Solved

self signed certificate not working on IIS6

Posted on 2011-09-27
Last Modified: 2012-08-13
I've been trying to get my self-signed certificate to work on my 2003 Server using IIS.  I installed the iis60rkt.exe and used selfssl.exe to create the certificate.

Here is the command: selfssl /N:cn=apitest.domain.com /K:1024 /V:365 /S:1 /P:443 /T.  

I created it under the default web site.  I can view the certificate and everything appears to be fine.  No red Xs anywhere. Using the /T was the key to having it automatically add itself to the Root CA certificates on the local computer.  After what appears to be a valid certificate, I go into IIS to assign a simple index.htm page in the default www folder.  I input 443 to the SSL port.  I click on Directory Security and click Edit at the bottom in the Secure Communications settings.  I put a check mark on the Require Secure channel (SSL) and Require 128 bit encryption.

Finally, I try the link https://apitest.domain.com and nothing.  I also try with ../index.htm but still nothing.  The error I receive is "Internet Explorer cannot display the web page."  I go back into IIS and remove the Require Secure channel and the page appears instantly in IE9.

I've created certreq.txt for many web sites and Exchange OWAs and never had a problem applying the ssl certificates.  It doesn't seem that difficult to me but I know I'm missing something.

I could use some help.

Mike
Question by:GabicusC
11 Comments
 
LVL 16

Expert Comment

by:jessc7
ID: 36714072
Have you explicitly bound port 443?
0
 

Author Comment

by:GabicusC
ID: 36714130
Here is the port assignment.

[Attached screenshots: Ports; self signed apitest cert (APItest Cert); Require SSL]
0
 
LVL 16

Expert Comment

by:jessc7
ID: 36714132
Do you have any other web sites in IIS bound to port 443 using the same IP address? There are some limitations with IIS where this might cause a conflict.
0

 

Author Comment

by:GabicusC
ID: 36715061
No, this is the only site that will be using port 443.
0
 
LVL 16

Expert Comment

by:jessc7
ID: 36716670
Hmm, yeah nothing stands out for me right away. Have you turned off "Friendly Errors" in IE, so you can hopefully see a more detailed error message?

Another thought - can you look at the IIS logs for any error messages or warnings?
0
 
LVL 19

Expert Comment

by:R--R
ID: 36716779
There may be an issue with the certificate; create another one and try.
0
 

Author Comment

by:GabicusC
ID: 36718213
Yeah, I've created about 6 certs all together. I removed the previous ones.  I think I need to test my procedures on another server with just the base IIS setup to confirm it works.

Thanks guys for trying!

Mike
0
 

Accepted Solution

by:
GabicusC earned 0 total points
ID: 36818827
I found the answer!!!

This issue occurs if the administrator who tries to create the certificate request does not have Full Control permissions on the files and the subfolders in the following folder:
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

To resolve this issue, grant the administrator account Full Control on all files and subfolders in the MachineKeys folder. To do this, follow these steps:
1. Click Start, click Run, type "\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\", and then click OK.
2. Right-click MachineKeys, and then click Properties.
3. On the Security tab, click Administrator or click the administrator group account you want, click to select the check box to enable Full Control permissions, and then click OK.

SEE: http://support.microsoft.com/kb/908572
0
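A read-only way to check for the permission problem described in the accepted solution, added here as an example and not part of the original post: it lists the MachineKeys folder and any key files where a given group has no Allow entry for Full Control. Assumptions: PowerShell is installed on the server, `$env:ALLUSERSPROFILE` resolves to `\Documents and Settings\All Users`, and the account running selfssl is a member of `BUILTIN\Administrators`.

```powershell
# Added example: audit Full Control on the MachineKeys folder. Changes nothing.
param(
    # Assumption: Windows Server 2003 profile layout, as in the post above.
    [string]$MachineKeys = (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys'),
    # Assumption: the group whose access is being checked.
    [string]$Principal = 'BUILTIN\Administrators'
)

function Test-FullControl {
    param([string]$Path, [string]$Principal)
    $full        = [int][System.Security.AccessControl.FileSystemRights]::FullControl
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    try   { $acl = Get-Acl -Path $Path -ErrorAction Stop }
    catch { return $false }                      # unreadable ACL counts as no access
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Principal) { continue }
        if ($ace.AccessControlType -ne 'Allow')          { continue }
        # Inherit-only entries apply to children, not to this object itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $full) -eq $full) { return $true }
    }
    return $false
    # Note: Deny entries and rights granted through other groups are not evaluated.
}

if (-not (Test-Path $MachineKeys)) {
    Write-Error "MachineKeys folder not found: $MachineKeys"
    return
}

# The folder itself plus every file and subfolder below it (hidden/system included).
$items = @(Get-Item $MachineKeys -Force) +
         @(Get-ChildItem $MachineKeys -Recurse -Force -ErrorAction SilentlyContinue)

$missing = @($items | Where-Object { -not (Test-FullControl $_.FullName $Principal) })

if ($missing.Count -eq 0) {
    "OK: $Principal has Full Control on all $($items.Count) items under $MachineKeys"
} else {
    "$($missing.Count) of $($items.Count) items lack Full Control for ${Principal}:"
    $missing | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
}
```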
 

Author Comment

by:GabicusC
ID: 36818833
After assigning the full permissions, remove the key and regenerate following the same steps and commands as before.

Everything I did was correct.  I just didn't have the correct permissions.

0
 
LVL 16

Expert Comment

by:jessc7
ID: 36818921
Good find!
0
 

Author Closing Comment

by:GabicusC
ID: 36935268
People were helpful but this was an unusual situation and I ended up finding the solution by myself.
0


Question has a verified solution.
