|
Home > Archive > IIS Server Security > April 2005 > SelfSSL Utility - Not working?
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
SelfSSL Utility - Not working?
|
|
|
| I just downloaded the SelfSSL for the IIS 6.0 resource kit and ran the
following command line: selfssl.exe /NCN=MySSL /K:1024 /Vv:7 /S:1 /P:443
I got a message that it was successful however when I go in to "Directory
Security" for my in IIS, the "View Certificate" is grayed out. I also get a
page not found when I try to hit my website using https:// with my IP address
since we have not change the DNS yet.
I am setting this up to A). Test to see if it works and B). We are migrating
our server and do not want to transfer our current certificate to the new
server until DNS has finished propagating. The thought here is some users
will hit one server while others will hit the new one allowing for secure
transactions on both severs simultaneously and eliminate down time .
So I would like to know how I can verify the SelfSSL installed correctly and
works. or if there is another method I should be using for this migration,
Thanks - Jody
| |
| Jason Brown [MSFT] 2005-04-19, 8:47 pm |
| Is that the EXACT command line you used? because there's an error or two
yours:
selfssl.exe /NCN=MySSL /K:1024 /Vv:7 /S:1 /P:443
mine:
selfssl.exe /N:CN=MySSL /K:1024 /V:7 /S:1 /P:443
--
Jason Brown
Microsoft GTSC, IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
"Jody" <Jody@discussions.microsoft.com> wrote in message
news:997F91AA-2249-4054-8844-1E83411BBFE6@microsoft.com...
>I just downloaded the SelfSSL for the IIS 6.0 resource kit and ran the
> following command line: selfssl.exe /NCN=MySSL /K:1024 /Vv:7 /S:1 /P:443
>
> I got a message that it was successful however when I go in to "Directory
> Security" for my in IIS, the "View Certificate" is grayed out. I also get
> a
> page not found when I try to hit my website using https:// with my IP
> address
> since we have not change the DNS yet.
>
> I am setting this up to A). Test to see if it works and B). We are
> migrating
> our server and do not want to transfer our current certificate to the new
> server until DNS has finished propagating. The thought here is some users
> will hit one server while others will hit the new one allowing for secure
> transactions on both severs simultaneously and eliminate down time .
>
> So I would like to know how I can verify the SelfSSL installed correctly
> and
> works. or if there is another method I should be using for this migration,
>
> Thanks - Jody
| |
|
| Sorry! Fluent in typo ;-o. I used your syntax.
"Jason Brown [MSFT]" wrote:
> Is that the EXACT command line you used? because there's an error or two
>
> yours:
> selfssl.exe /NCN=MySSL /K:1024 /Vv:7 /S:1 /P:443
> mine:
> selfssl.exe /N:CN=MySSL /K:1024 /V:7 /S:1 /P:443
>
>
>
> --
> Jason Brown
> Microsoft GTSC, IIS
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "Jody" <Jody@discussions.microsoft.com> wrote in message
> news:997F91AA-2249-4054-8844-1E83411BBFE6@microsoft.com...
>
>
>
| |
| Jason Brown [MSFT] 2005-04-19, 8:47 pm |
| OK, so you did enter a correct command, fair enough. what about if you run
it in default state?
just
selfssl.exe
?
it should use the netbios name of the machine as the cn, as well as 1024
length, site 1, port 443
--
Jason Brown
Microsoft GTSC, IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
"Jody" <Jody@discussions.microsoft.com> wrote in message
news:8CE5B722-789D-4199-92A4-14E55B0D7546@microsoft.com...[vbcol=seagreen]
> Sorry! Fluent in typo ;-o. I used your syntax.
>
> "Jason Brown [MSFT]" wrote:
>
| |
| David Wang [Msft] 2005-04-21, 2:49 am |
| SelfSSL is not going to work for your particular scenario.
It is going to generate a self-signed certificate that is not trusted by any
client, meaning that your users will see warning dialogs popup. This is
by-design of how SSL works -- no way around it. SelfSSL is best used for
testing purposes as well as when you control both client and server to get
free SSL. It is not suitable for any other sort of usage because browsers
will all pop up a warning dialog.
I suggest you use the same SSL certificate on both servers simultaneously
during the DNS migration. Your old and new servers both have the same name
and everything (so that they can continue to use the same SSL certificate --
else browsers will popup warning dialogs), so it is purely a matter of DNS
that determines which one responds.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Jody" <Jody@discussions.microsoft.com> wrote in message
news:997F91AA-2249-4054-8844-1E83411BBFE6@microsoft.com...
I just downloaded the SelfSSL for the IIS 6.0 resource kit and ran the
following command line: selfssl.exe /NCN=MySSL /K:1024 /Vv:7 /S:1 /P:443
I got a message that it was successful however when I go in to "Directory
Security" for my in IIS, the "View Certificate" is grayed out. I also get a
page not found when I try to hit my website using https:// with my IP
address
since we have not change the DNS yet.
I am setting this up to A). Test to see if it works and B). We are migrating
our server and do not want to transfer our current certificate to the new
server until DNS has finished propagating. The thought here is some users
will hit one server while others will hit the new one allowing for secure
transactions on both severs simultaneously and eliminate down time .
So I would like to know how I can verify the SelfSSL installed correctly and
works. or if there is another method I should be using for this migration,
Thanks - Jody
| |
| Jason Brown [MSFT] 2005-04-21, 2:49 am |
| Just to wade in with an opinion - it won't work for the purposes of
verifying the webiste is owned by blahblahblah.com, however if you intention
is just to encrypt the traffic over the wire, it'll still work. the OP
mentioned it's just for a transitional period. Sure, the dialog will show
up, but this isn't a big deal in testing/interim/controllable environments.
This doesn't equate to "not going to work". Semantics, perhaps, but there
you go.
"David Wang [Msft]" <someone@online.microsoft.com> wrote in message
news:eEd264jRFHA.244@TK2MSFTNGP12.phx.gbl...
> SelfSSL is not going to work for your particular scenario.
>
> It is going to generate a self-signed certificate that is not trusted by
> any
> client, meaning that your users will see warning dialogs popup. This is
> by-design of how SSL works -- no way around it. SelfSSL is best used for
> testing purposes as well as when you control both client and server to get
> free SSL. It is not suitable for any other sort of usage because browsers
> will all pop up a warning dialog.
>
> I suggest you use the same SSL certificate on both servers simultaneously
> during the DNS migration. Your old and new servers both have the same name
> and everything (so that they can continue to use the same SSL
> certificate --
> else browsers will popup warning dialogs), so it is purely a matter of DNS
> that determines which one responds.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> //
> "Jody" <Jody@discussions.microsoft.com> wrote in message
> news:997F91AA-2249-4054-8844-1E83411BBFE6@microsoft.com...
> I just downloaded the SelfSSL for the IIS 6.0 resource kit and ran the
> following command line: selfssl.exe /NCN=MySSL /K:1024 /Vv:7 /S:1 /P:443
>
> I got a message that it was successful however when I go in to "Directory
> Security" for my in IIS, the "View Certificate" is grayed out. I also get
> a
> page not found when I try to hit my website using https:// with my IP
> address
> since we have not change the DNS yet.
>
> I am setting this up to A). Test to see if it works and B). We are
> migrating
> our server and do not want to transfer our current certificate to the new
> server until DNS has finished propagating. The thought here is some users
> will hit one server while others will hit the new one allowing for secure
> transactions on both severs simultaneously and eliminate down time .
>
> So I would like to know how I can verify the SelfSSL installed correctly
> and
> works. or if there is another method I should be using for this migration,
>
> Thanks - Jody
>
>
| |
|
| David - This is what we ended up doing and it worked fine. Thanks everyone
for your input. I learned a lot. - Jody
"David Wang [Msft]" wrote:
> SelfSSL is not going to work for your particular scenario.
>
> It is going to generate a self-signed certificate that is not trusted by any
> client, meaning that your users will see warning dialogs popup. This is
> by-design of how SSL works -- no way around it. SelfSSL is best used for
> testing purposes as well as when you control both client and server to get
> free SSL. It is not suitable for any other sort of usage because browsers
> will all pop up a warning dialog.
>
> I suggest you use the same SSL certificate on both servers simultaneously
> during the DNS migration. Your old and new servers both have the same name
> and everything (so that they can continue to use the same SSL certificate --
> else browsers will popup warning dialogs), so it is purely a matter of DNS
> that determines which one responds.
>
> --
> //David
> IIS
> http://blogs.msdn.com/David.Wang
> This posting is provided "AS IS" with no warranties, and confers no rights.
> //
> "Jody" <Jody@discussions.microsoft.com> wrote in message
> news:997F91AA-2249-4054-8844-1E83411BBFE6@microsoft.com...
> I just downloaded the SelfSSL for the IIS 6.0 resource kit and ran the
> following command line: selfssl.exe /NCN=MySSL /K:1024 /Vv:7 /S:1 /P:443
>
> I got a message that it was successful however when I go in to "Directory
> Security" for my in IIS, the "View Certificate" is grayed out. I also get a
> page not found when I try to hit my website using https:// with my IP
> address
> since we have not change the DNS yet.
>
> I am setting this up to A). Test to see if it works and B). We are migrating
> our server and do not want to transfer our current certificate to the new
> server until DNS has finished propagating. The thought here is some users
> will hit one server while others will hit the new one allowing for secure
> transactions on both severs simultaneously and eliminate down time .
>
> So I would like to know how I can verify the SelfSSL installed correctly and
> works. or if there is another method I should be using for this migration,
>
> Thanks - Jody
>
>
>
|
|
|
|
|