« Previous Next »

• 01-04-2009, 11:15 PM

  stamtarm Joined on 01-05-2009, 3:07 AM Posts 19

  Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact I have tried several times, revoke and replace certificate, and asked Verisign for help too. But at the end it still failed.   Error message are shown as below:   - When installing the certificate: "Failed to install certificate, keyset does not exists"   - When trying to export the private key using MMC function, the option for "Export private key" is disabled and it says "Notes: The associated private key cannot be found.  Only the certificate can be exported."     I have changed the permission of the administrator and system account to Full Control for the following folders and files already: Folders C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA   All files inside the following folder C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys   Please kindly assist!! Thank you very much!!   sta

  Tags: SSLsecurityssl cert security iis5 xpSSL Issuesssl Server CertificateServer CertificateSSL CertificatePrivate Key

• 01-05-2009, 3:17 AM

  In reply to

  ganeshanekar Joined on 11-15-2006, 12:29 AM India Posts 528

  Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact Have you made sure that the certificate has indeed private key associated with it? You could try SSLDiag tool and check if it really related to IIS permissions/configuration issue or not. If "test certificate" and simulate handshake works with SSLDiag then this is not issue with IIS configuration or permissions and would be indeed issue with certificate itself. Let me know how it goes. HTH. ~ Ganesh

• 01-05-2009, 4:12 AM

  In reply to

  Paul Lynch Joined on 05-24-2006, 5:41 AM UK Posts 1,197

  Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact Hi, It looks to me as though you have installed the certificate you received from Verisign without first processing the pending certificate request on the machine where the CSR was generated. This will result in a situation where you have a certificate with no private key on your machine. Can you confirm that you followed the steps outlined here : Certificate Signing Request (CSR) Generation Instructions - Microsoft IIS 6.0 Installation Instructions - Microsoft IIS 6.0 If you haven't you will need to process the original pending request. This should produce a valid cert with an associated private key. Regards,  Paul Lynch | www.iisadmin.co.uk

• 01-05-2009, 4:18 AM

  In reply to

  stamtarm Joined on 01-05-2009, 3:07 AM Posts 19

  Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact Below is the configuration of my website. I have hidden some details.   [ W3SVC/1 ] ServerComment = Default Web Site [Port:80] ServerAutoStart = True ServerState = Server started #Impersonated server account SSLCertHash = 2c cb 03 48 69 fc 03 9e bb 61 f5 99 1a 5d f5 36 14 f1 5c 5d SSLStoreName = MY #CertName = ****** #You have a private key that corresponds to this certificate #ContainerName='91a03a8215b59e4d04fa7fdeeac0f651_f933bf58-703d-4dbb-a0cf-b8ce6f38385b' #ProvName='Microsoft RSA SChannel Cryptographic Provider' ProvType=PROV_RSA_SCHANNEL KeySpec=AT_KEYEXCHANGE #Subject: C=**, S=**, L=**, O=**, OU=Administration Department, OU=Terms of use at www.verisign.com/rpa (c)05, CN=*** #Issuer: O=VeriSign Trust Network, OU="VeriSign, Inc.", OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign #Validity: From 2006/12/14 上午 08:00:00 To 2008/12/20 上午 07:59:59 #WARNING:CertVerifyCertificateChainPolicy returned error -2146762495(0x800b0101) SecureBindings = 172.16.1.4:443:

• 01-05-2009, 4:28 AM

  In reply to

  stamtarm Joined on 01-05-2009, 3:07 AM Posts 19

  Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact I don't know whether I did it right in the first time. But I have tried several times to revoke and replace the certificate by generating new pending request in my website and paste the outcoming code to verisign's website for getting a new certificate. Then I use the certificate attached at the end of the email to import into the website. Then it fails.

• 01-05-2009, 4:33 AM

  In reply to

  stamtarm Joined on 01-05-2009, 3:07 AM Posts 19

  Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact Simulate Handshake (current expired certificate): System time: Mon, 05 Jan 2009 09:33:20 GMT Connecting to 172.16.1.4:443 Connected Handshake: 78 bytes sent Handshake: 2235 bytes received Handshake: 182 bytes sent Handshake: 43 bytes received Handshake succeeded Verifying server certificate, it might take a while... #WARNING:Error 0x800b0101 : The server certificate is expired Server certificate name: **** Server certificate subject: C=**, S=**, L=**, O=**, OU=Administration Department, OU=Terms of use at www.verisign.com/rpa (c)05, CN=** Server certificate issuer: O=VeriSign Trust Network, OU="VeriSign, Inc.", OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign Server certificate validity: From 2006/12/14 上午 08:00:00 To 2008/12/20 上午 07:59:59 HTTPS request: GET / HTTP/1.0 User-Agent: SSLDiag Accept:*/* HTTPS: 72 bytes of encrypted data sent HTTPS: 349 bytes of encrypted data received HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Mon, 05 Jan 2009 09:33:37 GMT Connection: Keep-Alive Content-Length: 25868 Content-Type: text/html Set-Cookie: ** Set-Cookie: ASPSESSIONIDAARQSCSC=KOLDMGMADGBKPBILGIGNPEIC; path=/ Cache-control: private HTTPS: 10220 bytes of encrypted data received HTTPS: 3736 bytes of encrypted data received HTTPS: 2449 bytes of encrypted data received <script type="text/javascript" language="JavaScript1.2" src="javascript/constant.js"></script> <script type="text/javascript" language="JavaScript1.2" src="javascript/common.js"></script> ....... ....... HTTPS: server disconnected Final handshake: 23 bytes sent successfully

• 01-05-2009, 4:36 AM

  In reply to

  ganeshanekar Joined on 11-15-2006, 12:29 AM India Posts 528

  Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact I just went through the error message that you have posted here: #WARNING:CertVerifyCertificateChainPolicy returned error -2146762495(0x800b0101) err 0x800b0101 # for hex 0x800b0101 / decimal -2146762495 :   CERT_E_EXPIRED                              # A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. Looks like the ROOT CA certicate is expired (which is in chain of your website certificate). Can you check/verify all the chain and update the Root CA if any of them expired? Check this out and update the CA's Certificate: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=S:SO7094 HTH. ~ Ganesh

• 01-05-2009, 4:36 AM

  In reply to

  stamtarm Joined on 01-05-2009, 3:07 AM Posts 19

  Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact Simulate handshake (NEW CREATED ceritificate using SSLDiag tool) System time: Mon, 05 Jan 2009 09:35:23 GMT Connecting to 172.16.1.4:443 Connected Handshake: 78 bytes sent Handshake: 875 bytes received Handshake: 182 bytes sent Handshake: 43 bytes received Handshake succeeded Verifying server certificate, it might take a while... Server certificate name: *** Server certificate subject: CN=**, OU=2c cb 03 48 69 fc 03 9e bb 61 f5 99 1a 5d f5 36 14 f1 5c 5d, O={7EF2B15E-6A62-4588-B61E-3CBF416FA155} Server certificate issuer: CN=***, OU=2c cb 03 48 69 fc 03 9e bb 61 f5 99 1a 5d f5 36 14 f1 5c 5d, O={7EF2B15E-6A62-4588-B61E-3CBF416FA155} Server certificate validity: From 2009/1/5 下午 05:35:16 To 2009/1/12 下午 05:35:16 HTTPS request: GET / HTTP/1.0 User-Agent: SSLDiag Accept:*/* HTTPS: 72 bytes of encrypted data sent HTTPS: 349 bytes of encrypted data received HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Mon, 05 Jan 2009 09:35:24 GMT Connection: Keep-Alive Content-Length: 25868 Content-Type: text/html Set-Cookie: *** Set-Cookie: ASPSESSIONIDAARQSCSC=DPLDMGMAHOMOKGBGHNBINIPI; path=/ Cache-control: private HTTPS: 11036 bytes of encrypted data received HTTPS: 5024 bytes of encrypted data received HTTPS: 345 bytes of encrypted data received <script type="text/javascript" language="JavaScript1.2" src="javascript/constant.js"></script> <script type="text/javascript" language="JavaScript1.2" src="javascript/common.js"></script> ......... ........ HTTPS: server disconnected Final handshake: 23 bytes sent successfully

• 01-05-2009, 4:40 AM

  In reply to

  ganeshanekar Joined on 11-15-2006, 12:29 AM India Posts 528	Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact Restore your website's cert back and just update the Intermediate CA Certificate. I have posted a link in my eariler post. Here it is again: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=S:SO7094 HTH. ~ Ganesh

• 01-05-2009, 4:49 AM

  In reply to

  stamtarm Joined on 01-05-2009, 3:07 AM Posts 19	Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact I can see that in the certification path: Verisign class 3 public primary CA www.verisign.com/CPS ...... X my certificate (which showing a cross in front of it) Thanks, I am now trying.

• 01-05-2009, 4:53 AM

  In reply to

  ganeshanekar Joined on 11-15-2006, 12:29 AM India Posts 528

  Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact Is it a valid certificate? From your eariler post: #Subject: C=**, S=**, L=**, O=**, OU=Administration Department, OU=Terms of use at www.verisign.com/rpa (c)05, CN=*** #Issuer: O=VeriSign Trust Network, OU="VeriSign, Inc.", OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign #Validity: From 2006/12/14 上午 08:00:00 To 2008/12/20 上午 07:59:59 #WARNING:CertVerifyCertificateChainPolicy returned error -2146762495(0x800b0101) So it seems, Verisign certficate is indeed expired on 12/20/2008 which you will need get an update from Verisign. HTH. ~ Ganesh

• 01-05-2009, 4:56 AM

  In reply to

  stamtarm Joined on 01-05-2009, 3:07 AM Posts 19	Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact Yes, the current one is expired, so I got a new one by renewing it via Verisign and try to import the new one and it fails.

• 01-05-2009, 5:03 AM

  In reply to

  ganeshanekar Joined on 11-15-2006, 12:29 AM India Posts 528	Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact What does fails means? Can you post screen shot of error here?

• 01-05-2009, 5:05 AM

  In reply to

  stamtarm Joined on 01-05-2009, 3:07 AM Posts 19

  Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact Error message are shown as below:   - When I install the certificate, at the end it told me "Failed to install certificate, keyset does not exists"   - When I try to export the private key using MMC function (typed at RUN) according to Verisign's suggestion, the option for "Export private key" is disabled and it says "Notes: The associated private key cannot be found.  Only the certificate can be exported."

• 01-05-2009, 5:11 AM

  In reply to

  ganeshanekar Joined on 11-15-2006, 12:29 AM India Posts 528

  Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!! Reply Contact Can you try following: 1. First install the updated Intermediate Verisign certificate. 2. Ensure that it is updated - You can just double click on the .cer file that you received from verisign for Your website and click on certification path tab ( it should complete chain without any Red 'X' on it. 3. Then in IIS run certificate wizard and select option of replace certificate and choose your website certificate. HTH. ~ Ganesh