Answers:
-------------------------------------------------------------------------------------------------------
Do I need to install all the certificates that I received?

Yes. If you do not install all of the certificates you received, visitors will get "not trusted" messages when they go to the secure area of your web site.
-------------------------------------------------------------------------------------------------------
I have accidentally deleted my "pending request" or "private key"

First check your backups and see if you can re-install the "pending request" or "private key". If you don't know how to re-install the key from your backups, contact your systems administrator. Failing that, contact your server software vendor for technical support. The only alternative is to have the certificate re-issued after you re-submit a replacement CSR.
-------------------------------------------------------------------------------------------------------
I am being told that my Certificate/Key is invalid

There may not be a corresponding ‘private key’ or ‘pending request’, or the key that is found is not the one that matches the certificates.
-------------------------------------------------------------------------------------------------------
Do I need to use IP based hosting or Name based hosting?

Name based hosting is rarely used in production environments. IP based hosting should be used due to the way that the SSL protocol works.
-------------------------------------------------------------------------------------------------------
I get ‘The Page Cannot Be Displayed’ when going to the HTTPS page

Is the SSL port open? This is usually port 443.
Is the firewall set to allow the SSL port through?
Has the server been rebooted?
Make sure ‘Use SSL 3.0’ is ticked in the web browser options.
-------------------------------------------------------------------------------------------------------
I get the message "There are secure and non-secure items on the page? Would you like to proceed?"

The message means that the page contains embedded objects or HTML tags that are not being loaded securely. For example, a page that is loaded securely (HTTPS) contains an image tag in its source code such as IMG SRC=http://www.yyy.com/image.gif. In this case the image is being called with an absolute URL using the non-secure (HTTP) protocol.
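One way to find the items that trigger this message, as an added Python example that is not part of the original page: it parses a page's HTML and reports every embedded item that resolves to an http:// URL when the page itself is served over HTTPS. The names FETCHED, InsecureItemFinder and find_insecure_items and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose URL the browser fetches while rendering the page.
# Plain <a href> links are navigation, not embedded items, so they are absent.
FETCHED = {
    "img": ["src"], "script": ["src"], "iframe": ["src"], "frame": ["src"],
    "embed": ["src"], "object": ["data"], "input": ["src"],
    "body": ["background"], "link": ["href"],
}

class InsecureItemFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.findings = []          # (line, tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how every later relative URL resolves.
            self.base = urljoin(self.base, attrs["href"])
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return                  # only stylesheet links are fetched as content
        for name in FETCHED.get(tag, []):
            value = attrs.get(name)
            if not value:
                continue
            resolved = urljoin(self.base, value.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((self.getpos()[0], tag, name, resolved))

def find_insecure_items(page_url, html):
    finder = InsecureItemFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; www.yyy.com is the host used in the answer above.
SAMPLE = """<html><body>
<IMG SRC=http://www.yyy.com/image.gif>
<img src="/images/logo.gif">
<script src="//www.yyy.com/menu.js"></script>
<a href="http://www.yyy.com/">home</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_insecure_items("https://www.yyy.com/secure/", SAMPLE):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Relative and protocol-relative references inherit HTTPS from the page, so only the absolute http:// image on line 2 of the sample is reported.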
-------------------------------------------------------------------------------------------------------
Can I change the IP address?

The certificate is not bound to any specific IP address. It is bound to the fully qualified domain name, such as www.austdomains.com.
-------------------------------------------------------------------------------------------------------
When I access my secure site, a certificate for another site is displayed

This problem occurs if you assign the same IP address to each host in your config file. SSL does not support name based virtual hosting (host headers are encrypted in SSL), so only the first certificate listed in your config file will be sent.
-------------------------------------------------------------------------------------------------------
Browsers are saying that something is not trusted

The Root Certificates and/or Intermediate Certificates may not be installed correctly. This can be checked by clicking on ‘View Certificates’ when you get the error message and seeing if all three certificates are visible.

It may also be that the certificate being used is not for the Fully Qualified Domain Name. Check again using ‘View Certificates’ to see if the domain name on the certificate matches the domain name in the URL that you are going to.

Check your ‘Internet Options’ and make sure that ‘Use SSL 3.0’ is ticked in the ‘Advanced’ section.
-------------------------------------------------------------------------------------------------------
Error: "Schannel error = 80090304.Invalid Password"

There are quite a few possible causes for this error. Please check each of the following:

This error message can occur if you are specifying 2 text files and not a text file and a key file. Usually the CSR and certificate are imported, causing this problem. The CSR and certificate are both public key files. You must use the backup of your private key (.key). When installing a certificate in IIS you need two files: a private key file, which is in a .key file format, and a certificate file, which is in a .txt (text) format.

This error message can occur due to a bug in the schannel.dll file, which your server uses to store the key passphrase. You can download a corrected schannel.dll file for NT. Replace the schannel.dll on your IIS 3 server with this one. The fix is also included in the Service Pack.

This error can occur if you generated your private key using ApacheSSL and have transferred it over to an IIS machine; you must convert the key to a format IIS will understand before you can import it. You will get this error if you try to import a key that Key Manager does not understand. Follow the instructions below to convert a private key from Apache to IIS:

Locate the ssleay/openssl binary. It should be on your path. The following commands assume that you can type "ssleay" or "openssl" directly. You may have to prefix the command with the path to the binary, or move the binary into your path, or update your path to include the directory containing the ssleay/openssl binary.
Locate the key. Find the correct key, for example a file called www.sitekeyfile.com.key.
Convert the key to NET format. The following command is used to create a copy of the key in "NET" format. You will have to give a passphrase to read the key if you are creating encrypted keys. You will then have to give a new passphrase to protect the new NET format key. The following command (use ssleay in place of openssl if that is the binary you have) should produce a new key file in NET format:

    openssl rsa -in www.sitekeyfile.com.key -out www.site.com.iiskey -outform NET

Copy the key and the certificate to a floppy disk.
Start Key Manager and import the key. Open Key Manager and select the Key menu item. Select Import, and choose to import from a keyset file. When prompted for filenames, give the filename of the key and the filename of the certificate on your floppy. Click OK. You will be prompted for a passphrase; this is the one for the NET format.
Back up your private key immediately to a Microsoft Key Backup file. Make a note of the passphrase you used to protect the backup and store the backup in a safe place. You should now have the key visible in your Key Manager, and you should be able to configure SSL on the IIS server.

This error message can also occur if you are trying to install the certificate on the wrong key. Check any other keys you have in Key Manager, to see if the certificate installs. Your private key file can be found in Key Manager, under the www service, represented graphically by a Key Icon.

This error message occurs if you are using the incorrect password for the private key. The password is case sensitive.
-------------------------------------------------------------------------------------------------------
Error: "CAPI2 error = 80093005. Invalid Certificate"

There are a number of possible causes for this error:

Make sure the certificate is in the correct format. Check that the certificate starts with:
-----BEGIN CERTIFICATE-----
and also ends with
-----END CERTIFICATE-----
with no leading or trailing spaces before and after the Begin and End lines.

When selecting "Install a Key Certificate", make sure that you are specifying the correct path and filename to the certificate file.

This error may also be caused by a bug in the Service Pack. Follow these instructions to install the fix:
Download the Microsoft fix from the following URL:
http://support.microsoft.com/default.aspx?scid=KB;en-us;q194889
-------------------------------------------------------------------------------------------------------
Error: "The certificate is invalid. Please double-check that you have chosen the correct file. CAPI2 error = 80093009"

Make sure the certificate is in the correct format. Check that the certificate starts with:
-----BEGIN CERTIFICATE-----
and ends with
-----END CERTIFICATE-----
with no leading or trailing spaces before and after the begin and end lines.
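The format check described in the two CAPI2 answers above (80093005 and 80093009), as an added Python example that is not part of the original page: it reports stray spaces or blank lines around the BEGIN and END lines, a label other than CERTIFICATE, and a body that is not base64-encoded DER. The function names are assumptions, and the sample is built from constructed placeholder bytes, not a real certificate.

```python
import base64
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")

def check_certificate_text(text):
    """Return a list of format problems; an empty list means none were found."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("byte-order mark before the BEGIN line")
        text = text[1:]
    lines = text.splitlines()
    trimmed = [l for l in lines if l.strip()]
    if trimmed != lines:
        problems.append("blank lines in the file")
    if len(trimmed) < 3:
        return problems + ["no BEGIN line, body and END line found"]
    first, last = trimmed[0], trimmed[-1]
    if first != first.strip() or last != last.strip():
        problems.append("spaces before or after the BEGIN or END line")
    begin = BEGIN_RE.match(first.strip())
    if not begin:
        return problems + ["first line is not a -----BEGIN ...----- line"]
    label = begin.group(1)
    if label != "CERTIFICATE":
        problems.append(f"file holds a {label}, not a CERTIFICATE")
    if last.strip() != f"-----END {label}-----":
        problems.append("last line is not the matching -----END ...----- line")
    # The body must be base64 that decodes to a DER SEQUENCE (first byte 0x30).
    try:
        der = base64.b64decode("".join(l.strip() for l in trimmed[1:-1]), validate=True)
    except ValueError:
        problems.append("body is not valid base64")
    else:
        if not der.startswith(b"\x30"):
            problems.append("decoded body does not start with a DER SEQUENCE (0x30)")
    return problems

def make_pem(label, der):
    """Wrap DER bytes in BEGIN/END lines (used here to build sample input)."""
    body = base64.encodebytes(der).decode("ascii")   # ends with a newline
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed placeholder: a SEQUENCE header and zero bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x00\x10" + bytes(16)

if __name__ == "__main__":
    good = make_pem("CERTIFICATE", SAMPLE_DER)
    for name, text in [("clean", good), ("indented", "  " + good)]:
        print(name, check_certificate_text(text) or "OK")
```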
-------------------------------------------------------------------------------------------------------
Error: "Cannot install the certificate because it does not match the certificate requested."

There are three possible causes for this error. Please check each of the following:

To install SSL you need to attach a Private key to a Public Key (Certificate file). Check that you are using the correct files by doing the following:
Open the file you are using, and check that it is not your certificate request file, which would contain a -----BEGIN CERTIFICATE----- line.
You should be attaching a private key file to the certificate. This file is in a .key format (hexadecimal (binary) format) and not a text format.

This error will also occur if you are not attaching the certificate to the correct private key file.

This error will also occur if you have just recently renewed the Certificate and are trying to install the old Certificate on the new Key. The Renewed Certificate can take up to 3 days to be issued.
-------------------------------------------------------------------------------------------------------
Error: 'This page must be viewed over a secure channel'

Microsoft IIS is configured to require a secure channel. Un-check the box that says 'Require Secure Channel'.
-------------------------------------------------------------------------------------------------------
I get an intermittent server not found message when trying to access my site.

If the web server is set to check the Certificate Revocation List and the server is down, this can cause a time-out of the operation. This will not be the certificates, but something related to the browser timing out on the operation.
-------------------------------------------------------------------------------------------------------
How do I back up my private key file in IIS4?

Go into Key Manager within IIS4.
Save the private key using the method: Key, Export Key, Backup File.
The default format is a .key file.
Store the exported key in a secure location, such as a disk. It is important to make a copy of the private key that does not reside on the actual server, in case of a server crash.
If you forget the private key password you won't be able to restore the private key.
-------------------------------------------------------------------------------------------------------
Can I import my ApacheSSL based key into MSIIS?

You need to convert the private key to NET format, as follows:

    openssl rsa -in server.key -out serverkey.net -outform NET
-------------------------------------------------------------------------------------------------------
How to move a certificate from IIS 4.0 to Apache?

Export a backup file of the Certificate from the Key Manager.
From the Key menu in Key Manager, choose Export Key and then Backup File.
After reading the warning about downloading sensitive information to your hard disk, click OK.
Type the key name in the File Name box, and click Save. The file is given a *.key file-name extension and is saved to a 3 1/2" disk on the a: drive or your hard disk drive.
Store the back-up file on the hard drive AND off the server.
Find this string in the binary file: "private-key".
Trace back until you find this Hex value: "30 82".
Write from that position to a new file (tmp.bin).
With OpenSSL:

    ssleay rsa -inform NET -in tmp.bin -out key.pem

Type in your password.
The file that is created is the private key. You will use this key to install the certificate into Apache.
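The "find the string, trace back to 30 82, write from there" steps above, as an added Python example that is not part of the original page: it carves tmp.bin out of a Key Manager backup, checks that the length stored after 30 82 fits inside the file, and creates the output readable by its owner only because it holds key material. The function names and the sample backup are assumptions; the sample is constructed filler bytes, not a real key.

```python
import os

MARKER = b"private-key"
SEQ_LONG = b"\x30\x82"  # DER SEQUENCE tag, then a two-byte big-endian length

def carve_net_key(backup):
    """Return the bytes from the "30 82" preceding "private-key" to the end."""
    marker_at = backup.find(MARKER)
    if marker_at < 0:
        raise ValueError('"private-key" not found: not a Key Manager backup?')
    start = backup.rfind(SEQ_LONG, 0, marker_at)   # trace back from the string
    if start < 0:
        raise ValueError('no "30 82" before the "private-key" string')
    # Sanity check: the length stored after 30 82 must fit in what is left of
    # the file, otherwise the backup is truncated or the wrong 30 82 was hit.
    declared = int.from_bytes(backup[start + 2:start + 4], "big")
    if start + 4 + declared > len(backup):
        raise ValueError("structure is longer than the file: backup truncated?")
    return backup[start:]

def write_key_file(path, data):
    """Create the output file readable by its owner only; never overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(data)

def make_sample_backup():
    """Constructed stand-in for a .key backup: header, structure, trailer."""
    inner = b"\x04\x0b" + MARKER + bytes(300)      # zero bytes, not a real key
    structure = SEQ_LONG + len(inner).to_bytes(2, "big") + inner
    return b"KEYMGR-HEADER\x00\x00" + structure + b"TRAILER"

if __name__ == "__main__":
    carved = carve_net_key(make_sample_backup())
    write_key_file("tmp.bin", carved)
    print(f"wrote {len(carved)} bytes to tmp.bin")
```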
-------------------------------------------------------------------------------------------------------
How do I move my certificate/key pair from IIS 4 to IIS 5?

First, export the certificate from IIS 4/Windows NT.
From the Key menu in Key Manager, choose Export Key and then Backup File.
After reading the warning about downloading sensitive information to your hard disk, click OK.
Type the key name in the File Name box, and click Save. The file is given a *.key file-name extension and is saved to a 3 1/2" disk on the a: drive or your hard disk drive.
You can then import it into the new server.

Second, install the backup file to Microsoft IIS 5.
Open Internet Services Manager, or the MMC containing the Internet Information Services snap-in.
Expand Internet Information Services and browse to the Web site you need to import the key to.
Right-click on the site and then click Properties.
Click the Directory Security tab.
Under the Secure Communications section, click Server Certificate.
Note: If the site already has a certificate assigned, remove the assigned certificate.
On the Web Site Certificate Wizard, click Next.
Select "Import a certificate from a Key Manager backup file". Click Next.
Browse to the Key Manager backup file. The backup file must have a .key extension.
Type in the password that was entered when the key was created using IIS 4/Windows NT.
The backup is now successfully installed.
-------------------------------------------------------------------------------------------------------
Error: "Improperly formatted DER message"

Netscape implemented the standards that existed at the time Navigator 4.0 was released, and it will crash when it sees an unknown data type.
Do not include any Unicode characters in the CSR file submitted to us.
Unicode characters include:
! @ # $ % ^ * ( ) ~ ? > < & / \ : ; .

Port 443 must be enabled in two places in IIS4:
The first place that it must be enabled is in Key Manager. Right-click the key in Key Manager, choose Properties and put 443 as the SSL Port.
The second place to enable Port 443 is in IIS Directory Properties. Right-click the domain that is being secured, go into Properties, Directory Security and enable port 443 as the SSL Port.