<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://forums.iis.net/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:cs="http://blogs.iis.net/"><channel><title>Search results matching tag 'certificate'</title><link>http://forums.iis.net/search/SearchResults.aspx?o=DateDescending&amp;tag=certificate&amp;orTags=0</link><description>Search results matching tag 'certificate'</description><dc:language>en-US</dc:language><generator>CommunityServer 2007 SP1 (Build: 20510.895)</generator><item><title>Validate User Certificate with an external Certificate Authority</title><link>http://forums.iis.net/p/1162899/1925899.aspx#1925899</link><pubDate>Mon, 23 Nov 2009 20:28:55 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:1925899</guid><dc:creator>atlasy</dc:creator><cs:applicationKey>iis7_-_security--1</cs:applicationKey><description>&lt;p&gt;Hi,&lt;br /&gt;&lt;br /&gt;I have a web application that requires a user certificate. I&amp;#39;ve hosted this application on MS Server 2008. On the other hand, I have my own certificate authority that is set up on another Server 2008.&lt;br /&gt;&lt;br /&gt;From IIS 7 of my web application server, I&amp;#39;ve created a certificate request. I&amp;#39;ve copied the request to my certificate authority&amp;nbsp;server, and&amp;nbsp;then I&amp;#39;ve issued the web app certificate.&lt;br /&gt;&lt;br /&gt;The users can get their &amp;quot;user certificate&amp;quot; from the CA server.&amp;nbsp;&lt;br /&gt;&lt;br /&gt;The problem is: My IIS 7 cannot verify&amp;nbsp;the user&amp;nbsp;certificate if&amp;nbsp;it&amp;#39;s valid or not!
I&amp;#39;m wondering how I can configure my&amp;nbsp;Web App Server (IIS 7)&amp;nbsp;to communicate with my CA Server to validate the user certificate?&lt;br /&gt;&lt;br /&gt;Thanks,&lt;/p&gt;</description></item><item><title>Strange SSL Certificate Behavior in IIS 6, Exchange Server 2003, Outlook Web Access</title><link>http://forums.iis.net/p/1161888/1921245.aspx#1921245</link><pubDate>Mon, 19 Oct 2009 18:43:42 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:1921245</guid><dc:creator>meals.software</dc:creator><cs:applicationKey>security--1</cs:applicationKey><description>&lt;p&gt;One of the businesses for whom I consult called me up to have me change
the settings on their IIS 6.0/Exchange 2003 server so their main
accountant/IT support person could get Outlook Mobile Access on his new
Palm Pre. Apparently, the Pre will choke when it encounters a SSL
certificate that is not linked from a recognized Certificate Authority
or preloaded into the Pre. Loading the SSL Cert manually brings up
another error, that the cert&amp;#39;s address does not match the server
address provided. This is the same error that the business has been
receiving for their Outlook Web Access setup since they can remember.
However, in IE the business can choose to accept the cert, bringing
them to a login screen.&lt;br /&gt; &lt;br /&gt; They have a somewhat strange domain
setup: two domains are part of their network (example.net and
examplenet.com), but they only own one of them (examplenet.com), so the
other (example.net) is not accessible from outside the office. The
business uses mail.examplenet.com as both the office network and
internet-accessible address, however the original FQDN of the server is
server.example.net, which is not addressable from outside the office.
DNS A or CNAME records point all connections from mail.examplenet.com,
smtp.examplenet.com, and pop3.examplenet.com to server.example.net.&lt;br /&gt; &lt;br /&gt;
The original SSL cert&amp;#39;s common name was &amp;quot;server&amp;quot;, not a FQDN. I thought
that creating a new cert with the FQDN the office used would allow the
Pre and OWA to work without error, at least for a self-signed cert.
However, in the IIS management console, once I removed the old cert,
created a new one (for mail.examplenet.com), signed it with the CA
existing on the server, and added it to the default web server, the
server was no longer addressable. Opening an IE window to the server&amp;#39;s
IP address, mail.examplenet.com, or server.example.net all would not
connect. Unfortunately IE does not provide usable error codes, but I
suspect it is a DNS problem in addressing the web server, as the IE
error page suggestions (check address for mistakes, server could be
down) are consistent with DNS misconfigurations.&lt;br /&gt; &lt;br /&gt; Replacing the
original cert returned everything to the original invalid address
error, but still allowed OWA (though not for the Pre). Creating and
installing a cert only for &amp;quot;mail&amp;quot; provided the same error and function
as the original cert. All of those certs used thus far were configured
with the web server template. &lt;br /&gt; &lt;br /&gt; There was a domain controller
template cert already created for &amp;quot;server.example.net&amp;quot; which, when
imported, allowed error-free access to OWA when using the
server.example.net address, though obviously threw an invalid cert
error for the address when connecting to mail.examplenet.com. Of
course, the example.net addresses cannot be used outside the office as
the office does not own that domain.&lt;br /&gt; &lt;br /&gt; I would appreciate any
suggestions and insight into allowing error-free (though still using
SSL, and yes 128-bit encryption is enabled throughout the default web
server) web access to exchange and to the Pre. Web searches for this
topic merely tell me how to create a self-signed cert for the
exchange/iis server, which does not appear to help by itself. The names
of the domains have been changed to protect the innocent. My apologies
for cross posting.&lt;/p&gt;</description></item><item><title>Re: Certificate button not present on the Access tab of the default SMTP Virtual Server</title><link>http://forums.iis.net/p/1155280/1918369.aspx#1918369</link><pubDate>Fri, 25 Sep 2009 19:44:52 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:1918369</guid><dc:creator>serverintellect_BM</dc:creator><cs:applicationKey>iis7_-_general--1</cs:applicationKey><description>&lt;p&gt;When the IIS6 SMTP Server module looks for a certificate to use for TLS encryption, it seems to check the &amp;#39;Local_Machine\my&amp;#39; store. I&amp;#39;m not sure where the OpenSSL certificate was placed by the system, but if it&amp;#39;s not in the Personal certificates section, then the SMTP server won&amp;#39;t be able to find it, and will therefore provide the error listed here.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;If you have IIS7 installed on this server, the easiest way to go about securing this would be to select the &amp;#39;Server&amp;#39; node in the IIS7 manager, select &amp;#39;Certificates&amp;#39;, and &amp;#39;Create a self-signed certificate...&amp;#39; This will place a copy of the certificate in both the &amp;#39;Local_Machine\my&amp;#39; store, as well as the Trusted Roots store. &lt;/p&gt;
&lt;p&gt;&amp;nbsp;I ran through a quick test of this: clearing out the Personal store provided the error mentioned above, but reloading the &amp;#39;Properties&amp;#39; of the SMTP server after creating the self-signed certificate through IIS showed the certificate present, and allowed it to be secured.&lt;/p&gt;
&lt;p&gt;Hope this helps!&lt;/p&gt;
&lt;p&gt;Note: To check what&amp;#39;s in a given certificate store, load up MMC (mmc.exe in the &amp;#39;Run&amp;#39; box), under &amp;#39;File&amp;#39;, select &amp;#39;Add/Remove Snap-in&amp;#39;. Under the snap-in list, select &amp;#39;Certificates&amp;#39;, and then choose Local Machine. Once back at the MMC listing, under certificates, you can check &amp;#39;Personal\Certificates&amp;#39; to see its content.&lt;/p&gt;</description></item><item><title>Re: Bought SSL Cert for wrong site :(</title><link>http://forums.iis.net/p/1160892/1917522.aspx#1917522</link><pubDate>Fri, 18 Sep 2009 18:06:39 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:1917522</guid><dc:creator>serverintellect_BM</dc:creator><cs:applicationKey>security--1</cs:applicationKey><description>&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp; In case you haven&amp;#39;t found another method of doing this (or for others that have similar inquiries) the easiest way to accomplish this would be to complete the request on the default site as normal. Once the cert request has been completed, you can &amp;quot;Remove the current certificate&amp;quot; from the Default Web Site.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&amp;nbsp;The certificate, however, still exists in the store for use. Navigate to the Directory Security for the desired site, under &amp;quot;Server Certificate...&amp;quot; select &amp;quot;Assign an existing certificate&amp;quot;, and you&amp;#39;ll see the completed and valid certificate in the store for assignment to the site. Select it, set up the https bindings, and you&amp;#39;re good to go!&lt;/p&gt;
&lt;p&gt;&amp;nbsp;Also note that creating a second CSR request, even containing the exact same information, will have a different signed certificate, as a degree of randomness is present in each generated unsigned key. IIS6 would throw an error that the request and answer don&amp;#39;t match. One would need to begin the signing process anew with the newly generated CSR.&lt;/p&gt;</description></item><item><title>create certificate for IIS 7.0 issue</title><link>http://forums.iis.net/p/1159388/1910826.aspx#1910826</link><pubDate>Mon, 20 Jul 2009 10:44:30 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:1910826</guid><dc:creator>George2</dc:creator><cs:applicationKey>iis7_-_general--1</cs:applicationKey><description>&lt;p&gt;Hello everyone,&lt;/p&gt;
&lt;p&gt;I am configuring HTTPS for IIS 7.0 and I need to create a test certificate for the IIS 7.0 server. I am new to creating certificates for IIS 7.0, and I only need a server certificate, no need for a client certificate.&lt;/p&gt;
&lt;p&gt;I am configuring IIS 7.0 on my Windows Vista Enterprise.&lt;/p&gt;
&lt;p&gt;Any recommended readings or documents?&lt;/p&gt;
&lt;p&gt;Thanks in advance,&lt;br /&gt;George&lt;/p&gt;</description></item><item><title>What to do for a rootkit...</title><link>http://forums.iis.net/p/1158419/1906905.aspx#1906905</link><pubDate>Sun, 14 Jun 2009 13:01:38 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:1906905</guid><dc:creator>rgsnowman</dc:creator><cs:applicationKey>iis7_-_security--1</cs:applicationKey><description>&lt;p&gt;&amp;nbsp;I have recently found a rootkit on my computer through AVG and am wondering how to get this thing off. I tried to get AVG to delete it but it said it cannot. I heard you can re-install Windows Vista and also restore default settings but I am not sure if that deletes everything and I&amp;#39;ll have to get an external HD and if the rootkit would get itself into there and I&amp;#39;d be re-installing a rootkit. This rootkit is screwing up my XPS One in tiny ways, it changed all my security settings and turned my anti-viruses off and I can&amp;#39;t turn them back on, messed up the background, screwed up the start menu and toolbar, and the side panel. I just want to know the best way to get this off the computer. Thanks in advance.&lt;br /&gt;&lt;/p&gt;</description></item><item><title>Re: iis client certs and FireFox</title><link>http://forums.iis.net/p/1105792/1904867.aspx#1904867</link><pubDate>Wed, 27 May 2009 04:41:31 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:1904867</guid><dc:creator>CraigHumphrey</dc:creator><cs:applicationKey>security--1</cs:applicationKey><description>&lt;p&gt;I know this was posted a few years ago, but for the sake of completeness, the solution is probably:&lt;/p&gt;
&lt;p&gt;certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT&lt;/p&gt;
&lt;p&gt;As MS Certificate Services does not enable support for Netscape/Firefox by default (for some strange reason).&lt;/p&gt;
&lt;p&gt;I found this information here:&lt;br /&gt;&lt;a href="http://www.eggheadcafe.com/software/aspnet/28768148/re-mozillafirefox-probl.aspx"&gt;http://www.eggheadcafe.com/software/aspnet/28768148/re-mozillafirefox-probl.aspx&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Hopefully that helps anyone who ends up here (I hate finding threads with no answer...)&lt;/p&gt;</description></item><item><title>Re: certificates and ssl</title><link>http://forums.iis.net/p/1155907/1896418.aspx#1896418</link><pubDate>Wed, 11 Mar 2009 19:30:43 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:1896418</guid><dc:creator>petsch</dc:creator><cs:applicationKey>security--1</cs:applicationKey><description>&lt;p&gt;Hi&lt;/p&gt;
&lt;p&gt;[quote user=&amp;quot;pociis&amp;quot;]&lt;br /&gt;I am able to access website1 and website2 with one client certificate itself. Windows Server 2003 acts as its own CA. Somewhere I missed something, please help me out on this. On the client side I use IE7.&lt;/p&gt;[/quote]&amp;nbsp; 
&lt;p&gt;Yes, I can&amp;#39;t see why that should be a problem. The client certificate is mapped to your computer or user and will just be used for authentication. You can set up the Client Certificate Authentication on as many websites as possible.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;</description></item><item><title>SSL Certificate migration</title><link>http://forums.iis.net/p/1153514/1886549.aspx#1886549</link><pubDate>Tue, 02 Dec 2008 20:54:50 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:1886549</guid><dc:creator>270net</dc:creator><cs:applicationKey>iis7_-_general--1</cs:applicationKey><description>&lt;p&gt;Hi all,&lt;/p&gt;
&lt;p&gt;&amp;nbsp;We are migrating all of our websites from Windows Server 2003 w/ IIS 6 to a new server running Windows Server 2008 w/ IIS 7.&amp;nbsp; Is there a documented way to migrate the SSL certificates over?&amp;nbsp;&amp;nbsp; &lt;/p&gt;</description></item><item><title>403.7 64 on IIS 6 on both XP 64 and server 2003 R2 64</title><link>http://forums.iis.net/p/1152787/1883609.aspx#1883609</link><pubDate>Mon, 03 Nov 2008 15:01:01 GMT</pubDate><guid isPermaLink="false">50bcf3b4-f6fe-4638-adff-0c150e922e99:1883609</guid><dc:creator>Carrots</dc:creator><cs:applicationKey>security--1</cs:applicationKey><description>&lt;p&gt;&amp;nbsp;In the IIS logs, our client has found a bunch of 403.7 64 &amp;#39;s being
logged. Most of them are to /VirtualDirectoryName, for example:&lt;br /&gt;&lt;br /&gt;2008-10-30
06:41:00 W3SVC3 xxx.xxx.xxx.xxx GET /VirtualDirectoryName - 443 -
xxx.xxx.xxx.xxx
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727;+.NET+CLR+1.1.4322;+.NET+CLR+3.0.04506&lt;br /&gt;.30;+.NET+CLR+3.0.04506.648;+.NET+CLR+3.5.21022) 403 7 64&lt;br /&gt;&lt;br /&gt;These happen quite often, sometimes 4 or so requests in a row.&lt;br /&gt;Directory
browsing is disabled on the sites, and the default page is set to
default.htm which exists, so theoretically, there should be no requests
for the path.&lt;br /&gt;I have enabled schannel logging, but couldn&amp;#39;t find one
matching the timestamp in IIS. For example, in IIS we have one for
2008-10-30 11:49:50, and in event viewer we have one for 11:49:52 and
one for 11:49:45. I also couldn&amp;#39;t find a pattern that makes it look like
the one is trailing the other by a couple of seconds.&lt;br /&gt;&lt;br /&gt;All the IIS requests are on port 443, none are on 80.&lt;br /&gt;&lt;br /&gt;Schannel logs information events, but no warnings.&lt;br /&gt;The client confirmed that the system logs and IIS logs were from the same server.&lt;br /&gt;&lt;br /&gt;They run Windows 2003 x64 R2 on an NLB cluster. The testing environment is a single machine only.&lt;br /&gt;I
am able to intermittently reproduce it on my own environment (XP 64).
One out of 20 times doing the exact same actions will give me the error
in the logs. The error does not affect the user at all.&lt;br /&gt;&lt;br /&gt;Testers
currently test on Windows XP 32, with IE6, IE7 and Firefox, using
software certs, or in some cases USB tokens. I replicated using a
software cert.&lt;br /&gt;&lt;br /&gt;Now this does not sound like something I should
be spending my time on, but the client is being audited, and this has
been raised as a concern by the auditing company.&lt;/p&gt;</description></item></channel></rss>