Enabling SSL on the server with test certificate

Lenn

Hello,

I've been struggling with this for a couple of days now. All I want to do is
to enable SSL protocol on the webserver.
I want to be able to generate and sign my own certificates. I used various
tools to do that, such as makecert.exe from .NET SDK and even downloaded
OpenSSL and generated certificates using that.
I installed my own certificates on IIS, but SSL simply won't work with any of
my certificates. I get an error in server's event log: "SSL server
credential's certificate does not have a private key".
If anyone successfully accomplished what I am trying to do, please respond.
Any links or suggestions? Please help!

Thank you
 
Nicholas Paldino [.NET/C# MVP]

Lenn,

If you are going to generate your own certificates, then I believe you
have to install the certificate on the client machine to get SSL to work.
Have you tried that?

Hope this helps.
 
Leon Mayne [MVP]

Lenn said:
I've been struggling with this for a couple of days now. All I want to
do is to enable SSL protocol on the webserver.
I want to be able to generate and sign my own certificates. I used
various tools to do that, such as makecert.exe from .NET SDK and even
downloaded OpenSSL and generated certificates using that.
I installed my own certificates on IIS, but SSL simply won't work with
any of my certificates. I get an error in server's event log: "SSL
server credential's certificate does not have a private key".
If anyone successfully accomplished what I am trying to do, please
respond. Any links or suggestions? Please help!

Hello,
It sounds like you're installing the cert without creating / importing the
private key in IIS. Have you followed the CSR wizard in IIS to generate a
key pair and the CSR to either send to a CA or sign yourself? Make sure you
use the 'Create a new certificate' option in the SSL IIS wizard and you can
create a test 3 month cert from IPSCA to make sure it works OK:
http://certs.ipsca.com/
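
The missing-private-key condition described in the reply above can be checked directly. This is an added example, not code from the thread or from any poster: it builds a throwaway self-signed certificate in memory, shows that a public-only (.cer style) copy of it has no private key, and then runs the same check over the server's Personal store. The helper name `Test-ServerCertKey` and the subject `CN=test.example` are assumptions; it needs PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Hypothetical helper (the name is an assumption): reports whether a
# certificate object carries the private key an SSL server needs.
function Test-ServerCertKey {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)
    $now = Get-Date
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        InValidity    = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
    }
}

# Constructed sample: a self-signed test certificate created in memory.
# Nothing is written to any certificate store.
$rsa  = [RSA]::Create(2048)
$req  = [CertificateRequest]::new('CN=test.example', $rsa,
            [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$full = $req.CreateSelfSigned([DateTimeOffset]::Now.AddMinutes(-5),
                              [DateTimeOffset]::Now.AddDays(90))

# Exporting as 'Cert' yields the bytes of a .cer file: public key and
# signature only. A certificate loaded from those bytes has no private key,
# which is the state the event-log message in the thread complains about.
$publicOnly = [X509Certificate2]::new($full.Export([X509ContentType]::Cert))

Test-ServerCertKey -Cert $full        # HasPrivateKey is True
Test-ServerCertKey -Cert $publicOnly  # HasPrivateKey is False

# The same check over the machine's Personal store, which is where IIS
# looks for server certificates (Windows only, hence the guard).
if (Test-Path Cert:\LocalMachine\My) {
    Get-ChildItem Cert:\LocalMachine\My |
        ForEach-Object { Test-ServerCertKey -Cert $_ } |
        Sort-Object HasPrivateKey |
        Format-Table -AutoSize
}
```

Any store entry listed with HasPrivateKey set to False cannot serve as the site's SSL certificate, however it was signed.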
 
Lenn

Thank you all.

Yes, I installed the certificate on the client and server, doesn't make a
difference.


Leon, Wizard in IIS offers 2 options; 1. Create Certificate request to be
processed by CA. 2. Assign existing cert.
I chose option 2.
What I've done is 1. Generate new cert using makecert.exe, 2. Import cert to
the server Cert Personal Store through Certificate Management Console. 3.
Install new cert on IIS through their wizard.
Have you done this before, could you please list steps you followed.
 
Leon Mayne [MVP]

Lenn said:
Leon, Wizard in IIS offers 2 options; 1. Create Certificate request
to be processed by CA. 2. Assign existing cert.
I chose option 2.
What I've done is 1. Generate new cert using makecert.exe, 2. Import
cert to the server Cert Personal Store through Certificate Management
Console. 3. Install new cert on IIS through their wizard.
Have you done this before, could you please list steps you followed.

I usually get IIS to create a new cert and a CSR and then send the CSR to
either a certification authority or use Microsoft Certificate Services to
sign the request and then process the cert.

See http://support.microsoft.com/kb/299525/EN-US/ for details about using
certificate services to sign your own cert, or use a CA that will sign a
test cert for you for free, such as IPSCA (as mentioned before) or Thawte:
http://www.thawte.com/ucgi/gothawte.cgi?a=w14100158767049000
 
Lenn

Thanks.
I usually get IIS to create a new cert and a CSR and then send the CSR to
either a certification authority or use Microsoft Certificate Services to
sign the request and then process the cert.

This link explains in detail how to do the same with OpenSSL, so you can
be your own CA, which is exactly what I wanted to do.
http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html

It worked for me, now I need to figure out how to programmatically pass client
certificate to the server.
 
Massimo Gentilini

It worked for me, now I need to figure out how to programmatically pass client
certificate to the server.

Good luck!

We did the same thing last week and it was a PITA. The final solution
(with FW 1.1) was to create a serviced component running under COM+ with
identity set because the asp.net process does not have the capability to
read any certificate from any store.

If you use FW 2.0 it's much simpler.

If you are able to make it work without the serviced component please let
us know.

Regards
Massimo

PS: We were working on calling a web service from an asp.net page; it's not
clear to me if you need to do this or not.
 
