EldoS | Feel safer!

Software components for data protection, secure storage and transfer

TElX509Certificate as IIS SSL certificate

#3531
Posted: 08/10/2007 11:04:19
by Josh Edler (Basic support level)
Joined: 08/10/2007
Posts: 6

I am trying to use SecureBlackBox to generate a certificate that can be used by IIS for SSL connections. I'm using .NET 2.0/3.0. I downloaded the evaluation version yesterday (setup exe date/time is 5/13/2007 11:42pm).

I have the following code:
Code
TName issuer = new TName();
issuer.CommonName = "MyTest";

TName subject = new TName();
subject.CommonName = Dns.GetHostName();   // local host name (no domain suffix)

TElX509Certificate x509 = new TElX509Certificate();

x509.SetIssuer(issuer);
x509.SetSubject(subject);

// Validity window
x509.ValidFrom = DateTime.UtcNow.AddDays(-1d);
x509.ValidTo = new DateTime(2039, 12, 31, 23, 59, 59, DateTimeKind.Utc);

x509.CAAvailable = false;

// 1024-bit RSA key (key size is passed in 32-bit dwords), MD5-with-RSA signature
int algorithm = SBUtils.__Global.SB_CERT_ALGORITHM_MD5_RSA_ENCRYPTION;
int dwords = 1024 / 32;

x509.Generate(algorithm, dwords);

// Import into the local machine's MY store through the RSA Schannel CSP;
// the second argument copies the private key along with the certificate
TElWinCertStorage storage = new TElWinCertStorage();
storage.AccessType = TSBStorageAccessType.atLocalMachine;
storage.Provider = TSBStorageProviderType.ptRSASchannel;
storage.SystemStores.Add("My");
storage.Add(x509, true);


A key is successfully created, and I can see it in the certificate store. I can add it to my default website using the IIS Manager control panel applet. However, it doesn't seem to be recognized properly. When I browse to my website using https, I get the standard "Internet Explorer cannot display the webpage" error message.

I can create a key using makecert:
C:\>makecert -r -n CN="MyHostName" -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12

If I add this key to the IIS Manager applet, I can successfully browse my PC using https.

What am I missing?
#3534
Posted: 08/12/2007 02:00:57
by Eugene Mayevski (EldoS Corp.)

Did you try to compare the exact contents of the two certificates?
The certificate must have KeyUsage extension set properly, and probably some other extensions must be set as well.


Sincerely yours
Eugene Mayevski
#3535
Posted: 08/13/2007 12:17:35
by Josh Edler (Basic support level)
Joined: 08/10/2007
Posts: 6

Quote

Did you try to compare the exact contents of the two certificates?
The certificate must have KeyUsage extension set properly, and probably some other extensions must be set as well.


I did compare them as best I could, using certmgr and the debugger, and can see that the makecert key has one extension. Unfortunately, this process is painful mostly because I'm not sure what should be in the extension. I was hoping someone had a bit of insight as to the steps needed to properly create it.
#3536
Posted: 08/13/2007 12:49:31
by Eugene Mayevski (EldoS Corp.)

If you can create two test certificates, please post them here (only public part, of course) and we will do the comparison. The idea is that we check *your* certificates and see what's wrong (if anything) in your conditions.


Sincerely yours
Eugene Mayevski
#3543
Posted: 08/14/2007 14:34:37
by Josh Edler (Basic support level)
Joined: 08/10/2007
Posts: 6

I've attached the DER encoded exports of the two keys. Thanx in advance for any help!


#3553
Posted: 08/15/2007 14:29:32
by Eugene Mayevski (EldoS Corp.)

Let's compare the differences.

1) Common names are different. The common name for the bad cert is CEDLERJOPC2 and not the host name.
2) Authority Key Identifier. This is a binary parameter that most likely doesn't matter.

So I think the problem is in the common name. Obviously, Dns.GetHostName() doesn't produce a fully qualified name. This is the thing I thought of first of all when looking at your code.


Sincerely yours
Eugene Mayevski
#3569
Posted: 08/16/2007 08:06:12
by Josh Edler (Basic support level)
Joined: 08/10/2007
Posts: 6

I didn't change the common name because I found it hard to believe that the difference between a hostname and a fully qualified hostname was the problem. It was also easier to differentiate the good key from the bad.

I changed my test app and found that it still doesn't work. I've exported the new bad key and attached it.


#3572
Posted: 08/16/2007 09:27:38
by Eugene Mayevski (EldoS Corp.)

Quote
Josh Edler wrote:
I didn't change the common name because I found it hard to believe that the difference between a hostname and a fully qualified hostname was the problem.


You see, if the host name is not specified correctly, then either the server or later the client will reject the certificate.

As for the main problem ... can it be that the certificate just can't be read / parsed correctly by the server? One would have to check this with IIS itself. What version of IIS and what version of OS are you trying with?


Sincerely yours
Eugene Mayevski
#3574
Posted: 08/16/2007 14:03:19
by Josh Edler (Basic support level)
Joined: 08/10/2007
Posts: 6

I have WinXP SP2. I believe that would make the version of IIS 5.1.
#3588
Posted: 08/17/2007 06:27:17
by Ken Ivanov (EldoS Corp.)

Please replace the following line:

storage.Add(x509, true);

with

storage.Add(x509, "MY", true, false, false);

IIS cannot use certificates imported with the Protected option enabled. The Add(Certificate, CopyPrivateKey) method enables the Protected option when the certificate is imported, so IIS won't understand certificates imported in such a way.

BTW, the following code is incorrect:
Code
TName issuer = new TName();
issuer.CommonName = "MyTest";
TName subject = new TName();
subject.CommonName = Dns.GetHostName();
...
x509.CAAvailable = false;
...

Self-signed certificates MUST contain the same values for Issuer and Subject. If these values differ, the certificate will be considered invalid.
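To make Eugene's "compare the exact contents of the two certificates" step and Ken's import advice repeatable, here is an added C# diagnostic (not EldoS or SecureBlackBox code) that reads a certificate back from LocalMachine\My with the standard .NET X509Certificate2 API and reports the properties this thread identifies: issuer equal to subject, CN equal to the host FQDN, a KeyUsage extension, a Schannel CSP key of the exchange type, and the key container's Protected flag. It goes one step beyond the thread by also flagging the MD5 signature algorithm the sample code selects; the CN passed on the command line is an assumed convention.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
// Audits one certificate in LocalMachine\My against the requirements raised in this
// thread. Run it elevated so the machine key container can be opened.
static class IisCertCheck
{
    static bool Report(string label, bool ok, string detail)
    { Console.WriteLine((ok ? "[ok]   " : "[FAIL] ") + label + ": " + detail); return ok; }

    // Returns true only if every check passes; each output line is one check.
    public static bool Check(X509Certificate2 cert)
    {
        bool all = true;
        string cn = cert.GetNameInfo(X509NameType.SimpleName, false);
        string fqdn = Dns.GetHostEntry(Dns.GetHostName()).HostName;
        // Self-signed: Issuer and Subject must be identical.
        all &= Report("issuer == subject", cert.Subject == cert.Issuer, cert.Subject + " / " + cert.Issuer);
        // The CN must be the fully qualified name clients type into the URL.
        all &= Report("CN is host FQDN", string.Equals(cn, fqdn, StringComparison.OrdinalIgnoreCase), cn);
        // An MD5 signature (SB_CERT_ALGORITHM_MD5_RSA_ENCRYPTION in the post) is rejected by modern clients.
        all &= Report("signature not MD5", cert.SignatureAlgorithm.FriendlyName.IndexOf("md5", StringComparison.OrdinalIgnoreCase) < 0, cert.SignatureAlgorithm.FriendlyName);
        // KeyUsage: TLS with RSA key exchange needs keyEncipherment.
        X509KeyUsageFlags usage = X509KeyUsageFlags.None;
        foreach (X509Extension ext in cert.Extensions)
            if (ext is X509KeyUsageExtension) usage = ((X509KeyUsageExtension)ext).KeyUsages;
        all &= Report("KeyUsage keyEncipherment", (usage & X509KeyUsageFlags.KeyEncipherment) != 0, usage.ToString());
        all &= Report("private key present", cert.HasPrivateKey, cert.Thumbprint);
        RSACryptoServiceProvider rsa = cert.HasPrivateKey ? cert.PrivateKey as RSACryptoServiceProvider : null;
        if (rsa != null)
        {
            CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
            all &= Report("Schannel CSP", info.ProviderName.Contains("SChannel"), info.ProviderName);
            // makecert -sky exchange makes an AT_KEYEXCHANGE key; a signature-only key cannot do RSA key exchange.
            all &= Report("key spec exchange", info.KeyNumber == KeyNumber.Exchange, info.KeyNumber.ToString());
            // A UI-protected key (what storage.Add(x509, true) imports) cannot be opened by the IIS service.
            all &= Report("key not UI-protected", !info.Protected, info.Protected.ToString());
        }
        return all;
    }

    static void Main(string[] args)
    {
        string wantedCn = args.Length > 0 ? args[0] : Dns.GetHostName();  // CN of the certificate under test
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        foreach (X509Certificate2 cert in store.Certificates.Find(X509FindType.FindBySubjectName, wantedCn, false))
            Check(cert);
        store.Close();
    }
}
```

Running it against the makecert certificate and the SecureBlackBox one side by side shows which of the listed properties differ, which is the comparison the thread does by hand.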