| |
| Answers: |
| ------------------------------------------------------------------------------------------------------- |
How to troubleshoot problems accessing secure Web pages
with Internet Explorer 6 Service Pack 2
|
|
After you upgrade to Microsoft Internet Explorer 6.0 Service
Pack 2 (SP2) in Microsoft Windows XP SP2, some SSL-secured
(128-Bit) Web pages and Web sites may not work correctly.
Frequently, this behaviour is caused by security changes in
Windows XP SP2. To determine why the pages do not display
correctly, use the following methods in the order that they
are presented.
http://support.microsoft.com/default.aspx?kbid=870700&product=windowsxpsp2
|
| ------------------------------------------------------------------------------------------------------- |
Do I need to install all the certificates
that I received? |
|
Yes. If you do not install all the received certificates, you
will receive 'not trusted' messages when you go to the secure
area of your web site.
|
| ------------------------------------------------------------------------------------------------------- |
I have accidentally deleted my "pending request" or
"private key" |
First check your backups and see if you can re-install the
"pending request" or "private key". If
you don't know how to re-install the key from your backups,
then contact your systems administrator. Failing that, contact
your server software vendor for technical support. The only
alternative course of action available is a re-issuance of
the certificate following the re-submitting of a replacement
CSR.
|
------------------------------------------------------------------------------------------------------- |
I am being told that my Certificate/Key is invalid |
There may be no corresponding 'private key' or 'pending
request', or the key that was found is not the one that matches
the certificates.
|
------------------------------------------------------------------------------------------------------- |
Do I need to use IP based hosting or Name based
hosting? |
Name based hosting is rarely used in production environments.
IP based hosting should be used due to the way that the SSL
protocol works.
|
| ------------------------------------------------------------------------------------------------------- |
I get 'The
Page Cannot Be Displayed' when going to the HTTPS page |
Is the SSL port open? This is usually port 443.
Is the firewall set to allow the SSL port through?
Has the server been rebooted?
Make sure 'Use SSL 3.0' is ticked in the web browser options.
|
| ------------------------------------------------------------------------------------------------------- |
I get the message
"There are secure and non-secure items on the page?
Would you like to proceed?" |
The error means that there are embedded objects or HTML tags
on the page that are not being called securely. For example,
a page that is loaded securely (HTTPS) and contains an image
tag within the source code such as IMG SRC=http://www.yyy.com/image.gif.
In this case the image is being called with an absolute URL
using the non-secure (HTTP) protocol.
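As an added illustration (not part of the original FAQ), the Python code below scans a page's HTML for embedded objects that would be fetched over HTTP when the page itself is loaded over HTTPS. The tag/attribute table, the function names and the sample page are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch an embedded object for the page.
# <a href> is navigation, not an embedded object, so it is deliberately absent.
FETCH_ATTRS = {
    "img": ["src"], "script": ["src"], "iframe": ["src"], "frame": ["src"],
    "embed": ["src"], "input": ["src"], "object": ["data"], "link": ["href"],
    "body": ["background"],
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line number, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag, [])
        for name, value in attrs:
            if name in wanted and value:
                # Resolve relative and scheme-relative URLs against the page URL.
                resolved = urljoin(self.page_url, value.strip())
                if urlsplit(resolved).scheme == "http":
                    line, _ = self.getpos()
                    self.findings.append((line, tag, resolved))

def find_mixed_content(page_url, html):
    """Return every embedded object the HTTPS page would load over plain HTTP."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; only the first <img> and the <link> are insecure.
SAMPLE_PAGE = """<html><body>
<img src=http://www.yyy.com/image.gif>
<img src="/images/logo.gif">
<script src="//cdn.example.test/app.js"></script>
<link rel="stylesheet" href="HTTP://www.yyy.com/site.css">
<a href="http://www.yyy.com/">plain link, not embedded</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content("https://www.yyy.com/checkout", SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url}")
```

Relative and scheme-relative references inherit HTTPS from the page, which is why only the two absolute http:// references are reported.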
|
| ------------------------------------------------------------------------------------------------------- |
Can I change the IP address? |
The certificate is not bound to any specific IP address. It
is bound to the fully qualified domain name such as www.austdomains.com.
|
| ------------------------------------------------------------------------------------------------------- |
When I access my secure site, a certificate for
another site is displayed |
This problem occurs if you assign the same IP address to each
host in your config file. SSL does not support name based
virtual hosting (host headers are encrypted in SSL), so only
the first certificate listed in your config file will be sent.
|
| ------------------------------------------------------------------------------------------------------- |
Browsers are saying that something is not trusted |
The Root Certificates and/or Intermediate Certificates may
not be installed correctly. This can be checked by clicking
on 'View Certificates' when you get the error message and
seeing if all three certificates are visible.
It may also be that the certificate being used is not for
the Fully Qualified Domain Name. Check again using 'View Certificates'
to see if the domain name on the certificate matches the domain
name in the URL that you are going to.
Check your 'Internet Options' and make sure that 'Use SSL 3.0'
is ticked in the 'Advanced' section.
|
| ------------------------------------------------------------------------------------------------------- |
Error: 'This page must be viewed over a secure channel' |
Microsoft IIS is configured to require a secure channel.
The following steps will allow non-secure (http) connections
to your site:
Within Microsoft Internet Information Server, right click
on your web site.
Under Secure Communications, click on Edit.
Un-check the box that says 'Require Secure Channel'
|
| ------------------------------------------------------------------------------------------------------- |
I get an intermittent server not found message when
trying to access my site. |
If the web server is set to check the
Certificate Revocation List and the server is down, this can
cause a time-out of the operation. The cause will not be the
certificates, but something related to the browser timing out
on the operation.
|
| ------------------------------------------------------------------------------------------------------- |
How do I back
up my private key in IIS 5? |
Start, run, type mmc
Go into the Console Tab, Add/Remove Snap in
Click on Add, Double Click on Certificates and Click on Add
> OK
Choose Computer Account
Choose Local Computer
Open up the Certificates Console Tree
Look for a folder labelled REQUEST, then select Certificates
Highlight the key that you wish to back up
Right click on the file and choose, All Tasks, Export
Follow the Certificate Export Wizard
Choose to mark the Private key as exportable
Leave default settings
Choose to save file on a set location.
Click Finish
You will get a message that the export was successful
Note: Once the Pending Request is completed, the Key is no
longer available
|
| ------------------------------------------------------------------------------------------------------- |
How
do I move the certificate and key from IIS5 to Apache? |
Start the certificates mmc for the web server and select 'All
Tasks', 'Export' against the site certificate. Do not choose
to export the CA certificates. Specify a password. Specify
a filename (e.g. mypkcs12.pfx). Copy the resulting .pfx file
to your Apache web server.
Then import the private key and cert file
into Apache using the following commands:
openssl pkcs12 -in mypkcs12.pfx -out pfxoutput.txt
You'll need to enter the password at least
once.
Load pfxoutput.txt into a text editor
and save each certificate as a separate file.
Also save the private key as a separate file (e.g. myencrypted.key).
The private key will probably be encrypted
at the moment. i.e. looking something like.....
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,.........
.........
-----END RSA PRIVATE KEY-----
If the version of Apache you are using doesn't
allow encrypted private keys, decrypt the private key
by running the following command:
openssl rsa -in myencrypted.key -out my.key
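The manual step above (opening pfxoutput.txt in a text editor and saving each certificate and the private key as separate files) can also be scripted. The Python code below is an added example, not part of the original FAQ: it splits the export into PEM blocks, skips the 'Bag Attributes' text between them, and writes the key file readable by its owner only. The function names, the certN.crt file names and the sample export are assumptions made for this example.

```python
import os
import re
import tempfile

# Matches one PEM block; text between blocks ("Bag Attributes" etc.) is skipped.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)

# Constructed stand-in for pfxoutput.txt; the base64 bodies are dummy text, not key material.
SAMPLE = """Bag Attributes
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

ZHVtbXkga2V5IGJvZHk=
-----END RSA PRIVATE KEY-----
Bag Attributes
subject=/CN=www.example.test
-----BEGIN CERTIFICATE-----
ZHVtbXkgY2VydCBib2R5
-----END CERTIFICATE-----
"""

def split_pem_bundle(text):
    """Return [(label, pem_text)] for each PEM block in the export."""
    return [(m.group(1), m.group(0).replace("\r\n", "\n") + "\n") for m in PEM_BLOCK.finditer(text)]

def key_is_encrypted(pem):  # traditional ("Proc-Type") or PKCS#8 ("ENCRYPTED PRIVATE KEY") form
    return "Proc-Type: 4,ENCRYPTED" in pem or "BEGIN ENCRYPTED PRIVATE KEY" in pem

def write_blocks(blocks, out_dir):
    """Save the key as myencrypted.key (owner-only) and certificates as certN.crt."""
    written, cert_no = [], 0
    for label, pem in blocks:
        is_key = label.endswith("PRIVATE KEY")
        if not is_key and label != "CERTIFICATE":
            continue
        cert_no += 0 if is_key else 1
        name = "myencrypted.key" if is_key else f"cert{cert_no}.crt"
        fd = os.open(os.path.join(out_dir, name),
                     os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600 if is_key else 0o644)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)
        written.append(name)
    return written

def demo():
    with tempfile.TemporaryDirectory() as d:
        names = write_blocks(split_pem_bundle(SAMPLE), d)
        return names, os.stat(os.path.join(d, "myencrypted.key")).st_mode & 0o077
```

The my.key file produced by the openssl rsa step is no longer passphrase-protected, so it needs the same owner-only permissions as the encrypted copy.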
|
| ------------------------------------------------------------------------------------------------------- |
How do I force SSL for specific pages? |
|
| ------------------------------------------------------------------------------------------------------- |
How do I export the key in IIS 5? |
|
| ------------------------------------------------------------------------------------------------------- |
How
do I import the server certificate in IIS 5? |
|
| ------------------------------------------------------------------------------------------------------- |
How do I create a renewal CSR in IIS 5? |
Create
a new web site in IIS, then go to the 'Properties', 'Directory
Security', 'Server Certificate' tab
Use the certificate wizard to create your new Key/CSR file
Backup the private key file by following the instructions:
Start, run, type mmc, select OK
Go into the Console Tab, Add/Remove Snap in
Click on Add, Double Click on Certificates and Click on Add,
click OK
Choose Computer Account, then Local Computer
Open up the Certificates Console Tree
Look for a folder called REQUEST, Certificates
Highlight the key that you wish to back up
Right click on the file and choose, All Tasks, Export
Follow the Certificate Export Wizard
Choose to mark the Private key as exportable
Leave default settings
Choose to save file on a set location.
It is important to take a copy of the private key and store
it off the server, in the event that the server crashes.
Click Finish
You will get a message that the export was successful
Save the resultant CSR file to your hard
drive indicating it is a renewal CSR
Use this CSR during the purchase process.
Once you receive the renewed certificate, install it using
the wizard you used to create it on the same NEW website
you created.
Once installed, go to the correct website you want the certificate
to run on.
Go to 'Properties', 'Directory Security', 'Server Certificate',
remove the certificate currently installed, and assign the
certificate you installed in the previous step
Restart the WWW service.
|
| ------------------------------------------------------------------------------------------------------- |
Error: "The string contains an invalid X500
name, attribute key, OID, value
or delimiter" |
To avoid this error, create a new certificate and verify that
there are no special characters in any of the fields in the
distinguished name. In particular, do not include a comma
in the company name.
The following characters are not allowed in any of the CSR
fields:
[! @ # $ % ^ * ( ) ~ ? > < & / \ , . " ']
|
| ------------------------------------------------------------------------------------------------------- |
Error: "The pending certificate request for
this response file was not found.
This request may be cancelled. You cannot install selected response
certificate using this Wizard" |
You are attempting to install a certificate that does not
match the private key (Pending request) that is currently
residing in the Certificate Wizard. Microsoft IIS 5 only allows
you to make one request per site. If you create a new CSR
for the same website, your original request (and private key)
will be overwritten.
If you have a backup of the private key, you can install the
certificate via the MMC if you can restore the request to
the REQUEST folder.
Unless you can find the matching private key for the certificate,
you will need to have the certificates reissued.
|
| ------------------------------------------------------------------------------------------------------- |
My browser stopped responding to my SSL server,
other browsers can connect
from a different location? |
|
| ------------------------------------------------------------------------------------------------------- |
How do I backup the certificate and key in IIS5? |
Start the certificates mmc for the web server and select 'All
Tasks', 'Export' against the site certificate. Choose to export
the CA certificates. Specify a password. Specify a filename
(e.g. mypkcs12.pfx). Save the .pfx file in a safe place off
the server.
|
| ------------------------------------------------------------------------------------------------------- |
The system errors when you open World Wide Publishing
Service or Administrative
Tools Services |
|
| ------------------------------------------------------------------------------------------------------- |
My certificate says it has a nonvalid digital signature,
what can cause this? |
1. The intermediate Comodo certificate has not been installed; you
must use the one that came with the site certificate
2. The wrong intermediate Comodo certificate has been installed; you
must use the one that came with the site certificate
|