Bug in IIS when import cert and uncheck the allow to export

3 replies

Last post Nov 15, 2016 08:06 AM by Ken Schaefer

  • Bug in IIS when import cert and uncheck the allow to export

    Nov 15, 2016 06:09 AM|Timson ZOU

    I have an application that requires SSL, and I performed the actions below:

    1. Launch IIS Manager and import the cert (pfx file) with the option "Make the cert exportable" not ticked.

    2. Create a website with this cert.

    3. Test OK

    4. Reboot the server

    5. The client is not able to connect to the website, and IE asks me to enable TLS. But actually TLS is enabled on the client side.

    6. Go to the server event log; there is a system error "A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001."

    I would like to know if this is a known issue of IIS. Since the function is very common, it is hard to believe no one reported it to Microsoft and fixed it for such a long time.

    My environment: Windows Server 2008 R2, IIS 7.5. The pfx cert file is provided by our client. Thanks

  • Re: Bug in IIS when import cert and uncheck the allow to export

    Nov 15, 2016 06:18 AM|Ken Schaefer

    Timson ZOU

    I would like to know if this is a known issue of IIS. Since the function is very common, it is hard to believe no one reported it to Microsoft and fixed it for such a long time.

    It is known:

    https://blogs.msdn.microsoft.com/kaushal/2012/10/07/error-hresult-0x80070520-when-adding-ssl-binding-in-iis/

    Either leave "make cert exportable" ticked if using IIS Manager

    Otherwise, if the private key should not be exportable, then Start -> Run -> MMC.exe -> Add/Remove Snapins -> Certificates -> Computer account. Right-click on the Personal certificate store and choose "Import". Use the wizard here to import the cert and mark it "not exportable".
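
A scripted counterpart to the MMC import described above, as an added example that is not part of the original post: it loads the PFX into the Local Computer Personal store with the .NET `X509Certificate2` and `X509Store` classes, leaves out the `Exportable` flag, and reports whether the private key is in the machine key store. The function names and the PFX path are hypothetical; it assumes an elevated PowerShell prompt and a CSP-backed RSA key.

```powershell
# Added example, not from the thread. Function names and paths are hypothetical.
# Assumes an elevated prompt and a CSP-backed RSA key.

function Import-NonExportablePfx {
    param([Parameter(Mandatory = $true)][string]$PfxPath)

    $fullPath = (Resolve-Path $PfxPath).ProviderPath
    $password = Read-Host -Prompt 'PFX password' -AsSecureString

    # MachineKeySet: keep the key in the machine key store, not a user profile.
    # PersistKeySet: keep the key container after this process exits.
    # Exportable is deliberately omitted, so the key is marked non-exportable.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $fullPath, $password, $flags

    # 'My' under LocalMachine is the "Personal" store shown in the Computer account snap-in.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }

    return $cert.Thumbprint
}

function Test-CertificateMachineKey {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $cert = Get-Item -Path ('Cert:\LocalMachine\My\' + $Thumbprint) -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no associated private key." }

    # Reading PrivateKey fails or yields $null when the key container cannot be opened.
    try { $key = $cert.PrivateKey } catch { throw "Private key not accessible: $_" }
    if ($key -eq $null) { throw 'Private key not readable through the CSP API.' }

    $info = $key.CspKeyContainerInfo
    New-Object PSObject -Property @{
        Thumbprint      = $cert.Thumbprint
        MachineKeyStore = $info.MachineKeyStore   # expected: True
        Exportable      = $info.Exportable        # expected: False
        Container       = $info.UniqueKeyContainerName
    }
}

# Usage (constructed path):
#   $tp = Import-NonExportablePfx -PfxPath 'C:\temp\site.pfx'
#   Test-CertificateMachineKey -Thumbprint $tp
```

Running `Test-CertificateMachineKey` again after a reboot checks the same condition under which the failure in this thread appeared.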

  • Re: Bug in IIS when import cert and uncheck the allow to export

    Nov 15, 2016 07:01 AM|Timson ZOU

    Thanks Ken. I would like to know whether the blog could serve as official information of Microsoft? Because I have to provide evidence to my client that this is really a known issue which is confirmed by Microsoft. Thank you.

  • Re: Bug in IIS when import cert and uncheck the allow to export

    Nov 15, 2016 08:06 AM|Ken Schaefer

    Timson ZOU

    Thanks Ken. I would like to know whether the blog could serve as official information of Microsoft? Because I have to provide evidence to my client that this is really a known issue which is confirmed by Microsoft. Thank you.

    It's a Microsoft blog - the author is a Microsoft escalation engineer working on Azure (according to his Bio).

    If you need an official statement, you may need to open a support call... I don't see any KB on the Microsoft support site that documents this behaviour, unfortunately.