DrIIS

Help on Microsoft IIS and SSL

written by Miguel Angel Fraga

(Under Construction)


How to generate a CSR (RSA 1024 bits) using NON domestic IIS 4

How to install your CA root certificate into IIS

MS KeyManager says the signed certificate is invalid ("The certificate file is not valid  Invalid password") or CAPI error 80093004.

How to install a SGC certificate (Server Gated Cryptography)

I generated a key and certificate request with OpenSSL / SSLeay and got a certificate from Verisign.  After trying everything to get IIS to take it,  I found out that for some reason keys need to be generated in IIS for it to use them.  Anyone know otherwise?

How to get client certificate with IIS 4.0 using ASP (How to write a Client Authentication Certificate to a file)


How to generate a CSR (RSA 1024 bits) using NON domestic IIS 4

If you are using SP3 (Service Pack 3) you need a special post-SP3 schannel.dll; download schannel.dll post SP3 here.

If you are using SP4 or SP5 you don't need any special stuff.

The basic steps (for SP3, SP4 or SP5 alike) are:

1. Run RegEdit.exe.

2. Open (click on the + next to) HKEY_LOCAL_MACHINE, then go to the following subkey:

System\CurrentControlSet\Control\SecurityProviders

3. Select SCHANNEL.

4. On the Edit menu, select New, then choose DWORD Value. A new value appears in the right-hand pane.

5. If necessary, right click on the new item and choose Rename from the context menu.

6. Type EnableSGC and press ENTER.

7. Right click on EnableSGC and choose Modify. The Edit DWORD Value dialog appears.

8. Type 1 (one) and click OK.

9. Click Registry, then Exit to close the Registry Editor.

10. This change will take effect when you next start Windows NT.

Now you can generate CSRs with key lengths from 512 bits to 1024 bits.



How to install your CA root certificate into IIS

You have imported your CA root certificate into MSIE, but your IIS can't see the certificate. That's because IIS (with SP3) doesn't use CryptoAPI.

Solutions

using SP3:

If you want your IIS 4 server to recognize your CA root certificate, you have to:

1. install your CA certificate into MSIE 4 on the same machine where you run IIS,

2. run %SystemRoot%\system32\inetsrv\iisca.exe and then restart the NT machine (this change will take effect when you next start Windows NT).


using SP4 or SP5:

IIS stores trusted roots in the local machine 'Trusted Root Certification Authorities' certificates store.

1. Open Internet Explorer 4.

2. Browse to the root certifying authority certificate that you want to add.

3. Select Open this file from its current location, and then click OK.

4. Click Install certificate.

5. After the Certificate Manager Import wizard has started, click Next.

6. Select Place all certificates into the following store.

7. Click Browse, and then click Show physical stores.

8. Expand Trusted Root Certification Authorities, select Local Computer, and then click OK.

9. Click Next, and then click Finish.

10. This change will take effect when you next start Windows NT.


MS KeyManager says the signed certificate is invalid or CAPI error 80093004.

Remove all the text above the PEM-encoded certificate, that is, everything from the top of the file down to the line
-----BEGIN CERTIFICATE-----

Edit the certificate with a text editor so that only the data between
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
remains (keep these two separator lines too).


How to install a SGC certificate (Server Gated Cryptography)

In order to install your SGC certificate you need to install the whole certificate chain in your IIS.

Sometimes you see that your IIS does 40-bit SSL okay but not 128-bit SSL; the usual reason is that the intermediate Verisign SGC certificate is not being sent to the client (the leaf certificate is being sent, though). When this happens the client will refuse to initiate the SGC renegotiation. The fix is to rerun the sgcinst.exe program on your server, or to manually place the intermediate SGC certificate in the Local Machine "Intermediate Certificates" store using Certificate Manager (shipped with SP4 or higher).

Download sgcinst.exe (post SP3) here: execute sgcschannel.exe and just extract the sgcinst.exe file.

USAGE:   sgcinst.exe  inputfile  outputfile

    inputfile  - certificate chain file
    outputfile - certificate for IIS; install this certificate using Key Manager

To confirm that there is no problem, you can look in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CertificationAuthorities\

and see if there is a Verisign certificate there. It should have an entry for:

VeriSign Trust Network, "VeriSign, Inc.", VeriSign International
Server CA - Class 3, www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign
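As an added example (not code from the original page), a small Python checker that covers both the Key Manager fix above (keep only the data between the separators) and the SGC point that the whole chain must be present: it pulls every certificate out of a CA reply or chain file, verifies that each body decodes to one complete DER SEQUENCE, and re-emits the server certificate in the canonical PEM form. The sample reply and chain file are constructed, with placeholder DER bodies rather than real certificates.

```python
import base64
import re

# One PEM certificate block; tolerant of the extra dashes some CA replies carry
# (e.g. "-------") and of CRLF line endings.
_PEM_RE = re.compile(
    r"-{5,}BEGIN CERTIFICATE-{5,}\s*(.*?)\s*-{5,}END CERTIFICATE-{5,}", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE, the outer shape of an X.509 cert."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def extract_certificates(text: str) -> list:
    """DER bytes of every certificate in the text, ignoring anything outside the separators."""
    certs = []
    for body in _PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der_length_ok(der):
            raise ValueError("certificate body is not a complete DER SEQUENCE")
        certs.append(der)
    return certs

def to_pem(der: bytes) -> str:
    """Canonical PEM as Key Manager expects it: 5-dash separators, 64-column Base64, nothing else."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def clean_for_keymanager(text: str) -> str:
    """Keep only the first (server) certificate, without the CA's cover text."""
    certs = extract_certificates(text)
    if not certs:
        raise ValueError("no certificate block found")
    return to_pem(certs[0])

# Constructed samples: a CA reply with cover text and a 7-dash separator above the
# block, and a chain file holding leaf + intermediate (placeholder DER, not real certs).
LEAF = b"\x30\x03\x02\x01\x01"
INTERMEDIATE = b"\x30\x03\x02\x01\x02"
CA_REPLY = ("Dear customer,\nYour certificate is attached below.\n"
            + to_pem(LEAF).replace("BEGIN CERTIFICATE-----", "BEGIN CERTIFICATE-------"))
CHAIN_FILE = to_pem(LEAF) + to_pem(INTERMEDIATE)
```

If extract_certificates on your chain file returns only one certificate, the intermediate is missing and IIS will show exactly the 40-bit-only symptom described above.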


I generated a key and certificate request with OpenSSL / SSLeay and got a certificate from Verisign. After trying everything to get IIS to take it, I found out that for some reason keys need to be generated in IIS for it to use them.  Anyone know otherwise?

You have to convert the server's private key to NET format before you install the Verisign certificate.

If you have created the IIS's private key and certificate request using commands like these:

     openssl genrsa -des3 -out iis.key   ...
     openssl req -new -key iis.key -out  ...

then you can convert the IIS private key to NET format with:

    openssl  rsa  -in iis.key  -outform NET   -out iis.net

Now you have your IIS key (file: iis.net) and the Verisign certificate.

To import key pairs generated with tools other than Key Manager, choose in Key Manager:
Import key from Key Set Files.

I have checked it on IIS 3 and IIS 4.




How to get client certificate with IIS 4.0 using ASP (How to write a Client Authentication Certificate to a file)

The following ASP code is needed for this to work:

<% @Language = VBScript %>
<% Response.Buffer = True %>

<% 
'  Session.LCID = 1033   'Regional setting (LCID 1033 = English, United States)

'Instantiate the ASP FileSystemObject in order
'to create a text file
Set fs = Server.CreateObject("Scripting.FileSystemObject")

'Create text file using append mode
Set outStream = fs.OpenTextFile( "C:\cert.txt", 8, True )

'Save certificate issuer information to text file
outStream.WriteLine( "# Issuer: " & Request.ClientCertificate("Issuer") )

'Extract the certificate subject (user) and account information.
'The Subject fields come back separated by CR/LF characters; replace
'each one with ";" so the subject fits on a single line.
su = Request.ClientCertificate( "Subject" )
mx = len(su)
for x = 1 to mx
     if mid(su,x,1)=chr(10) or mid(su,x,1)=chr(13) then
          su = left(su,x-1) & ";" & right(su,mx-x)
     end if
next
            
outStream.WriteLine( "# Subject: " & su )
outStream.WriteLine( "# Account: " & _
                                Request.ServerVariables ("REMOTE_USER") )

'Extract the raw (DER) certificate bytes from the client certificate and
'Base64-encode them as PEM, 64 characters per line
uue = vbNullString & _
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" & _
"0123456789+/"

outStream.WriteLine( "-----BEGIN CERTIFICATE-----" )
cer = Request.ClientCertificate( "Certificate" )
lcer = len(cer)
l = 0

'Each group of three bytes becomes four Base64 characters; a short
'final group is padded with "=" as the PEM format requires
for x = 1 to lcer step 3
   a1 = asc(mid(cer,x,1))
   if x+1 <= lcer then
      a2 = asc(mid(cer,x+1,1))
      if x+2 <=lcer then
         a3 = asc(mid(cer,x+2,1))
      else
         a3 = 0
      end if
   else
      a2 = 0
      a3 = 0
   end if

   outStream.Write mid(uue, (a1 and 252)/4 +1 ,1)
   outStream.Write mid(uue, (a1 and 3)*16 + (a2 and 240)/16 +1 ,1)
   if x+1 <= lcer then
      outStream.Write mid(uue, (a2 and 15)*4 + (a3 and 192)/64 +1 ,1)
      if x+2 <= lcer then
         outStream.Write mid(uue, (a3 and 63) +1 ,1)
      else
         outStream.Write "="
      end if
   else
      outStream.Write "=="
   end if
   
   l = l +4
   if l = 64 then
      outStream.WriteLine("")
      l = 0
   end if
next

if l > 0 then
   outStream.WriteLine( "" )
end if

outStream.WriteLine( "-----END CERTIFICATE-----" )

%>