Re: Backup "pending request"?

From: Mark (mark_at_ReMoVeThIsBiTmossywell.com)
Date: 09/26/03


Date: Thu, 25 Sep 2003 23:34:42 +0100


"Bernard" <qbernard@hotmail.com> wrote in message
news:ODz3P5ygDHA.2408@TK2MSFTNGP09.phx.gbl...
> 1) I don't think you can backup 'pending request'
> what you read is valid, you can import it in cert mmc
> and assign in IIS MMC.
>
> 2) I think you meant 'exportable private keys', PK is
> available on your Certsvr. Now, I believe you had
> read all the import/export kb, so do a test again.
>
> a) remove all cert in your cert store (local computer)
> b) apply a new one, via normal IIS MMC - pending request
> c) download the cert. and process the pending
> d) test - your https
> e) go to cert mmc - export to pfx - export the private key.
> f) open IIS MMC, remove the cert, do the same
> in cert mmc.
> g) reopen cert mmc. import the pfx..... then go to
> IIS MMC assign it.
> h) retest your https

Yes, you're right: I did mean exportable private key. (Too much late-night
posting!) I don't think I asked the question very well because what you
describe works perfectly well. What I was saying was that, ignoring IIS, if
you import a cert fresh from a CA into the cert store, you can't then export
the private key. In hindsight, this should have been obvious to me because
the request and response from the CA only contain the public key, not the
private key. I hadn't quite appreciated that the generation of a request in
itself creates the key pair. (The reason it wasn't obvious to me was because
it wasn't showing up in the key store for about a minute and I was too
impatient to wait so I assumed it wasn't there!) Now that I know how to back
up a private key _before_ I've even submitted the request to the CA, I
should be able to "recombine" (?) the private and public keys once the
public key comes back from the CA. I see that IIS MMC does this for me.
However, if I'm doing this on another server (e.g. after a server disaster),
even though I can import the private key and the public key, I've no idea
how to get them to be usable by IIS? (As I mentioned, IIS will allow the use
of a public key on its own, but without a matching private key, the SSL
session fails.)

Hope this makes sense!

Cheers
Mark

>
> now, you shouldn't face any problem from these
> steps, if yes, tell us the error msg and what you
> have done.
>
>
> --
> Regards,
> Bernard Cheah
> http://support.microsoft.com/
> Please respond to newsgroups only ...
>
>
>
> "Mark" <mark@ReMoVeThIsBiTmossywell.com> wrote in message
> news:3f720bfb$0$247$cc9e4d1f@news.dial.pipex.com...
> > Apologies for the long posting. :-)
> >
> > I'm about to apply for a certificate for an IIS server. Whilst the CA is
> > cranking out the certificate, I'm having a play with a test certificate
> > using the _same_ web site by creating my own CA on MS Cert Authority. I
> > notice that in IIS I can only have one pending request at any time per
> > site in IIS. As a test, I've tried deleting a pending request, creating
> > a new one and importing the certificate from the _original_ pending
> > request. IIS doesn't like this and correctly tells me that the cert that
> > I'm trying to import doesn't match the request.
> >
> > So, question 1: how to backup a pending request, so that I can restore
> > the original request and import the certificate from the original
> > request when I've finished playing with test certificates?
> >
> > I've read that this shouldn't actually be a problem because I'll get a
> > certificate and exportable public key. Apparently, I can import this
> > using the certificate MMC snap-in and, if I wish, export it from there
> > again. Once imported, I can then assign the cert to IIS without having
> > to worry about creating certificate requests. Superficially this would
> > appear to answer my first question. But... when I tried this as a test
> > using the MS CA, I ran into a problem: It would appear that although
> > the certificates created by my test CA can be imported into the
> > Certificates MMC, and indeed can be configured in IIS, they don't
> > actually work! When pointing IE to HTTPS, I get a schannel event log
> > error saying "The SSL server credential's certificate does not have a
> > private key information property attached to it". I checked this by
> > trying to re-export the certificate to a PFX and the PFX option is
> > greyed out. Ah ha, thinks I! The certificate produced by the MS CA
> > either doesn't have a public key or is not exportable (both sound a bit
> > odd to me!).
> >
> > So question 2: how do I ensure that certs produced by my test CA have
> > exportable public keys? (In the whole certificate production chain,
> > there doesn't seem to be a single option to ensure exportability, but
> > all the documentation on the web says "make sure the certificate is
> > exportable".)
> >
> > Many thanks
> > Mark
> >
> >
> >
>
>
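The sequence Bernard lists (request, accept, export to PFX, re-import, assign in IIS) and the two points Mark is asking about (where exportability is decided, and how a private key restored on a replacement server gets linked back to the CA-issued certificate) as a scripted walk-through. This is an added example, not code from either poster; it assumes a current Windows server with IIS, the in-box certreq.exe/certutil.exe tools and the PKI PowerShell module (Export-PfxCertificate / Import-PfxCertificate). The subject name, CA config string, file names and appid GUID are placeholders.

```powershell
# Added example (not from the thread): request -> accept -> back up -> restore
# for an IIS server certificate, showing that the request step creates the
# key pair, that the CA's answer carries only the public half, and how the
# two are recombined.  Host name, CA config string and paths are placeholders.

$ErrorActionPreference = 'Stop'
$Subject     = 'CN=www.example.test'       # placeholder host name
$CaConfig    = 'CA-HOST\My Test CA'        # placeholder "<server>\<CA name>"
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# 1) Request INF.  Generating the request is what creates the key pair; the
#    key lands in the Local Computer store straight away (the MMC can lag a
#    little before it shows).  Exportable=TRUE is the one place where
#    exportability is decided; it cannot be switched on after the fact.
@"
[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xa0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path .\request.inf -Encoding ASCII

certreq -new .\request.inf .\request.csr

# 2) The CSR holds only the subject and the public key.  Neither it nor the
#    CA's reply contains the private key, which is why a .cer imported on a
#    different machine has no private key to export.
certutil -dump .\request.csr

# 3) Submit and accept.  "-accept" is the recombine step: it locates the
#    pending request's private key in the store and attaches it to the
#    issued certificate (the same thing the IIS MMC does for you).
certreq -submit -config $CaConfig .\request.csr .\issued.cer
certreq -accept .\issued.cer

# 4) Back up certificate and private key together as a PFX.
#    Only works because the key was created with Exportable=TRUE.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
Export-PfxCertificate -Cert $cert -FilePath .\site.pfx -Password $PfxPassword

# 5) Restore on a replacement server.  Importing the PFX brings the private
#    key along, so the certificate is usable by IIS immediately.
# Import-PfxCertificate -FilePath .\site.pfx -CertStoreLocation Cert:\LocalMachine\My `
#     -Password $PfxPassword -Exportable

# 6) If only the key was restored (e.g. from a PFX taken before the CA
#    answered) and the issued .cer was imported on its own, re-link them:
#    certutil searches the machine's key containers for the matching key
#    and re-attaches the private key property that schannel complains about.
# certutil -addstore My .\issued.cer
# certutil -repairstore My $cert.Thumbprint

# 7) Bind the certificate for HTTPS (HTTP.SYS); any fixed GUID works as appid.
# netsh http add sslcert ipport=0.0.0.0:443 certhash=$($cert.Thumbprint) appid='{00000000-0000-0000-0000-000000000001}'
```

Steps 5 to 7 are commented out because they run on the replacement server, not the one that made the request. The check for the failure Mark saw (cert present, HTTPS handshake fails, "does not have a private key information property") is `$cert.HasPrivateKey`; if it is `$false` after a restore, step 6 is the fix.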


