[RTM Vista] - Problem binding an ssl certificate to an ip:port, nothing works :-(

  • Question

  • Look at this link.
    I'm running on Windows Vista RTM as an administrator.
    The certificate has been crafted with makecert for development purposes.
    I'm getting error 1312 while registering it to whatever ip/port.
    I need this certificate to authenticate a WCF metadata exchange through https.
    I tried to log on myself using "net use" but nothing seems to happen,
    even when the "net session" command states a session actually exists.
    I'm getting confused since I should already be logged on -_- as an administrator.
    Googling around, I've found other people posting on forums that they're
    experiencing the same problem, without solutions.
    I tried to set an ssl cert on the Windows XP I have on the other partition and
    things work as expected using httpconfig.exe. But on Vista nothing works.
    If you need more details about my environment just ask for them.

    Thank you for help.
    Friday, January 5, 2007 12:48 AM

Answers

  •  Marzullo wrote:
    Here are the commands i used with makecert for making 2 certificates.
    A self signed root trusted CA and a server certificate signed by it.

    makecert -n "CN=RootTrustedCA" -r -sv RootTrustedCA.pvk RootTrustedCA.cer
    makecert -sv Server.pvk -n "CN=Server" -iv RootTrustedCA.pvk -ic RootTrustedCA.cer -e 01/01/2008 Server.cer

    RootTrustedCA.cer is installed inside Trusted Root Certificate Authorities store.
    Server.cer is installed inside Personal store.

    In case it helps.



    I solved the issue after an afternoon of attempts.
    The 1312 error was completely hijacking my mind from the real issue.

    The problem was I didn't have a private key associated with my certificate.
    When you open the certificate, there is a message telling you there is a private
    key associated with your certificate. Even the certificate icon shows a little key.

    Using Filemon I discovered the private key container is located here: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys.
    There is a file per certificate there which contains the key pair, and when you delete a certificate
    that file remains (why? -_- it should be deleted too). I didn't find any documentation about key containers and, maybe, they're left intentionally secret by MS, but it's just a guess.

    Here are the improved makecert commands I used to make things work:

    makecert -sk testRootCA -sky signature -sr localmachine -n "CN=RootTrustedCA" -ss TRUST -r RootTrustedCA.cer
    makecert -sk testServer -ss MY -sky exchange -sr localmachine -n "CN=Server" -ic RootTrustedCA.cer -is TRUST -e 01/01/2008 Server.cer

    RootTrustedCA.cer is a self-signed certificate which signs Server.cer.
    Now everything works but I still have a doubt:
    How could I know that MY is the Personal folder and TRUST is the Enterprise Trust folder inside the MMC certificate snap-in? Where are those names documented? What are the store names of the other folders? These are the folders I actually see.

    In order to guess the names I had to rely on my intuition :-|

    I think a little more documentation should be written about makecert since sometimes
    Google is more useful than MSDN :-\.
    Thanks for help.
    Thursday, January 11, 2007 6:07 PM
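    The check the thread arrived at by trial and error, as an added PowerShell example (not code from any poster): before calling netsh, confirm the certificate is in the LocalMachine Personal store, that it has a private key, and that the key container file under MachineKeys actually exists, then perform the binding and read it back. The subject CN=Server is taken from the makecert commands above; the listener address and the application id are assumptions to replace with your own.

```powershell
# Added example, not code from the thread: pre-flight check of the certificate that
# "netsh http add sslcert" will use, then the binding itself.
# Assumptions (not from the thread): subject CN=Server from the makecert commands above,
# listener 0.0.0.0:8443, and a placeholder application id that you replace with your own.
$Subject = "CN=Server"
$IpPort  = "0.0.0.0:8443"
$AppId   = "{00000000-0000-0000-0000-000000000000}"   # placeholder GUID

# HTTP.SYS reads the LocalMachine store; a certificate only in CurrentUser\My is invisible to it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject } |
    Select-Object -First 1
if (-not $cert) {
    throw "No certificate with subject '$Subject' in Cert:\LocalMachine\My."
}

# Error 1312 in this thread came from a certificate with no usable private key.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; recreate it with 'makecert ... -sky exchange -sr localmachine -ss MY' or import a .pfx."
}

# Opening the key fails when it exists in the store metadata but is inaccessible (the other
# 1312 cause reported later in this thread).
$rsa = $null
try { $rsa = $cert.PrivateKey } catch { throw "Private key is present but not accessible: $_" }

# For a CSP (makecert-style) key, locate the key container file under MachineKeys,
# the directory the thread found with Filemon; a missing file means the key is in a bad state.
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                         $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not (Test-Path $keyFile)) {
        throw "Key container file '$keyFile' is missing; the private key is unusable."
    }
    if (-not $rsa.CspKeyContainerInfo.MachineKeyStore) {
        throw "Private key lives in a user key store, not the machine store (use -sr localmachine)."
    }
}

# The binding itself; netsh needs an elevated prompt.
netsh http add sslcert "ipport=$IpPort" "certhash=$($cert.Thumbprint)" "appid=$AppId"
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# Confirm the binding that HTTP.SYS now holds.
netsh http show sslcert "ipport=$IpPort"
```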

All replies

  • Sajay, I tried the entire command too without entering the "netsh http" subprompt.
    I posted it in the other thread but, since we're continuing the discussion here, I'll quote it here too.

     Marzullo wrote:
    The problem is I would like to see your message too:
    SSL Certificate successfully added.
    Instead this is what I'm experiencing and there I've posted my situation.
    The problem still exists.


    Click on the "this" link. Obviously the certificate thumbprint is different but the rest is identical.

    Ah, and lastly, I tried the free Steve GUI tool for setting certificates. Since that GUI tool is calling the same HTTP API the command line tool netsh is exposing, in that software the function returns the same 1312 error, shown in a well-formed exception message box provided by the Steve GUI.
    So the root problem is that this function is returning us 1312 without an apparent reason.

    At the present time it's been about 1-2 weeks that I'm continuing my development without solving this issue, even after posting and googling all around the net; nobody solved it, and I'm running on the latest Vista release too. I hope some day someone will solve it :-). I've read about people experiencing this issue on RC1/2 and beta releases too.

    Thank you for help.
    Saturday, January 6, 2007 2:01 PM
  • In the meanwhile, can you just try setting the cert on IIS through the IIS management console.
    Sunday, January 7, 2007 9:58 PM
  •  Sajay - MSFT wrote:
    In the meanwhile, can you just try setting the cert on IIS through the IIS management console.


    As soon as I find some time off work I'll try it.
    Tuesday, January 9, 2007 8:34 AM
  • Using IIS 7.0 I wasn't allowed to add the certificate.
    But I don't get an explicit message.
    Although the certificate has been imported correctly, it doesn't appear inside the selectable list, look at this screen.
    This sounds a little strange also because if I switch to another panel and back to server certificates, the imported certificate disappears from the GUI and I have to import it again and again... All these behaviours happen without any explanation message. This seems a bug. Even if I import that server certificate, it seems IIS discards it :*(
    If I try with a self-signed certificate it doesn't disappear from the GUI and I'm able to bind it correctly.

    ...
    Wednesday, January 10, 2007 12:04 PM
  • You could see this error message when the certificate does not exist or is not in the LocalMachine store. Can you double check the certificate? It should also have a private key.
    Wednesday, January 10, 2007 5:32 PM
  •  Hao Xu - MSFT wrote:
    You could see this error message when the certificate does not exist or is not in the LocalMachine store. Can you double check the certificate? It should also have a private key.


    If I double click on the certificate a dialog box appears describing its properties, just like inside IE. I created it with makecert for testing purposes and yes, I have my private key in the same directory as a password-protected .pvk file. I think it is installed in my certificate store because I can see it inside the certificate snap-in inside MMC. It's stored inside the "Personal" store.
    Is that what you meant? I manually imported those certificates inside MMC.
    Wednesday, January 10, 2007 5:48 PM
  • Here are the commands I used with makecert for making 2 certificates.
    A self-signed trusted root CA and a server certificate signed by it.

    makecert -n "CN=RootTrustedCA" -r -sv RootTrustedCA.pvk RootTrustedCA.cer
    makecert -sv Server.pvk -n "CN=Server" -iv RootTrustedCA.pvk -ic RootTrustedCA.cer -e 01/01/2008 Server.cer

    RootTrustedCA.cer is installed inside Trusted Root Certificate Authorities store.
    Server.cer is installed inside Personal store.

    In case it helps.

    Wednesday, January 10, 2007 6:41 PM
  • And now IIS 7.0 is not wiping my certificate from the GUI anymore. -_-
    I can import it and use it successfully.
    IIS 7.0 was just saying "ok, there is no private key associated with this certificate, let's wipe it from the GUI" without informing the user, who was right in thinking the private key was inside a .pvk file...

    Thursday, January 11, 2007 6:18 PM
  • Glad to know that you solved the problem. The error message from "netsh http" is unfortunate. The IIS 7.0 tool could have been more user friendly. I'll see how I can help improve this.

    BTW, I had the same question about MY vs Personal. I haven't found an explanation either.

    Friday, January 12, 2007 6:19 AM
  • I think this post should be fed back to the HTTP.SYS / IIS 7.0 developers if there is a way to do it.

    So see you next issue ^_^.
    Friday, January 12, 2007 6:30 AM
  • I hit the netsh http add sslcert issue mentioned on the previous thread as well

    SSL Certificate add failed, Error: 1312

    A specified logon session does not exist.  It may already have been terminated.

    and can confirm it's related to the private key being inaccessible or in a bad state.  I'm trying for a better error message.

    Tuesday, October 23, 2007 5:32 PM
  •  Marzullo wrote:

    makecert -sk testRootCA -sky signature -sr localmachine -n "CN=RootTrustedCA" -ss TRUST -r RootTrustedCA.cer
    makecert -sk testServer -ss MY -sky exchange -sr localmachine -n "CN=Server" -ic RootTrustedCA.cer -is TRUST -e 01/01/2008 Server.cer

    Here is my problem... I have NO experience with SSL or Cert Server, but am trying to get an SSTP VPN set up.  My question is this... we already have a CA Server set up with IIS 6.  However, the SSTP VPN server obviously must run IIS7.  So I'm running into an issue with getting the certificates to match up.  I think I have created the domain certificate correctly from the VPN server per this post:

    http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part2.html

    I went through several iterations of this cert, and initially the problem was that the wrong SSL cert was bound to the SSL listener.  I finally fixed that and was able to get further in the connection process, but in looking at the client event log I get this error:

    ____________

    The SSTP-based VPN connection to the remote access server was terminated because of a security check failure. Security settings on the remote access server do not match settings on this computer. Contact the system administrator of the remote access server and relay the following information:

    SHA1 Certificate Hash: <Thumbprint from the newly requested domain certificate mentioned above>

    SHA256 Certificate Hash:

    ____________

    In playing around with the Cert Store on the client, I found that it wants to use the certificate from the CA Server that I'm assuming it received during auto enrollment to the Domain.  If I move it out of the Trusted store, I never get an authentication message like "Verifying username and password" and/or "Registering your computer on the network"... which I do if it is left alone.

    So, I went back and exported the CA Cert with the private key, but I cannot bind it to the listener... I get the 1312 error.  However, I'm almost positive that the NEWLY created certificate HAS to be the one bound there... since it contains the CN info that clients use to connect to an SSTP VPN.  If I bind the original CA Cert, the CN data will not match.

    Basically, I'm stuck now.  We have a mix of clients that are and are NOT members of the domain, but need to get SSTP working.  I have been through the guide linked to above and the "Step By Step" guide available from Microsoft, but have had no luck.

    Can anyone help?

    If I were to use the commands above... which server names do I insert where?  If "VPN" is the SSTP server, and "CA" is the domain controller with IIS6 and CertServer... will these commands work?

    Regards,

    Matthew

    Tuesday, July 15, 2008 3:36 PM
  • Solved it for myself. Enjoy if it works for you.

    makecert -r -pe -n "CN=<yourhostname>" -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 <filename>.cer

    Install this from MMC using Administrator privileges from the Local Computer version of certificate view. Install into Trusted Root Certificate Authorities. Don't muck with it after that. MS will copy it to a few places from there and do some magic.

    Both HTTPAPI.DLL routines and netsh work with this certificate configuration.

    netsh http>delete sslcert ipport=192.168.2.2:6000

    SSL Certificate successfully deleted

    Then I switched up the IP address and tried again.

    netsh http>add sslcert ipport=192.168.2.3:6000 certhash=92e100084e7a2ed62b5fffee7eab6c0912089672 appid={2bb50d9c-7f6a-4d6f-873d-5aee7fb43291}

    SSL Certificate successfully added

    Working version of this now using the HTTPSYS API. Configuration and use of the socket after this configuration. My system: 64-bit Vista Premium, 64-bit quad core. Done without Microsoft.Web.Administration.dll.

    Sunday, October 18, 2009 6:38 PM