
SSL certificate requirements


Michel Gallant

Aug 26, 2003, 11:39:34 PM
Does anyone know what the certificate requirements are for
use with IIS 5/SSL?
For example, if I use makecert.exe to generate a *test* SSL
certificate, what are the minimum requirements for it to work
properly?

I have tried 1024 bit RSA AT_SIGNATURE and these 2 EKUs:

Server Authentication(1.3.6.1.5.5.7.3.1)
Client Authentication(1.3.6.1.5.5.7.3.2)

but this does not seem to allow the SSL handshake to work; i.e.
https://localhost
fails.
The IIS SSL security settings are enabled.

Suggestions?
- Mitch


David Cross [MS]

Aug 26, 2003, 11:49:06 PM
The cert must chain to a trusted root CA certificate on the system which is
likely the problem.

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

"Michel Gallant" <neu...@istar.ca> wrote in message
news:u28ufzEb...@TK2MSFTNGP12.phx.gbl...

Michel Gallant

Aug 26, 2003, 11:56:26 PM
I installed the public certificate into the Trusted root CA for
localmachine, so that is evidently not the problem.
(When I view the SSL cert, it shows the cert is trusted this way).
- Mitch

"David Cross [MS]" <dcr...@online.microsoft.com> wrote in message
news:eRMgx4Eb...@TK2MSFTNGP12.phx.gbl...

Scott Anderson

Aug 27, 2003, 11:11:22 AM
I had the same problem, try this link.

http://www.inventec.ch/chdh/notes/14.htm


Vishal Agarwal[MSFT]

Aug 27, 2003, 12:06:02 PM
It should be AT_EXCHANGE and not AT_SIGNATURE and preferably the provider
should be RSA SChannel.

Thanks,
Vishal[MSFT]

--
This posting is provided "AS IS" with no warranties, and confers no rights

"Michel Gallant" <neu...@istar.ca> wrote in message
news:u28ufzEb...@TK2MSFTNGP12.phx.gbl...

Vishal Mishra [MS]

Aug 27, 2003, 2:39:24 PM
(I have answered this before..:) )
When using makecert:
- Use PROV_RSA_SCHANNEL (or the PROV_DH_SCHANNEL CSP) when you enroll
for a server certificate. Please specify the SChannel CSP with the
switch -sy 12.
The -sy switch specifies the CSP type (12 for RSA Schannel and 18 for DH
Schannel).

- In your case, though, the problem is "AT_SIGNATURE". It must be of
type "AT_SIGNATURE".

- The Server Auth OID looks fine.

--
Vishal Mishra [MSFT]
This posting is provided "AS IS" with no warranties and confers no rights.
Use of any included samples is subject to the terms specified at
http://www.microsoft.com/info/copyright.htm
-------------------------------------------------------------------------

"Michel Gallant" <neu...@istar.ca> wrote in message
news:u28ufzEb...@TK2MSFTNGP12.phx.gbl...

Michel Gallant

Aug 27, 2003, 3:05:06 PM
OK, thanks for all comments on this. I have it working properly.

For others' benefit, here is what I did:

Win2000 SP4, fully patched as of 8/27/2003; makecert.exe v. 5.131.3639.0; IIS 5.
Working as PowerUser, execute the following key/cert generation:

------- Create SSL test certificate (execute as single line) ----------
makecert -sk "ssldemo" -pe -r -e "11/11/2006" -sky Exchange
-sy 12 -sp "Microsoft RSA SChannel Cryptographic Provider"
-n "CN=localhost,OU=blahhh,O=dev"
-ss MY -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

which generates a self-signed (-r) certificate with an exportable (-pe) private key.
It generates an AT_KEYEXCHANGE 1024-bit keypair in key container "ssldemo".
The keypair uses the RSA SCHANNEL provider type (-sy 12) and the associated provider (-sp ...).
The SubjectName is assigned Common Name "localhost" for local web-test purposes.
The certificate is generated in the current user MY store.
The ExtendedKeyUsages are specified:
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
-----------------------------------------------------------------------

The certificate is then exported with private key by Certs Snapin (or IE/Certs dialogs)
into a password protected .pfx file for safe archiving off site.
Remove cert/key from CU | MY store.

Log back in as administrator, and import the .pfx into the Machine | MY cert store.
Since the cert is self-signed and therefore the issuer (self) is not trusted, also
import the public cert therein into Trusted Roots store.

Use the procedure for importing an existing certificate (in the Machine | MY store) for
use in IIS 5 as described at:
"Assigning an Existing Server Certificate to a Web Site in IIS 5.0"
http://support.microsoft.com/?id=232177
i.e. configure SSL in
Default Web Site | Properties | Directory Security | Edit
to require SSL usage and optionally client certificates.

Related useful SSL/IIS configuration info:
"HOW TO: Install Imported Certificates on a Web Server in Windows 2000"
http://support.microsoft.com/?id=310178

"HOW TO: Secure an ASP.NET Application Using Client-Side Certificates"
http://support.microsoft.com/default.aspx?scid=kb;en-us;315588

- Michel Gallant
MVP Security

"Vishal Mishra [MS]" <vish...@online.microsoft.com> wrote in message
news:OQDuKqMb...@TK2MSFTNGP12.phx.gbl...
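The same requirements the thread converges on (an AT_KEYEXCHANGE key spec in the RSA SChannel CSP, a Server Authentication EKU, and a chain to a trusted root) can be produced and then verified on a current Windows host with New-SelfSignedCertificate, which replaced makecert. The script below is an added example written for this archive; it is not code from the thread or from Microsoft. The cmdlet parameters are the cmdlet's own; the subject name, the one-year validity, the scratch file path and the 2048-bit key length (the thread used 1024 bits) are assumed values, and the key-spec check assumes the key lives in a CAPI CSP, since a CNG-stored key exposes no CspKeyContainerInfo. Run it from an elevated session, because it writes to the LocalMachine stores.

```powershell
# Added example: create a test SSL server certificate with the properties the
# thread identifies as required, then verify each one. Assumed values are
# marked; everything else is the cmdlet's documented parameter set.

$params = @{
    Subject           = 'CN=localhost,OU=test,O=dev'      # assumed test subject
    DnsName           = 'localhost'                       # SAN must match the host in the URL
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048                              # assumed; 1024-bit RSA is no longer acceptable
    KeySpec           = 'KeyExchange'                     # AT_KEYEXCHANGE, not AT_SIGNATURE
    Provider          = 'Microsoft RSA SChannel Cryptographic Provider'  # makecert's -sy 12 / -sp value
    KeyExportPolicy   = 'Exportable'                      # equivalent of makecert -pe
    NotAfter          = (Get-Date).AddYears(1)            # assumed validity
    CertStoreLocation = 'Cert:\LocalMachine\My'
    # EKU extension (2.5.29.37): Server Authentication and Client Authentication,
    # the same two OIDs used in the thread.
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2')
}
$cert = New-SelfSignedCertificate @params

# Each check below corresponds to one failure cause raised in the thread.
function Test-SslServerCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # 1. EKU must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $ekuOids = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') {
        $problems += 'EKU lacks Server Authentication (1.3.6.1.5.5.7.3.1)'
    }

    # 2. Key spec must be AT_KEYEXCHANGE and the CSP must be an SChannel provider.
    #    For a CAPI key, .PrivateKey is an RSACryptoServiceProvider whose
    #    CspKeyContainerInfo reports KeyNumber (Exchange/Signature) and ProviderName.
    $csp = $Cert.PrivateKey
    if ($null -eq $csp) {
        $problems += 'No accessible private key (missing, or stored in a CNG provider)'
    }
    else {
        $info = $csp.CspKeyContainerInfo
        if ($info.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
            $problems += ('Key spec is {0}; SChannel needs AT_KEYEXCHANGE' -f $info.KeyNumber)
        }
        if ($info.ProviderName -notlike '*SChannel*') {
            $problems += ('Provider is "{0}", not an SChannel CSP' -f $info.ProviderName)
        }
    }

    # 3. The certificate must chain to a trusted root. For a self-signed test
    #    cert that means its own public part must sit in LocalMachine\Root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline test cert, no CRL to fetch
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems += "Certificate does not chain to a trusted root ($status)"
    }

    return $problems
}

# The chain check fails for a self-signed cert until its public part is trusted.
# Export-Certificate writes only the public certificate (no private key), which is
# all that belongs in the Root store.
$publicCer = Join-Path $env:TEMP 'ssltest-public.cer'   # assumed scratch path
Export-Certificate -Cert $cert -FilePath $publicCer | Out-Null
Import-Certificate -FilePath $publicCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

$issues = Test-SslServerCert -Cert $cert
if ($issues.Count -eq 0) { 'Certificate meets the SChannel server requirements' }
else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

Binding the resulting certificate to the site is a separate step (the IIS 5 dialog path in the post above, or the site's HTTPS binding in a current IIS), and Test-SslServerCert can be pointed at any certificate already in Cert:\LocalMachine\My to diagnose a handshake failure before touching the web server. Deleting the test certificate from the Root store when the test is finished keeps the machine from trusting a throwaway key longer than needed.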
