Title: IIS and CA in 2000
Yes, I
did install as a Stand Alone Root CA. From what I have read you cannot use
Enterprise for Internet issued certs, just domain stuff. I have it up and
running now. I also figured out a work around for the Security Alert I mentioned
earlier. I was under the assumption that viewing and installing the cert on
first access to the site would write the cert in your local cert database. It
wasn't doing that. So I went to the certsrv page and request a cert that way and
it actually installed the cert in the local cert database. The error went away.
I have set the site to require a cert on access or access will be denied, so you
have to go request a cert the way I mentioned above to access the site so this
kind of took care of the security alert problem. That also is working well. I
was wonder if there is a way to pass a cert name via the url line to tell it
what cert to use to access the site versus having to answer the browser on every
access. Now it comes up on access and asks what cert do you want and you have to
select the appropriate cert and hit ok. This may not be possible but I was
thinking along the lines of how you do port assignments. Ex. https://111.111.111.111:80. By the
way, I re-installed q301625 after un-installing/re-installing certificate
services and it didn't hose out cert services again?? Go figure!! My virtual
cersrv directory apparently held its associations to the certsrv directory this
time.
Thanks,
SS
Shannon,
Adil is right - W2K will complain if something
goes wrong - usually only the result of crap application install programs
or determined manual messing around.
Can you check if your CA is in the Trusted Root
list - should be already if you installed CA as a stand-alone
(IE\Tools\Internet Options\Content\Certificates - "Trusted Root Certification
Authorities")
I assume you did install as a Stand-alone
CA?
Chris Shattock
----- Original Message -----
Sent: Wednesday, September 26, 2001
3:35 PM
Subject: RE: IIS and CA in 2000
Thanks Chris. I am going to give that a look. I am a little
confused as to whether I need to re-install the q301625 after (first)
un-installing/re-installing Certificate Services and (second) W2K SP 2. I
have always been told that a good rule of thumb is if you have to
insert the W2K Server install CD and it copies files from it you need
to re-install the latest Service pack. I am not sure if this is the case
with q301625. BTW, I had already un-installed and re-installed
Certificate Services/W2K SP2 before I got your reply. It is all back up
now. I am still having one issue that I need to deal with.
I am still getting the error "The security certificate was issued by a
company that you have not chosen to trust. View the certificate and to
determine whether you want to trust the certifying authority". I click view
the certificate, then I run the "Install Certificate" and it imports and
installs successfully, but I still get the security alert each time I exit
Internet Explorer and restart Internet Explorer to access the site.
Sorry to keep hitting you with questions. I really
appreciate your help with this issue. It has been very
useful.
SS
-----Original
Message-----
From: Chris Shattock
[mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001
7:03 AM
To: NT System Admin Issues
Subject: Re: IIS and
CA in 2000
No I wasn't. Yes I am now: Following apply it
appears that the patch removed the CertSrv virtual directory from
localhost - these things are sent to amuse us. Just re-create a virtual
directory called CertSrv and point it to the certsrv subdirectory of
%systempath%\system32\certsrv.
Of course your machine is probably hugely
different from mine (which will be rebuilt this weekend it is so screwed
up) that you may have other issues. Firstly check to see if the
localhost\CertSrv is still there.
Chris Shattock
----- Original Message -----
Sent: Wednesday, September 26, 2001
2:12 PM
Subject: RE: IIS and CA in
2000
I just crashed my Certificate Service. I installed WS's latest
cumulative IIS patch (q301625) to tighten IIS back up and the
certificate service will not start now. I am going to re-install the W2K
SP2 and see if that fixes it. If not I guess I will have to
remove/re-install certificate services. Are you running
the q301625 patch mentioned above?
SS
Check my earlier reply for port# - if you
have all defaults forget it - just default to 80.
Personally I don't read that much - this
and other things I find out by trying - consequently I end up
rebuilding my server every 3 weeks or so - but each time I do it goes
quicker (after re-installing W2KS and AS x times since
1998!).
I have found a self-certified CA to be
very usefule for devolpment and testing out multiple IP-less hosting
with different SSL's and Exchange etc. - they're all done the same
way. So have some fun!
----- Original Message -----
Sent: Wednesday, September 26,
2001 1:02 PM
Subject: RE: IIS and CA in
2000
Man, that was dead on!! After posting yesterday evening, I
finally came across an article that explained this. This info
was not the easiest to find. The only difference in the article from
your info was how to access the local host. They are suggesting http://localhost/certsrv . This
seemed to work. They did not mention the port #. I am going to have
to go back through it and see if I can find the option for Web
server. I don't recall seeing that. My next task is getting rid of
the errors for stuff not matching. Thanks a million for the
info.
Have a good one,
SS
I'll assume that you have already
generated and saved the certificate request file (say certreq.txt)
from IIS. Form there:
Select Request a Certificate - hit
Next
Select Advanced Request - hit
Next
Select the second option: "Submit a
certificate request using a base 64..." - hit Next
Copy and Paste the entire contents of
your certreq.txt file into the "Saved Request" text field. On the
Certificate Template drop-down select "Web Server" and hit
Submit.
If your CA is appropriately set-up
you can on the next screen download and save the DER (or Base 64)
encoded certificate - which can then be picked up by the IIS
Assign Server Certificate Wizard. If not: you need to start the CA
Management Console and manually issue the certificate request by
right-clicking the request in the Pending List - you can then use
http://localhost:91/CertSrv/default.asp to
'pick-up' and save the certificate from the server (or export it
manually from the CA Management Console).
In IIS when you 're-start' the Wizard
just give it the name/location of the .cer file that was generated
containing the encoded certificate.
Chris Shattock
----- Original Message -----
Sent: Wednesday, September
26, 2001 1:10 AM
Subject: IIS and CA in
2000
I am not sure if this is an
appropriate question for this list, but here it goes.
I have a W2K SP2 server
running IIS 5.0 and have installed Certificate Services in Stand
Alone mode (because I want to issue certificates over the
internet). I am trying to get the default website up and running
SSL. The site functions properly until I invoke the SSL. My
question is how do I "bind" a certificate to the site? I have
used Verisign in the past and I just send them my file and they
send back a new file to install on the site. I can not figure
out how to do this with MS's Certificate Authority. I have never
seen the process from a Verisign stand point and this is where I
am stuck. I have read numerous articles on how to do this and
they all seem to tell me how to install Certificate Services and
stop there.
Thanks,
SS Want to unsub? Do that
here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english
Want
to unsub? Do that
here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english
Want
to unsub? Do that
here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english
Want
to unsub? Do that
here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english
Want
to unsub? Do that
here:
http://lyris.sunbelt-software.com/scripts/lyris.pl?enter=ntsysadmin&text_mode=0&lang=english
Want
to unsub? Do that
here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try
this one first:
http://www.ultratech-llc.com/KB/
Want to
unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a
good FAQ? Try this one
first:
http://www.ultratech-llc.com/KB/
Want to unsub? Do
that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ?
Try this one
first:
http://www.ultratech-llc.com/KB/
Want to unsub? Do that here:
http://www.w2knews.com/rd/rd.cfm?id=unsub
Need a good FAQ? Try this one first:
http://www.ultratech-llc.com/KB/
|
