IIS7 and Certs

Can SSL configuration be more arcane? A week ago I noticed that my server cert expired. I bought a new SBS cert via eNom (my domain name provider). SBS posts easy enough directions on their website for installing the cert. Four days later, I finally have it working.

Basically, a three-step process. Step one is you create a new certificate request in the IIS MMC; take the base64-encoded request, submit it into a form (or send it via e-mail), get it validated by the SBS folks, who send you back a base64-encoded certificate, along with some trusted root and intermediate authority certificates. Step two is using the cert management MMC plug-in to install the trusted root and intermediate certs (always a pleasure using that tool, I tell you). Step three is completing the certificate request in IIS by supplying the base64-encoded cert file, and IIS creating the appropriate corresponding private key file.

First mistake: removing the old (expired) cert before I had the new one working. Oops. No HTTPS support for my site until I fix it. Second mistake: forgetting to install the trusted root cert before completing the IIS process. Once you complete the process, there's no going back. Need to create a new request, send it to SBS, and get a new cert. One more day lost.

Now comes the hard part. New server cert installed, all the right supporting certs are in place, but IIS fails every HTTPS request (no error logs). The page IE displays is just like a DNS lookup failure, but it comes back immediately (as opposed to the latency you see with DNS failures). So what's going on? netstat -a shows that port 443 is in LISTENING state. telnet localhost 443 confirms (but resets the connection with the first keystroke). Firewall seems to be fine (allows 443). Time to sleep on it. Now it's time to find a new machine and try to put the cert on it "from scratch" to see if the issue is the old machine.
As soon as I go in to add HTTPS to the site's bindings, the problem becomes apparent: the HTTPS protocol requires a cert to be associated with it... bingo! The issue is that the old cert is gone, and I haven't re-associated the HTTPS binding with the new cert. You'd think that the site would just come back with a "bad cert" error message, but it just got stuck in a very hard-to-diagnose state. Now comes the fun part. When I try to remove the HTTPS binding and recreate it using the new server cert, I keep getting a dialog with a weird error message ("A specified login session does not exist. It may Read More...
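The silent failure described above (443 listening, every handshake reset, nothing in the logs) is cheap to check for before it costs a day. The following script is an added example, not from the original post: it walks every HTTPS binding IIS knows about and reports bindings with no certificate, bindings whose certificate has been deleted from the machine store, expired certificates, and certificates whose chain does not build because a root or intermediate was never installed. It assumes the IIS WebAdministration PowerShell module is available and that the shell is elevated.

```powershell
# Added example, not from the original post. Audits IIS HTTPS bindings for the
# failure modes described in the post. Assumes the WebAdministration module
# (IIS PowerShell support) is installed and this runs as an administrator.
Import-Module WebAdministration

function Test-IisHttpsBindings {
    $results = @()
    foreach ($b in Get-WebBinding -Protocol https) {
        $r = [ordered]@{
            Binding = $b.bindingInformation   # e.g. "*:443:"
            Hash    = $b.certificateHash
            Store   = $b.certificateStoreName
            Status  = 'OK'
        }
        if ([string]::IsNullOrEmpty($b.certificateHash)) {
            # The state the post describes: the binding exists, HTTP.sys listens
            # on 443, but there is no certificate to complete the handshake with.
            $r.Status = 'FAIL: binding has no certificate associated'
        } else {
            # Bindings usually reference the LocalMachine\My (Personal) store.
            $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
            $cert  = Get-ChildItem "Cert:\LocalMachine\$store" |
                     Where-Object { $_.Thumbprint -eq $b.certificateHash }
            if (-not $cert) {
                # Happens when the old cert is deleted before the binding is repointed.
                $r.Status = 'FAIL: bound certificate is not in the machine store'
            } elseif ($cert.NotAfter -lt (Get-Date)) {
                $r.Status = "FAIL: certificate expired $($cert.NotAfter)"
            } elseif (-not $cert.Verify()) {
                # Verify() builds the chain; false usually means the trusted root
                # or intermediate CA certificate was never imported.
                $r.Status = 'FAIL: chain does not build to a trusted root'
            }
        }
        $results += [pscustomobject]$r
    }
    return $results
}

Test-IisHttpsBindings | Format-Table -AutoSize
```

Cross-check the output against `netsh http show sslcert`, which lists what HTTP.sys actually has bound on each IP:port; if IIS shows a binding that netsh does not, re-creating the binding with the new certificate is what repairs the listener.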
Published Thursday, January 24, 2008 2:06 AM by OhmBlog