Solved

self signed certificate not working on IIS6

Posted on 2011-09-27
11
697 Views
Last Modified: 2012-08-13
I've been trying to get my self-signed certificate to work on my 2003 Server using IIS.  I installed the iis60rkt.exe and used selfssl.exe to created the certificate.  

Here is the command: selfssl /N:cn=apitest.domain.com /K:1024 /V:365 /S:1 /P:443 /T.  

I created it under the default web site.  I can view the certificate and everything appears to be fine.  No red Xs anywhere. Using the /T was the key to have it automatically adding itself to the Root CA certificates on the local computer.  After what appears to be a valid certificate, I go into IIS to assign a simple index.htm page in the default www folder.  I input 443 to the SSL port.  I click on Directory Security and click Edit at the bottom in the the Secure Communications settings.  I put a check mark on the Require Secure channel (SSL) and Require 128 bit encryption.  

Finally, I try the link https://apitest.domain.com and nothing.  I also try with ../index.htm but still nothing.  The error I receive is "Internet Explorer cannot display the web page."  I go back into IIS and remove the Require Secure channel and the page appears instantly in IE9.

I've created certreq.txt for many web sites and Exchange OWAs and never had a problem applying the ssl certificates.  It doesn't seem that difficult to me but I know I'm missing something.

I could use some help.

Mike
0
Comment
Question by:GabicusC
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
11 Comments
 
LVL 16

Expert Comment

by:jessc7
ID: 36714072
Have you explicity bound port 443?
0
 

Author Comment

by:GabicusC
ID: 36714130
Here is the port assignment.

 Ports

self signed apitest cert

 APItest Cert

Require SSL

 Require SSL
0
 
LVL 16

Expert Comment

by:jessc7
ID: 36714132
Do you have any other web sites in IIS bound to port 443 using the same IP address? There are some limitations with IIS where this might cause a conflict.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Author Comment

by:GabicusC
ID: 36715061
No, this is the only site that will be using port 443.
0
 
LVL 16

Expert Comment

by:jessc7
ID: 36716670
Hmm, yeah nothing stands out for me right away. Have you turned off "Friendly Errors" in IE, so you can hopefully see a more detailed error message?

Another thought - can you look at the IIS logs for any error messages or warnings?
0
 
LVL 19

Expert Comment

by:R--R
ID: 36716779
There may be issue with certificate, create another one and try..
0
 

Author Comment

by:GabicusC
ID: 36718213
Yeah, I've created about 6 certs all together. I removed the previous ones.  I think I need to test my procedures on another server with just the base IIS setup to confirm it works.

Thanks guys for trying!

Mike
0
 

Accepted Solution

by:
GabicusC earned 0 total points
ID: 36818827
I found the answer!!!

This issue occurs if the administrator who tries to create the certificate request does not have Full Control permissions on the files and the subfolders in the following folder:
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

To resolve this issue, grant the administrator account Full Control on all files and subfolders in the MachineKeys folder. To do this, follow these steps:
1.      Click Start, click Run, type "\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\", and then click OK.
2.      Right-click MachineKeys, and then click Properties.
3.      On the Security tab, click Administrator or click the administrator group account you want, click to select the check box to enable Full Control permissions, and then click OK.

SEE: http://support.microsoft.com/kb/908572
0
 

Author Comment

by:GabicusC
ID: 36818833
After assigning the full permissions, remove the key and regenerate following the same steps and  commands as before.

Everything I did was correct.  I just didn't have the correct permissions.

0
 
LVL 16

Expert Comment

by:jessc7
ID: 36818921
Good find!
0
 

Author Closing Comment

by:GabicusC
ID: 36935268
People were helpful but this was an unusual situation and I ended up finding the solution by myself.
0

Featured Post

Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Preparing an email is something we should all take special care with – especially when the email is for somebody you may not know very well. The pressures of everyday working life stacked with a hectic office environment can make this a real challen…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question