Re: Importing CERT into Win2k for IIS
From: Ohaya (ohaya_at_NOSPAMcox.net)
Date: 12/13/03
- Next message: Wade A. Hilmo [MS]: "Re: ISAPI Authentication"
- Previous message: DavidM: "Re: Microsoft FTP Server problem on W2K?"
- In reply to: Jeff Fink: "Re: Importing CERT into Win2k for IIS"
- Next in thread: Paul Lynch: "Re: Importing CERT into Win2k for IIS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 12 Dec 2003 22:52:26 -0500
Jeff Fink wrote:
>
> "Ohaya" <ohaya@NOSPAMcox.net> wrote in message
> news:3FDA3C3B.D91C782A@NOSPAMcox.net...
> > Jeff,
> >
> > I'm assuming that the cert request you mentioned was generated by using
> > server certificate wizard in the IIS Manager. If that's the case, just
> > go back into the IIS Manager, right-click on website, select
> > Properties. Then click the Directory Security tab, then the Server
> > Certificate button at the bottom, and the wizard starts, browse to the
> > certificate file returned by the CA.
>
> The cert was generated on another box that no longer exists. Does the file
> that comes back from the CA contain everything I need? It looks like IIS
> generated a password that I need to recall to get it to import that way.
Hmmm...
When you say that "The cert was generated on another box..." do you mean
that the original certificate REQUEST was created on another machine
with IIS on it, and you used IIS to create the certificate REQUEST?
Or, do you mean you created the certificate request on another machine
with some other mechanism/program (for example OpenSSL)?
I'm not 100% sure, but in either case, I think that the file that comes
back from the CA doesn't normally contain 'all' that you need, as I
think that what you get back doesn't normally have the private key which
gets generated when you create the certificate REQUEST.
I think that the way that things are supposed to work is that when you
create the original certificate request, a key PAIR, consisting of a
private key and a public key, gets generated. The public key is
embedded in the certificate request which you send to the CA.
The private key normally stays on the original machine.
That's why the normal recommendation is to backup the certificate
request WITH the private key, because if the private key gets corrupted
or deleted (which I've done before :(), you still have it available.
I think that some CAs are able/willing to archive the private key for
you (I think this is called something like "key escrow"), but I'm kind
of guessing your CA didn't do that.
Anyway, if the CA doesn't have the private key, and the original machine
where the private key was is gone, I'm pretty sure that just the
certificate that you got back from the CA won't be of use.
More specifically, I think you should still import the certificate from
your CA using MMC, but if you then display the certificate in the MS
certificate applet by double-clicking on the certificate, it won't show
the line "You have the private key that corresponds to this
certificate.".
Then, even if you use IIS Manager to assign the certificate that you
imported, SSL won't work (since the private key is missing). You can
see this if you run the SSLDiag utility from MS:
When you run SSLDiag, it'll note that the private key is missing, and
when you try to connect to the website, you'll get a (somewhat
misleading) error message like "Cannot find server or DNS".
Apologies for the longish explanation, but I'm kind of thinking as I'm
writing this :)....
Jim
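The key-pair point made above, as an added OpenSSL walk-through that is not part of the original message: generate the request and its key pair, stand in for the CA, then check whether a given private key actually belongs to the certificate that comes back (the command-line equivalent of looking for the "You have a private key" line). It assumes the openssl command-line tool is installed; the names www.example.test and "Example Test CA" are made up for the example.

```shell
#!/bin/sh
# Added example (not from the original thread). Shows that the request and the
# certificate the CA returns carry only the PUBLIC key, and how to test whether a
# private key matches a certificate. Assumes the openssl CLI is on the PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: the key PAIR plus a certificate request (what the original box did).
# server.key holds the private key; server.csr embeds only the public key.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/CN=www.example.test" 2>/dev/null

# Step 2: stand in for the CA with a throwaway self-signed CA, sign the request.
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -days 30 -subj "/CN=Example Test CA" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/server.crt" \
    -days 30 2>/dev/null

# Return 0 when the PEM file contains a private key block at all.
has_private_key() {
    grep -q "PRIVATE KEY-----" "$1"
}

# Return 0 when the public half of private key $2 equals the public key
# inside certificate $1 (compare the SubjectPublicKeyInfo digests).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# What the thread describes: the returned certificate has no private key in it,
# and only the key generated with the request matches it.
has_private_key "$WORK/server.crt" && echo "unexpected: cert has a key" || true
cert_matches_key "$WORK/server.crt" "$WORK/server.key" && echo "server.key matches server.crt"
cert_matches_key "$WORK/server.crt" "$WORK/ca.key" || echo "ca.key does NOT match server.crt"
```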