Re: Programmatically assign certificate on IIS server
- From: "Lognoul, Marc \(Private\)" <lognoulm@xxxxxxxxxxx>
- Date: Fri, 22 Feb 2008 17:51:20 +0100
Maybe this can help you: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/cdb11c8f-36cb-41f6-9ae3-7ba084030877.mspx?mfr=true
Marc
"Bala" <balaram_barange@xxxxxxxxxxxxxxxx> wrote in message news:OLhtQsTdIHA.3940@xxxxxxxxxxxxxxxxxxxxxxx
HI All,.
We want to programmatically assign certificate on IIS server. We are able to
assign the certificate, but the website does not work on https after the
assignment. I think we are missing some step while programmatically assigning the
certificate to IIS server?. We are doing the assignment of certificate using
the Crypto API. There are four steps in this process:
1. Creating the certificate request.
2. Creating the certificate by certificate utility using this certificate request.
3. Assign the generated certificate to IIS server.
4. Enable SSL on the IIS server for the website.
When we do these steps manually it works but when we do these
programmatically (using CAPI) then it says "The SSL server credential's
certificate does not have a private key information property".
Here are the details what we tried to accomplished this task.
1) First we were just storing the final certificate generated by certman in
the registry at Local Machine's personal store. But it displayed a
certificate saying "The issuer of this certificate could not be found."
Then so solve this, we inserted the "ca.crt" certificate in the LocalMachine's
Root location. So now when we view the certificate it says "certificate is ok".
But it still does not have the private key information, so the WebPages are
not getting displayed using SSL.
We did a lot of analysis on this issue, searched on internet, but did not
get a proper solution.
Here are some observations:
1) When the certificate is generated manually using IIS there is a field
named "Subject Key Identifier" in the Details pane of the certificate. There
is a key generated by this "Subject Key Identifier" name in the registry at
the location
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\My\\Keys having
value of the type REG_BINARY by the name Blob, which is the entry of the
private key corresponding to the certificate. This entry is not been made
when we try to add the certificate programmatically. We are currently trying
out this.
2) The System Log shows the following error while installation:
"The SSL server credential's certificate does not have a private key
information property attached to it. This most often occurs when a
certificate is backed up incorrectly and then later restored. This message
can also indicate a certificate enrollment failure."
Here is code to assigne the certificate
Dim cert As New X509Certificate2(path + "certificate.crt") ' path is path to
the cert folder.
Dim store As New X509Store("My", StoreLocation.LocalMachine)
store.Open(OpenFlags.ReadWrite)
store.Add(cert)
store.Close()
'X509Certificate2UI.DisplayCertificate(cert)
'Attach certificate to Website
If (Not (cert) Is Nothing) Then
Dim utils As Utilities = New Utilities
Dim thumbprintBytes() As Byte =
CType(utils.BinaryStringToByteArray(utils.HexToBinary(cert.Thumbprint)),
Byte())
Dim adminBaseClass As Windows.Services.Iis.Metabase.MSAdminBaseClass = New
Windows.Services.Iis.Metabase.MSAdminBaseClass
Dim metaDataPath As String = "/W3SVC/1"
adminBaseClass.SetMetabaseData(SSL_CERT_HASH_ID, metaDataPath,
thumbprintBytes)
adminBaseClass.SetMetabaseData(SSL_STORE_NAME, metaDataPath, "My")
End If
So presently we are stuck on this issue, please let us know any one has any idea on this.
Thanks and Regards,
Balaram Barange
- References:
- Prev by Date: Re: Error 403 if using SSL (https)
- Next by Date: Force HTTPS to forward to HTTP?
- Previous by thread: Programmatically assign certificate on IIS server
- Next by thread: Microsoft IIS Patch Level Security PCI loophole
- Index(es):
Relevant Pages
|
