From: SuperGumby [SBS MVP] on 3 Jan 2010 21:19

my mistake.

"Mike W." <MikeW(a)discussions.microsoft.com> wrote in message news:7AA7BC8A-16AF-46D8-B7B8-A5A6F50949FE(a)microsoft.com...
>
> "SuperGumby [SBS MVP]" wrote:
>
>> Sounds like you are looking at the IIS cert wiz, not the SBS wiz.
>
> This is what I am referring to:
>
> http://i.imgur.com/AZOFr.jpg
From: Cliff Galiher on 4 Jan 2010 01:07

Okay, the short answer is that the certificate you have "on record" is not a valid private certificate. The fact that you can't export the private key is the first indication of this.

To better explain this, you can go to *any* website that is secured (for example, a large bank) and view the certificate in the browser. While viewing the certificate, you can *save* that certificate. But you are only saving the public key. You don't have *access* to the private key (nor should you!) If you were to import that saved certificate onto your machine, you could then export it again, but the "export private key" would be grayed out, just like the behavior you are seeing now. This tells me that the certificate you have now does *not* have a private key attached.

Now, for the really bad news. Usually most 3rd-party certificate providers don't send you the private key. Obviously if someone else can get a hold of the private key from the 3rd-party provider, by hack or social engineering, then your certificate is no longer particularly secure. The private key is...*drumroll*...generated when you generate the CSR for the certificate (this isn't IIS specific, Apache operates very similarly.) So when you get a certificate from a provider and perform the second step of importing the certificate, the wizard does the internal configuration of pairing the public and private key pairs and making the whole bundle available to the IIS process for encrypting and decrypting traffic.

...and that is why this is bad news. By regenerating your CSR, you've essentially generated a *new* private key as well. The public certificate you have doesn't match, so the wizard fails to import and pair the certificate. Hence the error you now see when you attempt to use the wizard. Importing the certificate via the MMC only is pulling in the public half and not pairing it with a private key...similar to how I outlined the process above. A person would do this if they wanted to trust a site, but they didn't operate the site, thus had no need/desire/access to the private key. Which is why the MMC snap-in even allows this process.

You are now in a situation where you have two choices:

1) Restore the certificate store from a backup.
2) Take your new CSR and have the 3rd-party provider re-issue a new certificate.

I'd also take the added step of explicitly revoking the old one, since apparently other shenanigans have taken place on this server already by parties outside of your control.

-Cliff

"Mike W." <MikeW(a)discussions.microsoft.com> wrote in message news:42EC30C8-26FE-4818-A9DA-9BD38CAE888C(a)microsoft.com...
>
> "Cliff Galiher" wrote:
>
>> So again, use the wizard (which will work with .crt and .cer files.)
>
> Actually, no this doesn't work for me. I should have mentioned that I've
> already tried this.
>
> When I run the Wizard, after the first Next button, I get two options:
>
> 1. I want to buy a certificate from a certificate provider.
> 2. I want to use a certificate already installed on the server.
>
> Option 1 forces me to create a CSR. I do that, but I subsequently can't
> import the cert I already have on record. The error is: "The imported
> certificate does not match your Web site. Verified that you have selected
> the correct certificate file, and then try again."
>
> Option 2 brings up a list of installed certificates. My certificate doesn't
> appear in that list. No certificates appear in that list.
>
> On the "Before you begin" page of the wizard, there is a link titled, "How
> do I import an existing trusted certificate?" This link leads one through
> the wizard for exporting a current cert. However, I cannot choose the "Yes,
> export the private key" option. It is grayed out.
>
> On a whim, I've removed the certificate from the Personal section within
> the Certificates snap-in for the Computer account and re-imported the .cer
> file I have. I am successful, but this cert still doesn't show up in the
> list of already installed certificates.
>
> Does that help further explain the problem?
>
> Cheers,
>
> m
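The key-pairing failure Cliff describes can be reproduced end to end with openssl. The following is an added example, not code from the thread or from the SBS wizard: it stands in a throw-away "CA" for the commercial provider, generates a key and CSR, has the CA issue a certificate, then regenerates the CSR (which mints a new key) and shows that the issued certificate matches only the original key, that a bare .crt carries no private key, and that bundling the wrong key with the certificate into the PKCS#12 IIS needs is refused. The common name, file names and the 2-day validity are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the CSR / private-key
# mismatch with openssl. The private key is created when the CSR is made; the
# CSR and the issued certificate carry only the public half. Regenerating the
# CSR makes a fresh key that the already-issued certificate no longer matches.
# All names, the CN and the throw-away "CA" are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so "openssl req" does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
EOF

# make_csr NAME: generate NAME.key and a CSR NAME.csr built from that key.
make_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$1.key" \
        -subj "/CN=mail.example.test" -out "$WORK/$1.csr" 2>/dev/null
}

# issue_cert CSR OUT: stand-in for the commercial CA signing the request.
issue_cert() {
    if [ ! -f "$WORK/ca.key" ]; then
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$WORK/ca.key" 2>/dev/null
        openssl req -x509 -new -config "$WORK/req.cnf" -key "$WORK/ca.key" \
            -subj "/CN=Example Test CA" -days 2 -out "$WORK/ca.crt" 2>/dev/null
    fi
    openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 -out "$2" 2>/dev/null
}

# pubkey_fingerprint FILE: SHA-256 of the public key inside a .key, .csr or
# .crt, so all three artefacts can be compared directly.
pubkey_fingerprint() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req -in "$1" -pubkey -noout ;;
        *.crt) openssl x509 -in "$1" -pubkey -noout ;;
        *) echo "unknown file type: $1" >&2; return 2 ;;
    esac | openssl sha256 | sed 's/^.*= //'
}

# key_matches_cert KEY CRT: true only when KEY is the private half of the
# public key in CRT; this is the check the import wizard is effectively doing.
key_matches_cert() {
    [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# has_private_key FILE: does the file carry a private key at all? A .cer
# saved from a browser or exported "without private key" never does.
has_private_key() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1
}

# bundle_pfx KEY CRT OUT: pair key and cert into a PKCS#12 (.pfx), the form
# IIS can import; openssl refuses ("No certificate matches private key")
# when KEY is not the pair of CRT.
bundle_pfx() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -passout pass:demo \
        -out "$3" >/dev/null 2>&1
}

# The scenario from the thread.
make_csr original                                   # first CSR: key is born here
issue_cert "$WORK/original.csr" "$WORK/mail.crt"    # CA returns the certificate
make_csr regenerated                                # CSR regenerated: new key

for k in original regenerated; do
    if key_matches_cert "$WORK/$k.key" "$WORK/mail.crt"; then
        echo "$k.key matches mail.crt"
    else
        echo "$k.key does NOT match mail.crt"
    fi
done
has_private_key "$WORK/mail.crt" || echo "mail.crt alone carries no private key"
bundle_pfx "$WORK/regenerated.key" "$WORK/mail.crt" "$WORK/bad.pfx" \
    || echo "pairing regenerated.key with mail.crt fails, as the wizard does"
bundle_pfx "$WORK/original.key" "$WORK/mail.crt" "$WORK/good.pfx" \
    && echo "original.key + mail.crt bundled into good.pfx"
```

The same fingerprint comparison works on a real CSR, key and provider-issued certificate; if the CSR and the certificate agree but no key on disk matches, the key that made the CSR is gone and only the two options Cliff lists remain. On the Windows side, `certutil -store my` lists each certificate in the machine store along with whether a private key is attached, and `certutil -repairstore my <serial>` re-links a certificate imported from a bare .cer to a private key that still exists in the machine's key store; it cannot help once that key has been replaced by a regenerated request.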
From: Mike W. on 4 Jan 2010 12:09

Hey Ace,

"Ace Fekay [MCT]" wrote:
> What type of certificate did you purchase? Was it a single name certificate,
> or a multi-name certificate also known as a UC/SAN cert?

It is/was a single-name cert.

Thanks,
Mike...
From: Mike W. on 4 Jan 2010 14:15

"Bill Sanderson" wrote:
> In my case, I simply read and followed the instructions in the install
> certificate wizard. I was able to export the in-place (godaddy) certificate
> with no issues, but that wasn't needed--I proceeded through the wizard, told
> it to use the existing certificate, which it did without complaint.

I read a blog post that referenced the GoDaddy certs and how exporting the in-place cert would work. However, the step-by-step that I had found indicated I need to export the private key. That option wasn't available to me. I am unsure why.

Thanks for this follow-up. It's also curious that you ran into the same troubles...
From: Ace Fekay [MCT] on 4 Jan 2010 14:23

"Mike W." <MikeW(a)discussions.microsoft.com> wrote in message news:48842970-D7FB-4626-B776-B3B2BE846832(a)microsoft.com...
>
> "Bill Sanderson" wrote:
>
>> In my case, I simply read and followed the instructions in the install
>> certificate wizard. I was able to export the in-place (godaddy) certificate
>> with no issues, but that wasn't needed--I proceeded through the wizard, told
>> it to use the existing certificate, which it did without complaint.
>
> I read a blog post that referenced the GoDaddy certs and how exporting the
> in-place cert would work. However, the step-by-step that I had found
> indicated I need to export the private key. That option wasn't available to
> me. I am unsure why.
>
> Thanks for this follow-up. It's also curious that you ran into the same
> troubles...

The private key belongs to GoDaddy, and they hold it, hence why it's not exportable, because it's not part of the cert.

Ace