[thelist] Setting up https:// on IIS 5 tutorial

Ken Schaefer ken.schaefer at gmail.com
Thu Aug 12 20:16:52 CDT 2004


On Thu, 12 Aug 2004 08:48:50 -0500, Rob Smith <rob.smith at thermon.com> wrote:
> > >http://support.microsoft.com/?id=299525
> > >How To Set Up SSL Using IIS 5.0 and Certificate Server 2.0
> >
> > Thanks. This was the source of one of my problems actually. When I received
> > the real certificates from VeriSign and stopped using my home grown, the
> > Certificate Services service threw errors
> 
> Huh? You install the certificate into IIS, or into the server's
> certificate store (depending on what type of cert it is). What does
> Certificate Services have to do with this process? Perhaps you can
> give us more information about the actual problem you are facing. What
> you describe doesn't really make a lot of sense to me :-)
> </previous snip>
> 
> When I used and installed Certificate Services on my 2k Server, I had
> created two certificates. I installed them as being my own certificate
> authority as a test for https sites. When I received the real certs from
> VeriSign I didn't need my home grown certs anymore. And deleted them.
> Certificate Services still thought it had issued certificates but when it
> didn't find them, it threw errors and stopped the Certificate Services
> service.

From where I'm sitting, this isn't making any more sense.

The normal order of things:
a) you create a certificate request on the webserver (IIS provides a
wizard for doing this)
b) you submit cert request to CA server (in this case MS Certificate Services).
c) the CA issues the certificate
d) you install the issued certificate into the webserver (IIS provides
a wizard for doing this).

The CA has *no idea* whether the cert has been deployed or not, or
whether it's being used or not.

You say "I created two certificates. I installed them as being my own
certificate authority as a test for https sites" - the certificate authority (CA)
is the Certificate Services. It has its own root CA cert. You issue
server identification certificates to IIS for use with SSL. The
sentence above, as written, does not make a lot of sense.

To remove the certificate, you use the same wizard in IIS. Again, the
CA has *no idea* whether you've done this or not.

So, how does "deleting a certificate" (presumably on the webserver, so
you could install your Verisign certs) affect Certificate Services?
The only way I can think of is that you deleted something else,
somewhere else. But hey, if you don't want to share - you don't have
to. But if you're getting errors, and you want to know why and learn
something, then it helps to say:
a) this is what I did
b) these are the errors I'm getting

Setting up your own PKI is not always a trivial matter, and a good
understanding of PKI helps to make sure you're not doing something
dumb (since doing most types of things is usually irrevocable).

If you want useful help with issues, then you can do far worse than
say: "I'm not really sure what I'm doing. I did:
a) exact step 1
b) exact step 2
c) exact step 3
Now I am getting error:
a) this error

I tried doing:
a) exact step 4
and now I'm getting
a) this new error

What's going on? How do I fix the issue?"

> When I tried to find what was causing the ruckus, the only help files
> available on the net were on ISA. We don't do that here.

You couldn't find help on Certificate Services? There is this:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_CS_welcome.asp

(it's also in the online help on your server OS)

> Certificate Services service gets installed when you add the Certificate
> Services windows component.

Yes - I'm well aware of that. There's a whole chapter on securing Cert
Services in my IIS 6.0 book. I do know a bit about how certificate
services works, and about PKI in general, which is why I'm trying to
find out what your situation is, and perhaps provide some guidance
about where you can go from here.

However, as you say, you've "solved" the issue. 

Cheers
Ken
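The four-step flow Ken lists above (request on the webserver, submit to the CA, CA issues, install), as an added example that is not from this thread: the same steps reproduced with the openssl command line in place of the IIS wizard and Certificate Services, plus a check of Ken's point that removing the server's certificate does nothing to the CA. It assumes openssl is installed; the subject names and scratch directory are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: Ken's steps a) to d) done with the
# openssl CLI. Assumes openssl is on PATH; everything lives in a temp dir.
set -e
WORK=$(mktemp -d)

# Prerequisite for b)/c): the CA itself, i.e. the root CA cert that
# Certificate Services owns (constructed self-signed root, 1 year).
make_root_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step a): the webserver generates its own key and a certificate request.
# The private key never leaves the webserver; only the CSR goes to the CA.
make_server_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# Steps b) and c): the CSR is submitted to the CA, which signs and issues
# the server identification certificate (90 days).
issue_server_cert() {
    openssl x509 -req -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 90 -out "$WORK/server.crt" 2>/dev/null
}

# Step d) is the IIS install wizard; here we only do what a browser does
# afterwards: confirm the issued cert chains to the CA root. Returns 0 on success.
verify_server_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Ken's point: deleting the deployed server cert (and key) on the webserver
# leaves the CA untouched. The root cert still validates after the deletion.
ca_still_intact_after_delete() {
    rm -f "$WORK/server.crt" "$WORK/server.key"
    [ -f "$WORK/ca.key" ] && [ -f "$WORK/ca.crt" ] &&
        openssl verify -CAfile "$WORK/ca.crt" "$WORK/ca.crt" >/dev/null 2>&1
}
```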
