• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 722
  • Last Modified:

self signed certificate not working on IIS6

I've been trying to get my self-signed certificate to work on my 2003 Server using IIS.  I installed the iis60rkt.exe and used selfssl.exe to created the certificate.  

Here is the command: selfssl /N:cn=apitest.domain.com /K:1024 /V:365 /S:1 /P:443 /T.  

I created it under the default web site.  I can view the certificate and everything appears to be fine.  No red Xs anywhere. Using the /T was the key to have it automatically adding itself to the Root CA certificates on the local computer.  After what appears to be a valid certificate, I go into IIS to assign a simple index.htm page in the default www folder.  I input 443 to the SSL port.  I click on Directory Security and click Edit at the bottom in the the Secure Communications settings.  I put a check mark on the Require Secure channel (SSL) and Require 128 bit encryption.  

Finally, I try the link https://apitest.domain.com and nothing.  I also try with ../index.htm but still nothing.  The error I receive is "Internet Explorer cannot display the web page."  I go back into IIS and remove the Require Secure channel and the page appears instantly in IE9.

I've created certreq.txt for many web sites and Exchange OWAs and never had a problem applying the ssl certificates.  It doesn't seem that difficult to me but I know I'm missing something.

I could use some help.

Mike
0
Richard Comito
Asked:
Richard Comito
  • 6
  • 4
1 Solution
 
jessc7Commented:
Have you explicity bound port 443?
0
 
Richard ComitoDirector of ITAuthor Commented:
Here is the port assignment.

 Ports

self signed apitest cert

 APItest Cert

Require SSL

 Require SSL
0
 
jessc7Commented:
Do you have any other web sites in IIS bound to port 443 using the same IP address? There are some limitations with IIS where this might cause a conflict.
0
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

 
Richard ComitoDirector of ITAuthor Commented:
No, this is the only site that will be using port 443.
0
 
jessc7Commented:
Hmm, yeah nothing stands out for me right away. Have you turned off "Friendly Errors" in IE, so you can hopefully see a more detailed error message?

Another thought - can you look at the IIS logs for any error messages or warnings?
0
 
R--RCommented:
There may be issue with certificate, create another one and try..
0
 
Richard ComitoDirector of ITAuthor Commented:
Yeah, I've created about 6 certs all together. I removed the previous ones.  I think I need to test my procedures on another server with just the base IIS setup to confirm it works.

Thanks guys for trying!

Mike
0
 
Richard ComitoDirector of ITAuthor Commented:
I found the answer!!!

This issue occurs if the administrator who tries to create the certificate request does not have Full Control permissions on the files and the subfolders in the following folder:
\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys

To resolve this issue, grant the administrator account Full Control on all files and subfolders in the MachineKeys folder. To do this, follow these steps:
1.      Click Start, click Run, type "\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\", and then click OK.
2.      Right-click MachineKeys, and then click Properties.
3.      On the Security tab, click Administrator or click the administrator group account you want, click to select the check box to enable Full Control permissions, and then click OK.

SEE: http://support.microsoft.com/kb/908572
0
 
Richard ComitoDirector of ITAuthor Commented:
After assigning the full permissions, remove the key and regenerate following the same steps and  commands as before.

Everything I did was correct.  I just didn't have the correct permissions.

0
 
jessc7Commented:
Good find!
0
 
Richard ComitoDirector of ITAuthor Commented:
People were helpful but this was an unusual situation and I ended up finding the solution by myself.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

  • 6
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now