Security

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

qbernard — Mon, 12 Jan 2009 14:09:27 GMT

Wow.. that was tough!

Thanks for the update.

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

ganeshanekar — Mon, 12 Jan 2009 05:15:46 GMT

To benifit other users, posting what we did on this:

We worked on this offline and looked at the configuration of SSL. (Server Windows 2000 SP4 - IIS 5.0).

The actual error we’re seeing in the SSL Diagnostics tool is, "You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed."

This almost always means there’s a permissions problem accessing the private key, which is stored in the MachineKeys directory. We checked and verified the permissions and ensured that all machine keys prems are good (KB278381), but it still didn't work.

We checked the certificate which was sent by Verisign - It was in p7b format?? - It shows it has private key - but does not allow the export private key. From IIS certificate Wizard, everytime we tried to complete pending request with certificate that was sent by verisign - We see "Keyset does not exist" error.

Test certificate from SSLDiag - Works fine no issues with that at all. Issue seems to be with Verisign certificate but does not have enough evidance.

Finally after some troubleshooting instead of finding out the root cause - We concluded to take a back up of IIS metabase and re-install IIS as there are only few sites running on this box. Stam to take a call on re-installing IIS.

~ Ganesh

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

stamtarm — Wed, 07 Jan 2009 02:07:56 GMT

And now what should I do to solve the problem?

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

stamtarm — Wed, 07 Jan 2009 01:58:00 GMT

Mr. Ganeshanekar, I have sent you a email already. Thanks for your help!

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

ganeshanekar — Tue, 06 Jan 2009 08:15:38 GMT

ganeshanekar@hotmail.com

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

stamtarm — Tue, 06 Jan 2009 07:57:28 GMT

When I copied the certificate from Verisign's email to notepad and save as ".cer" file, it cannot be viewed after I double click it. It only pops up a mesasge: "this is an invalid security certificate file"

Verisign told me to save it as ".p7b" and I can open it by double click. But when I process the pending request using the ".p7b" certificate, it still failed and get the same error messge "Keyset does not exists".

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

stamtarm — Tue, 06 Jan 2009 07:32:41 GMT

I don't know why the private key of the pending CSR cannot be backup. That is, it does not allow me to export the private key, in MMC program. Verisign said that I should edit the permission of the container folder to allow administrator account and system account full control. but it doesn't help.

And the main problem is I don't know why the certificate from verisign cannot be installed in my web server. always saying "keyset does not exist".

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

stamtarm — Tue, 06 Jan 2009 07:18:26 GMT

What is your email ganeshanekar, because I don't know how to insert image using this forum's email.

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

ganeshanekar — Tue, 06 Jan 2009 07:09:48 GMT

That's Good News!

Can you send me screen shot of the website certificate (certification path tab)? (send me private message or email).

~ Ganesh

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

stamtarm — Tue, 06 Jan 2009 06:57:34 GMT

I installed the root certificate successfully. And now it is the same as before. Only showing my current certificate is expired.

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

ganeshanekar — Tue, 06 Jan 2009 04:46:02 GMT

Can you send me screen shot of the website certificate (certification path tab)?

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

stamtarm — Tue, 06 Jan 2009 04:32:21 GMT

I tried to search but it doesn't have tutorial on how to download and install the Verisign Root certificate. Is it easy to download and install? And how?

Oh, 1 found it. Let me try...

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

stamtarm — Tue, 06 Jan 2009 01:55:29 GMT

Ok, i try to install the Verisign Root CA.

And there is a security concern if I allow Ganeshanekar to access my company's web server...

Actually every thing working fine before. As I knew the certificate installed in the web server going to be expired in 20/12/2008, I renew the certificate via Verisign on 12/12/2008 and tried to install the new certificate into the web server. It failed. Afterthat, I revoke the new certificate and replace it by requesting another certificate. But still failed. Then I edit the permission of the container folders and requseted new certificate again and the installation failed again. I issued 8 certificates from Verisign already by revoke and replace.

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

ganeshanekar — Mon, 05 Jan 2009 11:12:55 GMT

Can you provide me access to server, I will walk you through the steps.

~ Ganesh

Re: Failed to install Verisign SSL digital certificate on IIS 5.0. Please help!!

Paul Lynch — Mon, 05 Jan 2009 11:08:41 GMT

Hi,

Was your previous web site certificate working properly without any errors until recently ? If so then I don't think there was a problem with either your Verisign Root or Intermediate certificates.

It sounds to me as though you have followed the instructions at the URL provided previously (https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=S:SO7094) but you have put the Verisign Intermediate certificate in your machine's Root certificate store.

If that is the case you will need to download the Verisign Root CA and place it in your machine's root store and then do the same for the Verisign Intermediate CA and place that in your machine's Intermediate cert store.

Regards,