Solved

self signed certificate not working on IIS6

Posted on 2011-09-27
11
684 Views
Last Modified: 2012-08-13
I've been trying to get my self-signed certificate to work on my 2003 Server using IIS.  I installed the iis60rkt.exe and used selfssl.exe to created the certificate.  

Here is the command: selfssl /N:cn=apitest.domain.com /K:1024 /V:365 /S:1 /P:443 /T.  

I created it under the default web site.  I can view the certificate and everything appears to be fine.  No red Xs anywhere. Using the /T was the key to have it automatically adding itself to the Root CA certificates on the local computer.  After what appears to be a valid certificate, I go into IIS to assign a simple index.htm page in the default www folder.  I input 443 to the SSL port.  I click on Directory Security and click Edit at the bottom in the the Secure Communications settings.  I put a check mark on the Require Secure channel (SSL) and Require 128 bit encryption.  

Finally, I try the link https://apitest.domain.com and nothing.  I also try with ../index.htm but still nothing.  The error I receive is "Internet Explorer cannot display the web page."  I go back into IIS and remove the Require Secure channel and the page appears instantly in IE9.

I've created certreq.txt for many web sites and Exchange OWAs and never had a problem applying the ssl certificates.  It doesn't seem that difficult to me but I know I'm missing something.

I could use some help.

Mike
0
Comment
Question by:GabicusC
  • 6
  • 4
11 Comments
 
LVL 16

Expert Comment

by:jessc7
ID: 36714072
Have you explicity bound port 443?
0
 

Author Comment

by:GabicusC
ID: 36714130
Here is the port assignment.

 Ports

self signed apitest cert

 APItest Cert

Require SSL

 Require SSL
0
 
LVL 16

Expert Comment

by:jessc7
ID: 36714132
Do you have any other web sites in IIS bound to port 443 using the same IP address? There are some limitations with IIS where this might cause a conflict.
0
 

Author Comment

by:GabicusC
ID: 36715061
No, this is the only site that will be using port 443.
0
 
LVL 16

Expert Comment

by:jessc7
ID: 36716670
Hmm, yeah nothing stands out for me right away. Have you turned off "Friendly Errors" in IE, so you can hopefully see a more detailed error message?

Another thought - can you look at the IIS logs for any error messages or warnings?
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 19

Expert Comment

by:R--R
ID: 36716779
There may be issue with certificate, create another one and try..
0
 

Author Comment

by:GabicusC
ID: 36718213
Yeah, I've created about 6 certs all together. I removed the previous ones.  I think I need to test my procedures on another server with just the base IIS setup to confirm it works.

Thanks guys for trying!

Mike
0
 

Accepted Solution

by:
GabicusC earned 0 total points
ID: 36818827
I found the answer!!!

This issue occurs if the administrator who tries to create the certificate request does not have Full Control permissions on the files and the subfolders in the following folder:
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

To resolve this issue, grant the administrator account Full Control on all files and subfolders in the MachineKeys folder. To do this, follow these steps:
1.      Click Start, click Run, type "\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\", and then click OK.
2.      Right-click MachineKeys, and then click Properties.
3.      On the Security tab, click Administrator or click the administrator group account you want, click to select the check box to enable Full Control permissions, and then click OK.

SEE: http://support.microsoft.com/kb/908572
0
 

Author Comment

by:GabicusC
ID: 36818833
After assigning the full permissions, remove the key and regenerate following the same steps and  commands as before.

Everything I did was correct.  I just didn't have the correct permissions.

0
 
LVL 16

Expert Comment

by:jessc7
ID: 36818921
Good find!
0
 

Author Closing Comment

by:GabicusC
ID: 36935268
People were helpful but this was an unusual situation and I ended up finding the solution by myself.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

First of all, clustering IIS is something you should rarely consider doing. In almost all cases, Microsoft Network Load Balancing (NLB) (http://technet.microsoft.com/en-us/library/cc758834(WS.10).aspx) is a much better solution when you need to p…
Lync server 2013 Backup Service Error ID 4049 – After File Share Migration
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now