I faced a simlar problem even when importing certificates generated from
IIS generated requests. The password asked for was the the password for
the IUSR_hostname account. There's some documentation available on the
web about this.
But I was unable to import openssl generated certificates.
Regards,
Amit.
"Dearnaley (EXT), Roger" wrote:
>
> I would like to use openssl to generate keys and certificates for import
> into Microsoft IIS 4.0 (since IIS only produces keys with up to 1024-bit RSA
> moduli).
>
> I seem to have all the key generation and signing stuff working, the problem
> is when I go to import the key and certificate into IIS. The IIS 4.0 Key
> Manager has an option Key/Inport Key.../KeySet Files which it claims will
> "Import Key Pairs generated with tools other than Key Manger" (yes, with
> typo). I assume that it takes PEM files, since IIS 4.0 generates PEM
> certificate requests and will import PEM certificates. When I go to tell it
> to import the PEM key and certificate files I generated with openssl, it
> asks me for a password. The request I generated the certificate from didn't
> include a 'challenge password' (from taking a look at one using openssl req,
> it appears that IIS-generated certificate requests don't, so I turned it off
> in the req config settings), so presumably they are asking for the password
> the key file is encrypted with. But when I give it that, it then says
> "Unable to install the certificate because you did not enter the correct
> password. SChannel error = 80090304". I have tried this with the key
> encrypted in DES, DES3, IDEA, and unencrypted (the Key Manager still asked
> for a password when the key was unencrypted), and so far nothing has worked.
> I'm rapidly running out of ideas for what to try next. From looking at them
> with openssl, the only differences between the request and certificate I
> generated and those that IIS and Verisign generated and that I installed
> successfully are that I'm using a larger RSA modulus length than the 1024
> limit IIS will produce, and that I'm using SHA1 signing not the MD5 that IIS
> uses.
>
> Does anyone here know anything about the IIS Import KeySet file facility? Do
> you have any idea what I might need to do to make it work? The Microsoft
> Help documentation on this feature is non-existent.
>
> --Roger Dearnaley <[EMAIL PROTECTED]>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
