Using IIS 7.0 i wasn't allowed to add the certificate.
But i havn't an explicit message.
Although the certificate has been imported correctly, it doesn't appear inside the selectable list,
look at this screen.
This sound a little strange also becouse if i switch to another panel and back to server certificate, the certificate imported disappear from the GUI and i've to import it again and again... All this behaviours happens without any explanation message. This
seems a bug. Even if i import that server certificate, it seems iis discards it :*(
If i try with a self signed certificate it doesn't disappear from GUI and i'm able to bind it correctly.
It seems to me that only specific types of certificates show up in the IIS 7 Manager. I think I noticed it was certificates imported with a password along with their private key?
So, if you are not seeing your certificate, perhaps it is the certificate type. You should still see it in the MMC for the certificate store though.
RootTrustedCA.cer is installed inside Trusted Root Certificate Authorities store.
Server.cer is installed inside Personal store.
In that screen i had imported Server.cer.
In case it helps.
Anyway, if there is a problem it should be coupled with an error message, not with strange behaviours like screen disappearing, no errors, no warning and a lot of development time lost.
Otherwise this is a bug, that's why it hasn't been classified as an error.
I'm importing a certificate and iis is just wiping it from the GUI, why? what is happening behind there? This is really sad...
It seems to me that only specific types of certificates show up in the IIS 7 Manager. I think I noticed it was certificates imported with a password along with their private key?
So, if you are not seeing your certificate, perhaps it is the certificate type. You should still see it in the MMC for the certificate store though.
IIS 7.0 asked me a password during certificate import. I imagine it's the private key password. That's the only password i gave during creation. Anyway if a give an correct or incorrect password, the certificate is imported seamlessly and then it disappear
again without any warning message.
Which type of certificate should i create to let it fit inside IIS 7.0? I didn't find any documentation about it.
I'm not a makecert expert. I tested your 2nd command without the rootCA stuff, it created the server.cer without private key. I import it via IIS MMC - and you are right - it will disappear....... why ? not sure maybe IIS is smart enough to know that this
cer doesn't has private key, or at least from the Local computer/personal store, where IIS reads the cert list.
And becoz of that, the binding page will not shows it. However, if you go to cert MMC, the server.cer is still in the personal store.
Lastly, I do a google found this page -
http://www.inventec.ch/chdh/notes/14.htm
I ran the command syntax and I got the cert installed in the personal store with private keys, etc.
So, not sure if this is UI bug, it could be IIS is smart enough to know that the cert is not applicable for Server SSL usage.
I'm not a makecert expert. I tested your 2nd command without the rootCA stuff, it created the server.cer without private key. I import it via IIS MMC - and you are right - it will disappear....... why ? not sure maybe IIS is smart enough to know that this
cer doesn't has private key, or at least from the Local computer/personal store, where IIS reads the cert list.
And becoz of that, the binding page will not shows it. However, if you go to cert MMC, the server.cer is still in the personal store.
Lastly, I do a google found this page -
http://www.inventec.ch/chdh/notes/14.htm
I ran the command syntax and I got the cert installed in the personal store with private keys, etc.
So, not sure if this is UI bug, it could be IIS is smart enough to know that the cert is not applicable for Server SSL usage.
Yes that's the point, and i discovered it in the while... look at
this post, all is explained from the beginning to the end. Anyway, if IIS 7.0 is going to do assumption without inform users, i think that is really sad....
I thought my private key was just in the .pvk file, not for IIS...., IIS wants it in the machine key container, and HTTP.SYS too, since i was receiving 1312 binding the certificate manually for a WCF application outside IIS. IIS underneath uses HTTP API
which interfaces with HTTP.SYS... so everything now is clear.
Marzullo
15 Posts
Binding ssl certificate, disappearing from select list
Jan 10, 2007 05:55 PM|LINK
But i havn't an explicit message.
Although the certificate has been imported correctly, it doesn't appear inside the selectable list, look at this screen.
This sound a little strange also becouse if i switch to another panel and back to server certificate, the certificate imported disappear from the GUI and i've to import it again and again... All this behaviours happens without any explanation message. This seems a bug. Even if i import that server certificate, it seems iis discards it :*(
If i try with a self signed certificate it doesn't disappear from GUI and i'm able to bind it correctly.
qbernard
5019 Posts
MVP
Moderator
Re: Binding ssl certificate, disappearing from select list
Jan 11, 2007 05:34 AM|LINK
Bernard Cheah
dhacker
33 Posts
Re: Binding ssl certificate, disappearing from select list
Jan 11, 2007 01:27 PM|LINK
It seems to me that only specific types of certificates show up in the IIS 7 Manager. I think I noticed it was certificates imported with a password along with their private key?
So, if you are not seeing your certificate, perhaps it is the certificate type. You should still see it in the MMC for the certificate store though.
Marzullo
15 Posts
Re: Binding ssl certificate, disappearing from select list
Jan 11, 2007 01:35 PM|LINK
Here are the commands i used with makecert for making 2 certificates.
A self signed root trusted CA and a server certificate signed by it.
makecert -n "CN=RootTrustedCA" -r -sv RootTrustedCA.pvk RootTrustedCA.cer
makecert -sv Server.pvk -n "CN=Server" -iv RootTrustedCA.pvk -ic RootTrustedCA.cer -e 01/01/2008 Server.cer
RootTrustedCA.cer is installed inside Trusted Root Certificate Authorities store.
Server.cer is installed inside Personal store.
In that screen i had imported Server.cer.
In case it helps.
Anyway, if there is a problem it should be coupled with an error message, not with strange behaviours like screen disappearing, no errors, no warning and a lot of development time lost.
Otherwise this is a bug, that's why it hasn't been classified as an error.
I'm importing a certificate and iis is just wiping it from the GUI, why? what is happening behind there? This is really sad...
Marzullo
15 Posts
Re: Binding ssl certificate, disappearing from select list
Jan 11, 2007 01:38 PM|LINK
IIS 7.0 asked me a password during certificate import. I imagine it's the private key password. That's the only password i gave during creation. Anyway if a give an correct or incorrect password, the certificate is imported seamlessly and then it disappear again without any warning message.
Which type of certificate should i create to let it fit inside IIS 7.0? I didn't find any documentation about it.
Marzullo
15 Posts
Re: Binding ssl certificate, disappearing from select list
Jan 11, 2007 01:46 PM|LINK
Could you use my makecert commands to build those certificates and then try to import and bind them please?
qbernard
5019 Posts
MVP
Moderator
Re: Binding ssl certificate, disappearing from select list
Jan 12, 2007 03:46 AM|LINK
I'm not a makecert expert. I tested your 2nd command without the rootCA stuff, it created the server.cer without private key. I import it via IIS MMC - and you are right - it will disappear....... why ? not sure maybe IIS is smart enough to know that this cer doesn't has private key, or at least from the Local computer/personal store, where IIS reads the cert list.
And becoz of that, the binding page will not shows it. However, if you go to cert MMC, the server.cer is still in the personal store.
Lastly, I do a google found this page - http://www.inventec.ch/chdh/notes/14.htm
I ran the command syntax and I got the cert installed in the personal store with private keys, etc.
So, not sure if this is UI bug, it could be IIS is smart enough to know that the cert is not applicable for Server SSL usage.
Bernard Cheah
Marzullo
15 Posts
Re: Binding ssl certificate, disappearing from select list
Jan 12, 2007 05:20 AM|LINK
Yes that's the point, and i discovered it in the while... look at this post, all is explained from the beginning to the end. Anyway, if IIS 7.0 is going to do assumption without inform users, i think that is really sad....
I thought my private key was just in the .pvk file, not for IIS...., IIS wants it in the machine key container, and HTTP.SYS too, since i was receiving 1312 binding the certificate manually for a WCF application outside IIS. IIS underneath uses HTTP API which interfaces with HTTP.SYS... so everything now is clear.
So this issue is finally solved.
qbernard
5019 Posts
MVP
Moderator
Re: Binding ssl certificate, disappearing from select list
Jan 14, 2007 04:38 AM|LINK
Glad you fixed it.
Bernard Cheah