
Re: Programmatically assign certificate on IIS server

Source:
http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2008-03/msg00020.html



      • From: David Wang <w3.4you@xxxxxxxxx>
      • Date: Sat, 8 Mar 2008 02:20:34 -0800 (PST)

This is a frequent coding mistake. Certificates and security are not
easy.

While you may *think* you correctly installed the private certificate
and its key into the Local Machine's personal store, you actually did
not -- this is why IIS cannot use it for SSL. It has nothing to do
with the SKI, which is a metadata blob on the certificate.

When you load the private certificate with X509Certificate2, you must
have the MachineKeySet, Exportable, and PersistKeySet
X509KeyStorageFlags options set. Otherwise, when you install the
certificate it all looks like it worked, and you can retrieve the
certificate from the correct store, but IIS still cannot use it for
SSL.

Because the details are extremely picky, IIS has tools which
automatically create and assign self-signed certificates to enable
SSL. Look up "SelfSSL" from SSL Diagnostics 1.1:
http://www.microsoft.com/downloads/details.aspx?familyid=9bfa49bc-376b-4a54-95aa-73c9156706e7&displaylang


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Feb 22, 2:10 am, "Bala" <balaram_bara...@xxxxxxxxxxxxxxxx> wrote:

        HI All,

        We want to programmatically assign a certificate on an IIS server. We are able to
        assign the certificate, but the website does not work on https after the
        assignment. I think we are missing some step while programmatically
        assigning the certificate to the IIS server. We are doing the assignment of the
        certificate using the Crypto API. There are four steps in this process:

        1. Creating the certificate request.

        2. Creating the certificate by certificate utility using this
           certificate request.

        3. Assign the generated certificate to the IIS server.

        4. Enable SSL on the IIS server for the website.

        When we do these steps manually it works, but when we do them
        programmatically (using CAPI) it says "The SSL server credential's
        certificate does not have a private key information property".

        Here are the details of what we tried in order to accomplish this task.

        1) First we were just storing the final certificate generated by certman in
        the registry at the Local Machine's personal store. But it displayed a
        certificate saying "The issuer of this certificate could not be found."
        So to solve this, we inserted the "ca.crt" certificate in the LocalMachine's
        Root location. So now when we view the certificate it says "certificate is
        ok".

       But it still does not have the private key information, so the WebPages are
       not getting displayed using SSL.

        We did a lot of analysis on this issue and searched on the internet, but did
        not find a proper solution.

       Here are some observations:

        1) When the certificate is generated manually using IIS there is a field
        named "Subject Key Identifier" in the Details pane of the certificate. There
        is a key generated with this "Subject Key Identifier" name in the registry at
        the location
        HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\My\Keys having a
        value of type REG_BINARY by the name Blob, which is the entry of the
        private key corresponding to the certificate. This entry is not made
        when we try to add the certificate programmatically. We are currently trying
        this out.

       2) The System Log shows the following error while installation:
       "The SSL server credential's certificate does not have a private key
       information property attached to it. This most often occurs when a
       certificate is backed up incorrectly and then later restored. This message
       can also indicate a certificate enrollment failure."

        Here is the code to assign the certificate:


        ' path is the path to the cert folder.
        Dim cert As New X509Certificate2(path + "certificate.crt")

        Dim store As New X509Store("My", StoreLocation.LocalMachine)
        store.Open(OpenFlags.ReadWrite)
        store.Add(cert)
        store.Close()

        'X509Certificate2UI.DisplayCertificate(cert)

        'Attach certificate to Website
        If (Not (cert) Is Nothing) Then
            ' Utilities, SSL_CERT_HASH_ID and SSL_STORE_NAME are defined elsewhere
            ' in the poster's code (not shown).
            Dim utils As Utilities = New Utilities
            Dim thumbprintBytes() As Byte = CType(utils.BinaryStringToByteArray(utils.HexToBinary(cert.Thumbprint)), Byte())

            Dim adminBaseClass As Windows.Services.Iis.Metabase.MSAdminBaseClass = New Windows.Services.Iis.Metabase.MSAdminBaseClass
            Dim metaDataPath As String = "/W3SVC/1"

            adminBaseClass.SetMetabaseData(SSL_CERT_HASH_ID, metaDataPath, thumbprintBytes)
            adminBaseClass.SetMetabaseData(SSL_STORE_NAME, metaDataPath, "My")
        End If

        So presently we are stuck on this issue; please let us know if anyone has any
        idea on this.

       Thanks and Regards,

       Balaram Barange


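The fix David describes, as an added PowerShell example that is not code from the original post. It assumes the certificate and its private key are together in a PKCS#12 (.pfx) file; the path and password are placeholders. Note that the "certificate.crt" the posted VB.NET loads carries only the public certificate, so no X509KeyStorageFlags can produce a private key from it; the key has to be in the file being loaded (or already sit in a machine key container). The metabase assignment of the hash and store name to /W3SVC/1 is unchanged from the posted code and is not repeated here; the same three flags go into the VB.NET X509Certificate2 constructor.

```powershell
# Added example, not from the original post.
# Assumptions: certificate AND private key are in a PKCS#12 file; path and
# password are placeholders.
$PfxPath     = 'C:\certs\certificate.pfx'
$PfxPassword = 'changeit'

# What the posted VB.NET does (no flags): any key in the file lands in a temporary
# per-user container that is deleted when the object is finalized, so the service
# account IIS runs under never sees it:
#   $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
#               -ArgumentList $PfxPath, $PfxPassword

# The fix: MachineKeySet puts the key in the machine-wide key store, PersistKeySet
# keeps it after the object is gone, Exportable lets it be exported again later.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, Exportable, PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
             -ArgumentList $PfxPath, $PfxPassword, $flags

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# The raw SHA-1 hash bytes the metabase SSLCertHash property wants; no
# hex-to-binary helpers needed.
$hashBytes = $cert.GetCertHash()

function Test-MachineKeyPersisted {
    param([string]$Thumbprint)
    # Re-open the store in a fresh object so we see what a new process (w3svc) sees,
    # not the in-memory object we just built.
    $s = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
    $s.Open('ReadOnly')
    try {
        $found = $s.Certificates.Find('FindByThumbprint', $Thumbprint, $false)
        if ($found.Count -ne 1) { return $false }
        $c = $found[0]
        if (-not $c.HasPrivateKey) { return $false }   # no private key property at all
        # For CAPI keys, MachineKeyStore is False when the key sits in a user-profile
        # container; that is the case IIS cannot use even though HasPrivateKey is True.
        return [bool]$c.PrivateKey.CspKeyContainerInfo.MachineKeyStore
    } finally {
        $s.Close()
    }
}

if (Test-MachineKeyPersisted -Thumbprint $cert.Thumbprint) {
    "OK: $($cert.Thumbprint) has a private key in the machine key store ($($hashBytes.Length) hash bytes for the metabase)"
} else {
    throw "Private key missing or not in the machine store; IIS will log 'does not have a private key information property'"
}
```

Run it in an elevated prompt on the IIS host. The check at the end is the one worth keeping: HasPrivateKey alone is not enough, because a key loaded without MachineKeySet also reports True inside the process that loaded it and then silently disappears.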



