Hi Ken, I replied that the SSL Diagnostic showed that the verisign Certs had no private key, as did the internal corp CA issued one. and that I believed this was because we were breaking the CCR request due to trying to keep the site running by generating the CCR and the reapplying the old cert.
Next step is to arrange a time with corporate to take the cert off, generate CCR and leave the site down until I can get the new cert and finish the request process. Graeme On Saturday, 30 June 2012, Ken Schaefer wrote: > “We tried the SSL Diagnositcs (sic)”**** > > ** ** > > And the result was?**** > > ** ** > > when you use IIS to generate a CCR, if you cancel the request on the IIS > server after the CCR has been sent to the registrar so you can install a > certificate just to get the site back working, does that invalidate the CCR > generated certs?**** > > ** ** > > If you do this, you lose the matching private key – your newly received > certificate will not work**** > > ** ** > > FYI the internal CA ones cant validate the DNS domain that the site is > accessed on.**** > > ** ** > > This doesn’t even make sense. Can you think of a different way of > explaining this? Or posting the actual configuration you are using and > error(s) that you are seeing?**** > > ** ** > > As requested before, did you look in the Windows Event Logs and the > httperr.log files?**** > > ** ** > > Cheers**** > > Ken**** > > ** ** > > ** ** > > *From:* Graeme Carstairs [mailto:[email protected] <javascript:_e({}, > 'cvml', '[email protected]');>] > *Sent:* Saturday, 30 June 2012 5:28 AM > *To:* NT System Admin Issues > *Subject:* Re: Weird SSL issues on existing IIS6 WSS 3 site**** > > ** ** > > Hi We tried the SSL Diagnositcs.**** > > ** ** > > The Verisign ones have no private key, so I have passed back to corporate > to resolve this issue, along with a new CCR**** > > ** ** > > I ahve a question **** > > ** ** > > when you use IIS to generate a CCR, if you cancel the request on the IIS > server after the CCR has been sent to the registrar so you can install a > certificate just to get the site back working, does that invalidate the CCR > generated certs?**** > > ** ** > > FYI the internal CA ones cant validate the DNS domain that the site is > accessed on.**** > > ** ** > > Thanks guys **** > > ** ** > > hopefully the Cert guy at corporate can resolve this.**** > > ** ** > > graeme**** > > ** ** > > ** ** > > ** ** > > On 29 June 2012 15:07, Brian Hintz <[email protected] <javascript:_e({}, > 'cvml', '[email protected]');>> wrote:**** > > Check out the SSL Diagnostics tools from MS:**** > > 32-bit – > http://www.microsoft.com/download/en/details.aspx?id=674<http://www.microsoft.com/download/en/details.aspx?id=674> > 64bit – > http://www.microsoft.com/download/en/confirmation.aspx?id=5329<http://www.microsoft.com/download/en/confirmation.aspx?id=5329> > **** > > ** ** > > On Fri, Jun 29, 2012 at 5:44 AM, Graeme Carstairs > <[email protected]<javascript:_e({}, 'cvml', '[email protected]');>> > wrote:**** > > Hi There,**** > > ** ** > > One of our customers had a public facing WSS 3 site secured witha go daddy > SSL.**** > > ** ** > > they were bought over by another company and since then the wSS has no > longer been public facing but is still entirely SSL.**** > > ** ** > > The SSL has been expired for 2 months now as we are going through parent > company process of getting a new SSL issued.**** > > ** ** > > They initially issued us with on of the Enterprise CA, then a $150 > verisign one and we have noe been issues a $600 verisign one.**** > > ** ** > > The problem is**** > > ** ** > > Import the certificate VIA Cerificates MMC, it checks out and can be > viewed as a valid cert. and assign to the website in ISS.**** > > ** ** > > ** ** > > Immediately the site stops working,**** > > ** ** > > IE shows a Could not display the page rror (no muber) Chrome gives a 107 > SSL protocol Error.**** > > ** ** > > Using fiddler to monitor the traffic flow, and its a 107 error it shows as > the only response.**** > > ** ** > > Replace the new cert with the old expired one and straight away the sites > working (with cert expired error) but still working.**** > > ** ** > > Any one got any suggestions as to what may be casuing this.**** > > ** ** > > Thanks**** > > ** ** > > graeme**** > > ** ** > > > **** > > ** ** > > -- > Good news everyone, you have just received an e-mail from me!**** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected]<javascript:_e({}, > 'cvml', '[email protected]');> > with the body: unsubscribe ntsysadmin**** > > ** ** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected]<javascript:_e({}, > 'cvml', '[email protected]');> > with the body: unsubscribe ntsysadmin**** > > > > **** > > ** ** > > -- > Good news everyone, you have just received an e-mail from me!**** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected]<javascript:_e({}, > 'cvml', '[email protected]');> > with the body: unsubscribe ntsysadmin**** > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected]<javascript:_e({}, > 'cvml', '[email protected]');> > with the body: unsubscribe ntsysadmin > -- Good news everyone, you have just received an e-mail from me! ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
