Re: Programmatically assign certificate on IIS server

This is a frequent coding mistake. Certificates and security are not
easy.

While you may *think* you correctly installed the private certificate
and its key into the Local Machine's personal store, you actually did
not -- this is why IIS cannot use it for SSL. It has nothing to do
with the SKI, which is a metadata blob on the certificate.

When you load the private certificate with X509Certificate2, you must
have the MachineKeySet, Exportable, and PersistKeySet
X509KeyStorageFlags options set. Otherwise, when you install the
certificate it all looks like it worked, and you can retrieve the
certificate from the correct store, but IIS still cannot use it for
SSL.

Because the details are extremely picky, IIS has tools which
automatically creates and assigns self-signed certificates to enable
SSL. Look up "SelfSSL" from SSL Diagnostics 1.1:
http://www.microsoft.com/downloads/details.aspx?familyid=9bfa49bc-376b-4a54-95aa-73c9156706e7&displaylang=en


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Feb 22, 2:10 am, "Bala" <balaram_bara...@xxxxxxxxxxxxxxxx> wrote:
HI All,

We want to programmatically assign certificate on IIS server. We are able to
assign the certificate, but the website does not work on https after the
assignment. I think we are missing some step while programmatically
assigning the
certificate to IIS server?. We are doing the assignment of certificate using
the Crypto API. There are four steps in this process:

1.      Creating the certificate request.

2.      Creating the certificate by certificate utility using this
certificate request.

3.      Assign the generated certificate to IIS server.

4.      Enable SSL on the IIS server for the website.

When we do these steps manually it works but when we do these
programmatically (using CAPI) then it says "The SSL server credential's
certificate does not have a private key information property".

Here are the details what we tried to accomplished this task.

1) First we were just storing the final certificate generated by certman in
the registry at Local Machine's personal store. But it displayed a
certificate saying "The issuer of this certificate could not be found."
Then so solve this, we inserted the "ca.crt" certificate in the
LocalMachine's
Root location. So now when we view the certificate it says "certificate is
ok".

But it still does not have the private key information, so the WebPages are
not getting displayed using SSL.

We did a lot of analysis on this issue, searched on internet, but did not
get a proper solution.

Here are some observations:

1) When the certificate is generated manually using IIS there is a field
named "Subject Key Identifier" in the Details pane of the certificate. There
is a key generated by this "Subject Key Identifier" name in the registry at
the location
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\My\\Keys having
value of the type REG_BINARY by the name Blob, which is the entry of the
private key corresponding to the certificate. This entry is not been made
when we try to add the certificate programmatically. We are currently trying
out this.

2) The System Log shows the following error while installation:
"The SSL server credential's certificate does not have a private key
information property attached to it. This most often occurs when a
certificate is backed up incorrectly and then later restored. This message
can also indicate a certificate enrollment failure."

Here is code to assigne the certificate

Dim cert As New X509Certificate2(path + "certificate.crt") ' path is path to
the cert folder.

Dim store As New X509Store("My", StoreLocation.LocalMachine)

store.Open(OpenFlags.ReadWrite)

store.Add(cert)

store.Close()

'X509Certificate2UI.DisplayCertificate(cert)

'Attach certificate to Website

If (Not (cert) Is Nothing) Then

Dim utils As Utilities = New Utilities

Dim thumbprintBytes() As Byte =
CType(utils.BinaryStringToByteArray(utils.HexToBinary(cert.Thumbprint)),
Byte())

Dim adminBaseClass As Windows.Services.Iis.Metabase.MSAdminBaseClass = New
Windows.Services.Iis.Metabase.MSAdminBaseClass

Dim metaDataPath As String = "/W3SVC/1"

adminBaseClass.SetMetabaseData(SSL_CERT_HASH_ID, metaDataPath,
thumbprintBytes)

adminBaseClass.SetMetabaseData(SSL_STORE_NAME, metaDataPath, "My")

End If

So presently we are stuck on this issue, please let us know any one has any
idea on this.

Thanks and Regards,

Balaram Barange

.

Relevant Pages

  • Re: Cant get SSL to work locally
    ... SelfSSL just lowers the bar to enabling SSL on IIS (many people mistake ... needing Certificate Server or is just not possible "for free" with IIS). ... does not attempt to address the issue of trust. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Problem processing SSL certificate response.
    ... "Download SSL Diagnostics 1.1 from Microsoft.com and use it to diagnose ... Note that I am able to work around this by requesting/processing a request ... transfering the generated PFX into the certificate store on the IIS machine. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Switching from http to https
    ... the default website with SSL not enabled (using port 443) in the IIS. ... a certificate to the program. ...
    (microsoft.public.inetserver.iis.security)
  • RE: netsh error - 1312
    ... I can issue a cert from the certsrv and make it work but ONLY if I log in as ... "there is no particular SSL certificate that can only be used ... IIS wizard provide a very convenient GUI for us to generate request. ...
    (microsoft.public.dotnet.framework.webservices)
  • Re: Cant create web applications
    ... I've managed to re create an autosigned certificate and assigned it to the web application from the IIS 7 manager (it was already created with SSL and has the link with https, I just modified the link to add the cert.), but when I try to access the site, after the certificate warning, I receive a 403-Forbidden error. ...
    (microsoft.public.sharepoint.windowsservices)