Security API Function CertCreateSelfSignedCertificate Cannot be Used to Create A Valid SSL Certificate (per the likes of SelfSSL)

  • Question

  • Does anyone know the secret of creating a self-signed certificate with Security API function CertCreateSelfSignedCertificate that will work as an SSL certificate in IIS (versions 5 or 6)?

    I created scores of self-signed certificates with the API function which were perfectly valid in other contexts, but all were (apparently) invalid SSL certificates (none worked to SSL enable IIS).  I then discovered SelfSSL, and to my amazement, it created simple self-signed certs which worked for SSL in IIS, which were identical in most respects to those I created with API function.  I then specifically created certs which were identical in every way to those of SelfSSL (key sizes, names, extensions, properties).  Again, to my amazement, certs created with the API function failed to SSL enable IIS.

    Is the creation of a self-signed, SSL certificate for IIS a closely guarded secret?
    • Moved by Hengzhe Li Tuesday, June 21, 2011 12:14 PM Forum Consolidate (From:Microsoft Security Development Lifecycle (SDL) - Threat Modeling)
    Tuesday, May 26, 2009 5:53 PM

Answers

  • This really isn't the forum for this question. You should ask in the IIS forums over at www.iis.net.

    With that said, please remember that for a cert to be used and trusted in IIS, the root CA must be trusted (LocalMachine/TrustedRootCA) and that you use AT_KEYEXCHANGE, and NOT the AT_SIGNATURE that all the MSDN examples show, when calling CertCreateSelfSignedCertificate(). Without the key exchange keyspec, IIS won't allow it to function.

    I wish I could take credit for this and say I knew this off the top of my head. But honestly, I just took 2 minutes and googled your question. The answer is right there.

    Creating self-signed SSL certs is in no way a closely guarded secret. If you are unsure, consider asking the folks in the IIS forums, or consider calling SelfSSL.exe directly.

    Hope that helps. Good luck.

    Tuesday, May 26, 2009 8:53 PM
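One way to make the call the answer describes, as an added example that is not code from this thread, from SelfSSL, or from Microsoft's samples: it invokes CertCreateSelfSignedCertificate through P/Invoke with CRYPT_KEY_PROV_INFO.dwKeySpec set to AT_KEYEXCHANGE, installs the result in LocalMachine\My and LocalMachine\Root, and reads the recorded key spec back before anything is bound in IIS. The container name, the subject name and the choice of the Microsoft Enhanced RSA and AES CSP are assumptions for the example, and it assumes an elevated Windows PowerShell 5.1 session (the .NET CspKeyContainerInfo check relies on the .NET Framework CSP bridge).

```powershell
# Added example (not from the thread): self-signed SSL cert via CertCreateSelfSignedCertificate,
# key bound as AT_KEYEXCHANGE, installed for IIS. Run elevated in Windows PowerShell 5.1.
Add-Type -Namespace Win32 -Name CryptoApi -MemberDefinition @'
public const uint PROV_RSA_AES = 24, CRYPT_NEWKEYSET = 0x8, CRYPT_MACHINE_KEYSET = 0x20;
public const uint CRYPT_EXPORTABLE = 0x1, AT_KEYEXCHANGE = 1, AT_SIGNATURE = 2;
public const uint X509_ASN_ENCODING = 0x1, CERT_X500_NAME_STR = 3;

[StructLayout(LayoutKind.Sequential)]
public struct CRYPTOAPI_BLOB { public uint cbData; public IntPtr pbData; }

[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct CRYPT_KEY_PROV_INFO {
    public string pwszContainerName; public string pwszProvName;
    public uint dwProvType; public uint dwFlags; public uint cProvParam;
    public IntPtr rgProvParam; public uint dwKeySpec;
}

[DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CryptAcquireContext(out IntPtr phProv, string szContainer,
    string szProvider, uint dwProvType, uint dwFlags);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CryptGenKey(IntPtr hProv, uint Algid, uint dwFlags, out IntPtr phKey);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CryptDestroyKey(IntPtr hKey);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool CryptReleaseContext(IntPtr hProv, uint dwFlags);
[DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool CertStrToName(uint dwCertEncodingType, string pszX500, uint dwStrType,
    IntPtr pvReserved, byte[] pbEncoded, ref uint pcbEncoded, IntPtr ppszError);
[DllImport("crypt32.dll", SetLastError = true)]
public static extern IntPtr CertCreateSelfSignedCertificate(IntPtr hCryptProvOrNCryptKey,
    ref CRYPTOAPI_BLOB pSubjectIssuerBlob, uint dwFlags, ref CRYPT_KEY_PROV_INFO pKeyProvInfo,
    IntPtr pSignatureAlgorithm, IntPtr pStartTime, IntPtr pEndTime, IntPtr pExtensions);
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CertFreeCertificateContext(IntPtr pCertContext);
'@

$api       = [Win32.CryptoApi]
$container = 'ExampleIisSslKey'                                     # assumed container name
$provider  = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
$subject   = 'CN=localhost'                                         # assumed subject
function Fail($what) {
    throw ('{0} failed, Win32 error 0x{1:X8}' -f $what, [Runtime.InteropServices.Marshal]::GetLastWin32Error())
}

# 1. Open or create a MACHINE key container: IIS runs as a service and cannot see a user keyset.
$hProv = [IntPtr]::Zero
if (-not $api::CryptAcquireContext([ref]$hProv, $container, $provider, $api::PROV_RSA_AES, $api::CRYPT_MACHINE_KEYSET)) {
    if (-not $api::CryptAcquireContext([ref]$hProv, $container, $provider, $api::PROV_RSA_AES,
            ($api::CRYPT_NEWKEYSET -bor $api::CRYPT_MACHINE_KEYSET))) { Fail 'CryptAcquireContext' }
}

# 2. Generate the RSA pair as the container's EXCHANGE key (AT_KEYEXCHANGE); the 2048-bit
#    length travels in the high 16 bits of dwFlags. AT_SIGNATURE here is the mistake the thread is about.
$hKey = [IntPtr]::Zero
$genFlags = [uint32]((2048 -shl 16) -bor $api::CRYPT_EXPORTABLE)
if (-not $api::CryptGenKey($hProv, $api::AT_KEYEXCHANGE, $genFlags, [ref]$hKey)) { Fail 'CryptGenKey' }
[void]$api::CryptDestroyKey($hKey)          # frees the handle only; the key stays in the container

# 3. DER-encode the X.500 name (subject and issuer are the same for a self-signed cert).
$cb = [uint32]0
[void]$api::CertStrToName($api::X509_ASN_ENCODING, $subject, $api::CERT_X500_NAME_STR, [IntPtr]::Zero, $null, [ref]$cb, [IntPtr]::Zero)
$der = New-Object byte[] $cb
if (-not $api::CertStrToName($api::X509_ASN_ENCODING, $subject, $api::CERT_X500_NAME_STR, [IntPtr]::Zero, $der, [ref]$cb, [IntPtr]::Zero)) { Fail 'CertStrToName' }
$pin  = [Runtime.InteropServices.GCHandle]::Alloc($der, 'Pinned')
$blob = New-Object 'Win32.CryptoApi+CRYPTOAPI_BLOB'
$blob.cbData = $cb
$blob.pbData = $pin.AddrOfPinnedObject()

# 4. Tell CertCreateSelfSignedCertificate which key to bind: dwKeySpec MUST be AT_KEYEXCHANGE.
$kpi = New-Object 'Win32.CryptoApi+CRYPT_KEY_PROV_INFO'
$kpi.pwszContainerName = $container
$kpi.pwszProvName      = $provider
$kpi.dwProvType        = $api::PROV_RSA_AES
$kpi.dwFlags           = $api::CRYPT_MACHINE_KEYSET
$kpi.dwKeySpec         = $api::AT_KEYEXCHANGE

# 5. Issue it with the API defaults (default signature algorithm, valid from now for one year, no extensions).
$pCert = $api::CertCreateSelfSignedCertificate($hProv, [ref]$blob, 0, [ref]$kpi, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero)
if ($pCert -eq [IntPtr]::Zero) { Fail 'CertCreateSelfSignedCertificate' }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pCert   # duplicates the context
[void]$api::CertFreeCertificateContext($pCert)
[void]$api::CryptReleaseContext($hProv, 0)
$pin.Free()

# 6. Check what was actually recorded before touching IIS: the private key must resolve through the
#    CERT_KEY_PROV_INFO property and be the container's Exchange key (a Signature key is the failure mode).
$keyNumber = $cert.PrivateKey.CspKeyContainerInfo.KeyNumber
if (-not $cert.HasPrivateKey -or $keyNumber -ne 'Exchange') { throw "Key spec is '$keyNumber'; IIS needs Exchange (AT_KEYEXCHANGE)" }

# 7. Install: My is where IIS looks for server certs; Root trusts the cert as its own CA. LocalMachine, not CurrentUser.
foreach ($storeName in 'My', 'Root') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $storeName, 'LocalMachine'
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
}
'Installed {0}, thumbprint {1}, key spec {2}' -f $cert.Subject, $cert.Thumbprint, $keyNumber
# Bind it in IIS Manager (IIS 6), or on IIS 7+ with:
#   netsh http add sslcert ipport=0.0.0.0:443 certhash=<thumbprint> appid='{<any GUID>}'
```

Step 6 is the part worth keeping in any tooling of your own: a certificate whose key was generated with AT_SIGNATURE passes every other validation and still fails in IIS, and `CspKeyContainerInfo.KeyNumber` (or CertGetCertificateContextProperty with CERT_KEY_PROV_INFO_PROP_ID in native code) is the cheapest way to tell the two apart.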

All replies

  • I wish I could take credit for this and say I knew this off the top of my head. But honestly, I just took 2 minutes and googled your question. The answer is right there.

    The answer is where?  Not in any documentation I've read, and certainly not in the Security API documentation.

    With all due respect, in the future, you might want to dispense with the disrespectful tone.   Your inference that it should have taken me two minutes to find the answer to a question with an apparently undocumented answer that took days isn't appreciated, nor merited.


    In any event, thanks for the reply, and the suggestion that I use AT_KEYEXCHANGE.


    Wednesday, May 27, 2009 3:24 PM
  • I apologize if you feel I was using a disrespectful tone. That wasn't the intent. My intent was to make it clear that if you would have spent any time googling this, you would have found the same results I did about using AT_KEYEXCHANGE.

    This isn't directed at you specifically, but it seems as of late many people find it easy to blast questions in these forums without doing the leg work themselves. In this particular case, had you done a Google search for "CertCreateSelfSignedCertificate +IIS6" you would have found the answer. It was the second link. And if you looked at the topics in this forum, you would find that this wasn't the appropriate place to ask the question.

    I hope the original answer was still useful to you though. If not, please feel free to ask in a more appropriate forum. If you find you get no satisfaction there, let me know and I will try to match you up with someone who has more experience and can better answer your question, or at least direct you in the right way.

    Good luck!
    Wednesday, May 27, 2009 3:53 PM
  • Mr/Ms Epp,

    My intent was to make it clear that if you would have spent any time googling this, you would have found the same results I did about using AT_KEYEXCHANGE.

    but it seems as of late many people find it easy to blast questions in these forums without doing the leg work themselves.


    Yet another inappropriate response.  I spent three days searching for the answer to this problem, and created a hundred or more certificates, and you happened to get lucky in finding the solution to this problem using a combination of search words I did not try, finding the one blog archive with the answer.  Thank you, but, regardless of whether the question was posed to the right forum or not, please don't lecture us on the use of Google in solving our difficult problems (I use MSDN to solve most of my difficult problems – how silly of me).  Better to recognize a legitimate submission and problem when you see it, and to facilitate improvement of the quality of documentation that led to the problem in the first place, rather than denigrate the submitter.

    Incidentally, your answer was derived from the blog archive of Keith Brown, author of Programming Windows Security, Addison Wesley, 6/30/2000. Keith is one of the foremost authorities on Windows Security in the Windows development community today.  Keith apparently had this problem first, and was unsure how to solve it in January of 2009 (that's 5 months ago).  In fact, the question Keith posed was in regards to a certificate creation utility that failed to create a valid SSL certificate, just as mine did.  That you found Keith's initial reference to this obscure problem was a minor miracle.

    Regards,

    Conrad Van Hyning

    Wednesday, May 27, 2009 5:47 PM