Title: IIS and CA in 2000
Shannon,
 
Adil is right - W2K will complain if something goes wrong - usually only the result of crap application install programs or determined manual messing around.
 
Can you check if your CA is in the Trusted Root list - should be already if you installed CA as a stand-alone (IE\Tools\Internet Options\Content\Certificates - "Trusted Root Certification Authorities")
 
I assume you did install as a Stand-alone CA?
 
Chris Shattock
----- Original Message -----
Sent: Wednesday, September 26, 2001 3:35 PM
Subject: RE: IIS and CA in 2000

Thanks Chris. I am going to give that a look. I am a little confused as to whether I need to re-install the q301625 after (first) un-installing/re-installing Certificate Services and (second) W2K SP 2. I have always been told that a good rule of thumb is if you have to insert the W2K Server install CD and it copies files from it you need to re-install the latest Service pack. I am not sure if this is the case with q301625. BTW, I had already un-installed and re-installed Certificate Services/W2K SP2 before I got your reply. It is all back up now. I am still having one issue that I need to deal with.

I am still getting the error "The security certificate was issued by a company that you have not chosen to trust. View the certificate and to determine whether you want to trust the certifying authority". I click view the certificate, then I run the "Install Certificate" and it imports and installs successfully, but I still get the security alert each time I exit Internet Explorer and restart Internet Explorer to access the site.

Sorry to keep hitting you with questions. I really appreciate your help with this issue. It has been very useful.
 
SS

 
 
 -----Original Message-----
From: Chris Shattock [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 7:03 AM
To: NT System Admin Issues
Subject: Re: IIS and CA in 2000

No I wasn't. Yes I am now: Following apply it appears that the patch removed the CertSrv virtual directory from localhost - these things are sent to amuse us. Just re-create a virtual directory called CertSrv and point it to the certsrv subdirectory of %systempath%\system32\certsrv.
 
Of course your machine is probably hugely different from mine (which will be rebuilt this weekend it is so screwed up) that you may have other issues. Firstly check to see if the localhost\CertSrv is still there.
 
Chris Shattock
----- Original Message -----
Sent: Wednesday, September 26, 2001 2:12 PM
Subject: RE: IIS and CA in 2000

I just crashed my Certificate Service. I installed MS's latest cumulative IIS patch (q301625) to tighten IIS back up and the certificate service will not start now. I am going to re-install the W2K SP2 and see if that fixes it. If not I guess I will have to remove/re-install certificate services. Are you running the q301625 patch mentioned above?
 
SS 
-----Original Message-----
From: Chris Shattock [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 6:10 AM
To: NT System Admin Issues
Subject: Re: IIS and CA in 2000

Check my earlier reply for port# - if you have all defaults forget it - just default to 80.
Personally I don't read that much - this and other things I find out by trying - consequently I end up rebuilding my server every 3 weeks or so - but each time I do it goes quicker (after re-installing W2KS and AS x times since 1998!).
 
I have found a self-certified CA to be very useful for development and testing out multiple IP-less hosting with different SSL's and Exchange etc. - they're all done the same way. So have some fun!
----- Original Message -----
Sent: Wednesday, September 26, 2001 1:02 PM
Subject: RE: IIS and CA in 2000

Man, that was dead on!! After posting yesterday evening, I finally came across an article that explained this. This info was not the easiest to find. The only difference in the article from your info was how to access the local host. They are suggesting http://localhost/certsrv . This seemed to work. They did not mention the port #. I am going to have to go back through it and see if I can find the option for Web server. I don't recall seeing that. My next task is getting rid of the errors for stuff not matching. Thanks a million for the info.
Have a good one,
SS 
-----Original Message-----
From: Chris Shattock [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 2:34 AM
To: NT System Admin Issues
Subject: Re: IIS and CA in 2000

I'll assume that you have already generated and saved the certificate request file (say certreq.txt) from IIS. From there:
Select Request a Certificate - hit Next
Select Advanced Request - hit Next
Select the second option: "Submit a certificate request using a base 64..." - hit Next
Copy and Paste the entire contents of your certreq.txt file into the "Saved Request" text field. On the Certificate Template drop-down select "Web Server" and hit Submit.
If your CA is appropriately set-up you can on the next screen download and save the DER (or Base 64) encoded certificate - which can then be picked up by the IIS Assign Server Certificate Wizard. If not: you need to start the CA Management Console and manually issue the certificate request by right-clicking the request in the Pending List - you can then use http://localhost:91/CertSrv/default.asp to 'pick-up' and save the certificate from the server (or export it manually from the CA Management Console).
In IIS when you 're-start' the Wizard just give it the name/location of the .cer file that was generated containing the encoded certificate.
 
Chris Shattock
----- Original Message -----
Sent: Wednesday, September 26, 2001 1:10 AM
Subject: IIS and CA in 2000

I am not sure if this is an appropriate question for this list, but here it goes.
I have a W2K SP2 server running IIS 5.0 and have installed Certificate Services in Stand Alone mode (because I want to issue certificates over the internet). I am trying to get the default website up and running SSL. The site functions properly until I invoke the SSL. My question is how do I "bind" a certificate to the site? I have used Verisign in the past and I just send them my file and they send back a new file to install on the site. I can not figure out how to do this with MS's Certificate Authority. I have never seen the process from a Verisign stand point and this is where I am stuck. I have read numerous articles on how to do this and they all seem to tell me how to install Certificate Services and stop there.

Thanks,

SS

Want to unsub? Do that here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english
Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/
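
The request, issue and trust-check flow discussed in this thread, reproduced with OpenSSL as an added example (it is not part of any message above and is not the Windows tooling the thread describes). All subject names and file names other than `certreq.txt` are constructed, and `make_root`, `issue_server_cert`, `trusted_by` and `demo` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. All names, subjects and file names are constructed.

# Create a self-signed root, the analogue of a stand-alone CA's certificate.
make_root() {   # $1 = output prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.cer" 2>/dev/null
}

# Create a server key and a base64 request (the certreq.txt step), then
# have the CA issue server.cer from that request.
issue_server_cert() {   # $1 = work dir, $2 = CA prefix
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/server.key" -out "$1/certreq.txt" 2>/dev/null || return 1
    openssl x509 -req -in "$1/certreq.txt" -days 30 -CAcreateserial \
        -CA "$2.cer" -CAkey "$2.key" -out "$1/server.cer" 2>/dev/null
}

# True only when the certificate chains to a root listed in the trust file.
trusted_by() {   # $1 = trust file (PEM), $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run the whole flow in a scratch directory and report each trust decision.
demo() {
    work=$(mktemp -d) || return 1
    make_root "$work/ca" "Example Standalone Root CA" || return 1
    make_root "$work/other" "Unrelated Root CA" || return 1
    issue_server_cert "$work" "$work/ca" || return 1
    for store in ca other server; do
        if trusted_by "$work/$store.cer" "$work/server.cer"; then
            echo "$store.cer as trust root: server.cer verifies"
        else
            echo "$store.cer as trust root: server.cer NOT trusted"
        fi
    done
    rm -rf "$work"
}

demo
```

Under OpenSSL's default validation only the first case verifies: an unrelated root does not help, and listing the server certificate itself as trusted does not either, because the issuing root has to be in the trust file.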