Diagnosing SSL Problems and Importing Apache SSL Keys into IIS

Originally published November 16, 2005


While attempting to figure out the "right" way to take Apache SSL keys and convert them for use in IIS, I learned more than I ever wanted to know about SSL certificates.
Here is the benefit of that process for you as well as some great debugging tools.
First, you need openssl installed on your desktop. I got it here (a precompiled binary distribution):
Find a list of available distributions here:
Second, you need a command that takes the key/crt files and converts them to pkcs12 (which is the basis for the PFX format that Windows uses). Here is an example:

C:\OpenSSL\bin>openssl pkcs12 -export -out alta.p12 -inkey "y:\sslcerts\2005-alta-key.txt" -in "y:\sslcerts\2005-alta.txt"

The "-export" is very important. Windows will not use an SSL key that has not been marked exportable. If you get the certificate as attachments from an Apache installation, the private key will have a ".key" extension and the certificate itself will have a ".crt" extension. You must have both a certificate and a private key. (You can do a similar thing if you are provided the combined key and cert in DER or PEM/X.509 format -- it's covered in the openssl help file if you need that information.)
Third, you need to import the key into the Windows certificate store:
    a) Start -> Run -> mmc
    b) File -> Add/Remove Snap-In...
    c) Click "Add" on the "Add/Remove Snap-In" dialog
    d) Double-click "Certificates" on the "Add Standalone Snap-In" dialog
    e) Select "Computer Account" and then click "Next"
    f) Select "Local Computer" and then click "Finish"
    g) Click "Close" on the "Add Standalone Snap-In" dialog
    h) Click "OK" on the "Add/Remove Snap-In" dialog
    i) Expand "Certificates (Local Computer)" in the main MMC window
    j) Expand "Personal" and then select "Certificates" beneath the "Personal" node
    k) Right-click on the selected "Certificates" node and then select All Tasks -> Import
    l) Click "Next" on the Certificate Import Wizard
    m) Browse to locate the file created by openssl ("alta.p12" in the above example) and then click "Next"
    n) Enter a password for the certificate and check the box for "Mark this key as exportable" and then click "Next"
    o) Verify that "Place all certificates in the following store" and "Personal" are selected and then click "Next"
    p) Click "Finish"
    q) Close the MMC
Fourth, you need to assign the certificate to a website.
    Note: you typically need to have selected a new IP address and assigned it to the webserver prior to this step
    a) Start -> Administrative Tools -> IIS Manager
    b) Expand "<server-name> (local computer)" and then expand "Web Sites"
    c) Right-click on the relevant website and select "Properties"
    d) Click on the "Directory Security" tab
    e) Click the "Server Certificate" button
    f) Click "Next" on the Web Server Certificate button
    g) Select "Assign an Existing Certificate" and then click "Next"
    h) Select the certificate you loaded in the prior step and then click "Next"
    i) Click "Next" (443 should be pre-filled, and you do not want to change this value)
    j) Verify the information on the "Certificate Summary" window and then click "Next"
    k) Click "Finish"
    l) Close IIS Manager
Now, you should be done. Note, however:
1) A mismatched private key and certificate will still allow you to generate the pkcs12 file. However, once you've loaded the certificate into Windows, and view the certificate, you will receive one of two indications that a problem exists:
    a) It will say "a mismatch exists between the certificate and private key in this certificate", or
    b) It will not say anything, where it should say: "You have a private key that corresponds to this certificate"
2) It is possible to get Windows to generate pretty decent debugging information, but it takes a reboot. See KB 260729:
The value you want to use for the EventLogging registry value is 7 to get maximum information. After you are done, you really want to set it back to 1, as it slows down SSL processing significantly to do this logging. And this does work for Windows Server 2003, even thought that isn't mentioned.
3) A pretty easy way to check whether a cert has been loaded properly and generated properly is to get "checkcert" from Steve Johnson's blog:
4) Microsoft has a diagnostics tool named SSL Diag that generates a temporary self-signed certificate to help see if the certificate is the problem, or if it is something else. It also has a fair bit of just "interesting" information.
Enjoy your SSL debugging!
Published Tuesday, November 13, 2007 8:19 PM by michael
Filed under: ,


No Comments