IIS Server Security - IIS6 does not work with programmatically installed certificate







Innokentiy Ivanov

2005-05-10, 6:01 pm

Hello!

Would you be so kind as to assist us in solving the following problem. What we
need is to programmatically set up an SSL certificate for IIS6. In the first step
we add the certificate to the Windows certificate store (MY) using CryptoAPI. In
the second step we bind this certificate to IIS by its fingerprint using the
DirectoryEntry class from the .NET Framework.

The certificate is imported to MY store and then bound to IIS without
errors. We are able to see the imported certificate in MMC and IIS manager.
However, when we try to establish SSL connection to the server, this
connection fails. If the certificate is imported using Windows certificate
manager and then bound to IIS using IIS manager, we are able to successfully
establish SSL connection.

We downloaded and ran the SSL Diagnostics utility from Microsoft for both
cases. The only serious difference that we were able to see is that the
certificate that is imported by Windows certificate manager uses Base
cryptographic provider, while the certificate that we have manually imported
using CryptoAPI uses Strong cryptographic provider. Is that the reason? Is
IIS6 unable to use Strong cryptographic provider for SSL purposes?

Appending the complete output of SSL Diagnostics utility (some non-critical
lines are skipped).

Thank you for your assistance,

With best regards,
Innokentiy Ivanov
EldoS Corporation

------working------
[ W3SVC/219833842 ]
ServerComment = DevSSLTest
ServerAutoStart = True
ServerState = Server started
#Could not impersonate server account
SSLCertHash = f3 2c 5a 7b 92 bb f1 7e 0d dc 64 20 b7 70 fc 4c 78 95 fa dc
SSLStoreName = MY
#CertName = www.somehost.com
#You have a private key that corresponds to this certificate
#ContainerName='{63E48273-113D-4FDF-B525-477922EF44FF}'
#ProvName='Microsoft Base Cryptographic Provider v1.0'
ProvType=PROV_RSA_FULL KeySpec=AT_KEYEXCHANGE
#Subject: C=US, S=STATE, L=LOCALITY, O=SOMEORG, OU=SOMEORG.com, CN=SOMEORG
#Issuer: C=US, O=ISSUERORG, OU=ISSUERORGUNIT
#Validity: From 11/13/2003 5:00:00 PM To 11/13/2005 4:59:59 PM
SecureBindings = xxx.yyy.zzz.226:443:
System time: Tue, 10 May 2005 15:58:32 GMT
Connecting to xxx.yyy.zzz.226:443
Connected
Handshake: 78 bytes sent
Handshake: 1120 bytes received
Handshake: 182 bytes sent
Handshake: 43 bytes received
Handshake succeeded
Verifying server certificate, it might take a while...
Server certificate name: <skipped>
Server certificate subject: <skipped>
Server certificate issuer: <skipped>
Server certificate validity: From 11/13/2003 5:00:00 PM To 11/13/2005 4:59:59 PM
HTTPS request:
GET / HTTP/1.0
User-Agent: SSLDiag
Accept:*/*
HTTPS: 72 bytes of encrypted data sent
HTTPS: 367 bytes of encrypted data received
HTTP/1.1 200 OK
Content-Length: 26
Content-Type: text/html
Last-Modified: Mon, 09 May 2005 21:20:32 GMT
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 10 May 2005 15:58:32 GMT
Connection: close
test <br>
HTTPS: server disconnected
<h1>TEST</H1>
Final handshake: 23 bytes sent successfully
------working------

------not working------
[ W3SVC/219833842 ]
ServerComment = DevSSLTest
ServerAutoStart = True
ServerState = Server started
#Could not impersonate server account
SSLCertHash = f3 2c 5a 7b 92 bb f1 7e 0d dc 64 20 b7 70 fc 4c 78 95 fa dc
SSLStoreName = MY
#CertName = www.somehost.com
#You have a private key that corresponds to this certificate
#ContainerName='{d7f3dc19-1409-431d-88ec-b85e1f978e70}'
#ProvName='Microsoft Strong Cryptographic Provider' ProvType=PROV_RSA_FULL KeySpec=AT_KEYEXCHANGE
#Subject: C=US, S=STATE, L=LOCALITY, O=SOMEORG, OU=SOMEORG.com, CN=SOMEORG
#Issuer: C=US, O=ISSUERORG, OU=ISSUERORGUNIT
#Validity: From 11/13/2003 5:00:00 PM To 11/13/2005 4:59:59 PM
SecureBindings = xxx.yyy.zzz.226:443:

System time: Tue, 10 May 2005 15:57:25 GMT
Connecting to xxx.yyy.zzz.226:443
Connected
Handshake: 78 bytes sent
#WARNING:Handshake: unspecified error receiving data
#WARNING:Handshake: 0x80090304 (-2146893052) error
------not working------
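A check on the IIS6 host, added here and not part of the thread, that reports for the bound certificate the same private-key details SSLDiag printed above (provider, container, key spec) and, in addition, whether the key sits in the machine key store, then compares the thumbprint with what the metabase holds for the site. It assumes Windows PowerShell on the server, the thumbprint from the SSLDiag output and the site id W3SVC/219833842 shown there; both are parameters.

```powershell
# Added example, not the poster's code. Run in an elevated Windows PowerShell
# on the IIS6 host. Defaults are the thumbprint and site id from the thread.
param(
    [string]$Thumbprint = 'f32c5a7b92bbf17e0ddc6420b770fc4c7895fadc',
    [string]$SiteId     = 'W3SVC/219833842'
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -ieq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

"Subject        : $($cert.Subject)"
"Valid          : $($cert.NotBefore) to $($cert.NotAfter)"
"HasPrivateKey  : $($cert.HasPrivateKey)"

if ($cert.HasPrivateKey) {
    # For a CryptoAPI (CSP) key, as in the thread, PrivateKey is an
    # RSACryptoServiceProvider; CspKeyContainerInfo carries what SSLDiag
    # shows as ProvName / ContainerName / ProvType / KeySpec.
    $info = $cert.PrivateKey.CspKeyContainerInfo
    "ProviderName   : $($info.ProviderName)"
    "ProviderType   : $($info.ProviderType)"       # 1 = PROV_RSA_FULL
    "KeyContainer   : $($info.KeyContainerName)"
    "KeyNumber      : $($info.KeyNumber)"           # Exchange = AT_KEYEXCHANGE
    "UniqueName     : $($info.UniqueKeyContainerName)"
    # A key created without CRYPT_MACHINE_KEYSET lives in the importing
    # user's key store, which the IIS service account cannot open, even
    # though MMC and IIS Manager still display the certificate.
    "MachineKeyStore: $($info.MachineKeyStore)"
}

# Read the site's SSL settings from the metabase (same fields as SSLDiag)
# and confirm the bound hash is the certificate we just inspected.
$site = [ADSI]"IIS://localhost/$SiteId"
$hash = ($site.SSLCertHash | ForEach-Object { '{0:x2}' -f [int]$_ }) -join ''
"Metabase hash  : $hash"
"Store name     : $($site.SSLStoreName)"
"Bound matches  : $($hash -ieq $cert.Thumbprint)"
```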


Innokentiy Ivanov

2005-05-13, 2:55 am

Hello!
You wrote to All on Tue, 10 May 2005 22:24:24 +0300:

Still silence...

Okay, I will try to rephrase the original question. Are there any specifics
(or pitfalls) that must be taken into account when programmatically
installing a certificate into IIS? Is it enough to (a) put the certificate into
the 'MY' store associated with the local machine, and then (b) bind the certificate
to IIS using the certificate fingerprint? MSDN says yes. Experience says no ;).

Sorry if the question is not related to the topic of the newsgroup. If so, does
anybody know the 'right' group for this question?

With best regards,
Innokentiy Ivanov
EldoS Corporation


Copyright 2003 - 2008 webservertalk.com