I created a WebService using WCF. I'm doing self hosting and I want to enable HTTPS. From my understanding for this to happen, I need to create a certificate and bind to the port that I want to use.
Here are the steps that I've done to handle this:
Created a Certificate on my local machine to act as the Root Certificate Authority
makecert -n "CN=My Root Certificate Authority" -r -sv RootCATest.pvk RootCATest.cer
Opened MMC.exe and imported the saved .cer file into the "Trusted Root Certificate\Certificates\ folder
makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=MyMachineName" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe MyMachineName.cer
Created a temporary service certificate from the signed Root Certificate Authority
makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=MyMachineName" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe MyMachineName.cer
Tried to Bind the Certificate to the Port number (443 in this case)
netsh http add sslcert ipport=0.0.0.0:443 certhash=2c5ba85bcbca412a74fece02878a44b285c63981 appid={646937c0-1042-4e81-a3b6-47d678d68ba9}
The result from step 4 is the following error:
SSL Certificate add failed, Error 1312
A specified logon session does not exist. It may already have been terminated.
Does anyone have a clue why I might be getting this error?
I had the same error. The first time it occurred, as Micheal said, I had to move the certificate under Certificates(Local Computer) -->Personal -->Certificate folder. I had the same error when I imported the same certificate on another machine. The reason was that I was using certmgr.msc to import the certificate. . The window opened thus shows “Certificates – Current User”. Certificates imported using this window cause netsh to fail with the 1312 error. Make sure to use certificate snap-in in MMC to import certificates. The certificate snap-in from MMC shows “Certificates (Local Computer)”. This lets the netsh execution sail through.
SSL Certificate add failed, Error 1312
A specified logon session does not exist. It may already have been terminated.
I used to have the exact same problem and spent a couple days trying to figure out what the reason was.
To make the long story short: the problem is that you have installed the certificate on the winrm server that does not have PRIVATE KEY.
I have checked this several times. You have to delete your certificate and rebuild it by using makecert for instance, as it is described perfectly here: http://blogs.technet.com/b/jhoward/archive/2005/02/02/365323.aspx
You can easily check if your certificate has private a key as so: mmc - certificates - local machine - personal. Look at the icon of the certificate - it MUST have key sign on the icon.
I have bought an official Thawte certificate to secure a self hosted (console application) web service over a specific port on our internet server.
I then have received the Thawte certificate and installed it with mmc on our Internet server (the certificate then was viewable under „Trusted Root Certification Authorities“ (with the key icon on the image, what shows that the certificate contains a private key what is mandatory to be able to bind it to a port b.t.w.) .
Next step was to enable the <port> for https:
netsh http add urlacl url=https://+:<port>/ user=everyone
(what was no problem)
Next step was to enable the port () for https:
netsh http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint to certificate> appid={<guid to application>}
This has failed with the error message:
SSL Certificate add failed, Error: 1312 A specified logon session does not exists. It may be already have been terminated.
I then have searched the Internet and tried various suggested workaround’s (without success).
The solution for my case was to add certstorename=Root to the netsh command:
netsh http add sslcert ipport=0.0.0.0:<port *1)> certstorename=Root certhash=<thumbprint to certificate *2)> appid={<guid to application *3)>}
Notes:
If no certstorename is applied to net netsh command, netsh takes the default, what is MY (what targets the certificate store: “Personal” where self signed certificates are stored normally).
Root targets the certificate store: „Trusted Root Certification Authorities“
*1): The port, you want to use the connection
*2): You can extract the thumbprint to the certificate, if you open the certificate (on a windows system, just doubleclick the certificate in explorer) - select tab “Details” and click on “Thumbprint”. The “thumbprint” then is showed and can be copied. Copy the Thumbprint and remove all spaces...
*3): As appid you can take any ID in the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} as the APPID is only informative.
With the command “netsh http show sslcert” you can query the bound certificates on the whole machine and the will see informative, which appid is bound to which certificate (not really helpful in practice b.t.w.)
In my case, I have took the (from VS generated) GUID to my web service application
I had been dealing with this issue and I'm using a self-hosted WCF service. I just made the breakthrough:
I had a certificate in the personnel folder for the Machine store. It expired and my manager issued a new one. The new one failed for me with this error. I tried a lot of stuff from Google but in the end, resolved the issue using a completely different solution.
I installed both certificates- the expired one and the newer one. Then I used this command to get a list of them:
certutil -store My
I get this output (info is fake and other certificate are not listed):
================ Certificate 1 ================
Serial Number: 6d
Issuer: E=operations#voicetrust.com, CN=VoiceTrust Server CA, OU=VoiceTrust Oper
ations, O=VoiceTrust
NotBefore: 03-Jan-2013 3:33 PM
NotAfter: 03-Mar-2013 3:33 PM
Subject: E=hgulzar#voicetrust.com, CN=hornet.voicetrust.com, OU=Software Develop
ment, O=VoiceTrust eServices MENA FZ LLC, L=Dubai, C=AE
Non-root Certificate
Cert Hash(sha1): 98 5f a0 d3 11 6a 4b 64 3b db 0a a4 11 66 fc 08 28 74 7e 53
Key Container = {E5BC0912-7808-4B89-B457-31946DE5990E}
Unique container name: dfedfcc149408fb990a3bacd6d31126b_3277b2c9-9894-46d0-9b6
4-30f0d6589239
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed
================ Certificate 2 ================
Serial Number: 6d
Issuer: E=operations#voicetrust.com, CN=VoiceTrust Server CA, OU=VoiceTrust Oper
ations, O=VoiceTrust
NotBefore: 03-Nov-2013 3:33 PM
NotAfter: 03-Dec-2013 3:33 PM
Subject: E=hgulzar#voicetrust.com, CN=hornet.voicetrust.com, OU=Software Develop
ment, O=VoiceTrust eServices MENA FZ LLC, L=Dubai, C=AE
Non-root Certificate
Cert Hash(sha1): 30 5f a0 d3 11 6a 4b 64 3b db 0a a4 11 66 fc 08 28 74 7e 53
Key Container = {E5BC0912-7808-4B89-B457-31946DE5960E}
*Unique container name:* 55edfcc149408fb990a3bacd6d31126b_3277b2c9-9894-46d0-9b6
4-30f0d6589239
Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed
Now, everything seems OK but certificate 1 is expired and works if I try to bind it to a port whereas Certificate 2 fails with Error 1312.
The key difference that baffled me was the Unique container name property. It should be representing a physical key file on the hard drive in the %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\
For Certificate 1, the file was there but for Certificate 2, there was no such file. After searching I found the file against Certificate 2 in the sub folder of %AppData%\Microsoft\Crypto\ folder. That's user specific keys not Machine level keys. It's amazing that the certificate is being imported into Computer store yet it always keeps the container key of User's store.
I deleted the '55edfcc149408fb990a3bacd6d31126b_3277b2c9-9894-46d0-9b64-30f0d6589239' file under the AppData folder and ran the repair command for my certificate 2 on the store:
certutil -repairstore My 2
This time, the Unique container name was reflecting a file in the proper folder under '%ProgramData%\Microsoft\Crypto\' and everything started working.
Hope this is helpful to someone.
I've been fighting error 1312 all day, what fixed it for me was to import the certificate in mmc as a .p12 file instead of a .crt. If you are creating it with OpenSSL then once you have created the .crt, do:
pkcs12 -export -in server.crt -inkey server.key -name “Your Name” -out server.p12
As described. When you go to import it in mmc it will be a called "Personal Information Exchange" file (and apparently a .pfx file would also work).
I'm new to writing servers and dealing with SSL and I have no idea why this works, but I hope it helps.
The problem was in step 4. I was using the Thumbprint from the Root Certificate for the value in certhash. To solve this I had to go back to the MMC and refresh the Certificates(Local Computer) -->Personal -->Certificate folder. Then use the Thumbprint from the certificate that is "Issued By" the Root Certificate Authority.
I my case the problem was that the CER file hasn't private key attached.
I've attached PK using those OpenSSL commands:
openssl x509 -in server.der -inform DER -out server.pem -outform PEM
openssl pkcs12 -export -in server.pem -inkey serverkey.pem -out server.p12
Works for CER/DER files.
I had the same problem and solved importing the certificate using this command:
c:> certutil -importPFX certname.pfx
Now the certificate appear using this command:
c:> certutil -store my
before this command the certificate doesn't appear
This might seem obvious; however, I think it can save someone some time of head scratching. I had imported a file with .cer extension under my Personal certificates folder (for the Personal Computer account). After a while, I realized that I needed to import the file with the *.pfx extension instead. Fixed that and voilà! Problem solved!
There are multiple ways of receiving this error (see above for other answers).
Another way to receive this specific error is to attempt to bind a certificate to a port when the certificate is not in the appropriate store.
Verify that the certificate is stored in the localMachine Root store (you can use certutil or certmgr.exe from command line to dump it correctly).
updated grammar :)
If anyone else runs into this problem and the answers in here do not clearly answer it, the underlying core problem is the private key needs to be imported. If you do not mark the certificate as exportable when you import it, the private key is not imported and you cannot bind it. If you delete it and re-import it and mark it as exportable, then it will work.
It also needs to be the local machine store as others have pointed out.
If:
you didn't have IIS on your machine (working with self-hosted WCF let's say), and
you made your cert request on another machine using IIS Manager (because you didn't understand that the private key comes from ciphers embedded in the cert request - and later the issued .pb7)
then:
just go install the .pb7 on the IIS machine you used to make the cert request (local machine/personal/certificates - using mmc);
export the cert from that machine, including its private key (assign password); and
install it using mmc on the WCF server (local machine/personal/certificates - using mmc).
Then, netsh will let you bind to port 443. No more 1312 errors.
Just to throw yet another answer into the ring, this is the problem I had:
Although I imported my certificate into the (Local Computer)\... certificate store, I had imported it into the Trusted Root Certification Authorities section. I needed to import it into the Personal section, otherwise this error occurred.
In my case, i have missing the certificate private key.
IF you imported the certificate using .NET, specific import flags must be used:
/// <summary>
/// Imports X.509 certificate from file to certificate store.
/// </summary>
/// <param name="fileName">Certificate file.</param>
/// <param name="password">Password.</param>
/// <param name="storeName">Store name.</param>
/// <param name="storeLocation">Store location.</param>
public static void ImportCertificate(string fileName, string password, StoreName storeName, StoreLocation storeLocation) {
var keyStorageFlags =
X509KeyStorageFlags.PersistKeySet
| (storeLocation == StoreLocation.LocalMachine ? X509KeyStorageFlags.MachineKeySet : X509KeyStorageFlags.UserKeySet);
var cert = new X509Certificate2(fileName, password, keyStorageFlags);
var store = new X509Store(storeName, storeLocation);
store.Open(OpenFlags.MaxAllowed);
store.Add(cert);
store.Close();
}
The ImportCertificate method is a part of the Woof.Security package created by me.
https://github.com/HTD/Woof.Security
https://www.nuget.org/packages/Woof.Security/
This is my summary of all the fixes in this thread and how it worked for me:
Find "Windows PowerShell", right-click on the icon, and choose "run as administrator".
Find "Wordpad", right-click on the icon, and choose "run as administrator". (this is so you can copy and paste between PowerShell and Wordpad.)
In PowerShell run "netsh HTTP show sslcert".
From the info that shows, copy the "Certificate Hash", "Application Id", and "Certificate Store Name". (You'll need all these in a moment.)
(If you need to) locate your *.cer or *.crt file and export it as a *.pfx file.
In Powershell, navigate to the folder of your *.pfx file.
Now run "certutil -importPFX .pfx".
Then run "certutil -store my" to show the installed certs.
Now using the info from step #4 run this "netsh http add sslcert ipport=0.0.0.0:8000 certstorename= certhash= appid='' (I had to put them in this order, with my cert store name, and single quotes around the app id.)
Check that the SSL cert was added by running "netsh HTTP show sslcert" again.
I had exact same problem eventhough my .pfx file had private key. Adding of certificate with MMC console was successful, but adding programatically using .Net X509Store.Add(X509Certificate2) method failed every time with error 1312. Certificate even had a key sign on the icon.
After several days finaly decided to make new certificate using makecert.exe as suggested in posts here. After that everything was fine. Key appeared in %ProgramData%\Microsoft\Crypto\RSA\MachineKeys. For some reason my earlier pfx file was not compatible.
In my experience, as long as your key in not appearing in %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\, binding with 'netsh http add sslcert ....' will fail.
The certstorename argument should be the string value of the StoreName enumeration from the .net framework namespace System.Security.Cryptography.X509Certificates.
I've being working on this for hours, and basically read through what #DoomerDGR8 said above, but my fix was a lot more simple. I ran
C:\Windows\system32> certutil -store TRUSTEDPUBLISHER
This listed several certificates I have installed, I then ran repair store on the certificate that I was having a problem installing with netsh.
C:\Windows\system32> certutil -repairstore TRUSTEDPUBLISHER 6
The number 6 at the end represents the index of your certificate, found at in the store, hope this helps
In my case while creating the certificate I chose a different name than My for my Cert Store name. The default name is MY. So if yours is different append certstorename=Your provided store name to the command.
I had the same error when creating self signed certificate with OpenSSL(BouncyCastle) I resolved it with help from this post:
Cannot export generated certificate with private key to byte array in .net 4.0/4.5
I had to add:
RsaPrivateKeyStructure rsa = RsaPrivateKeyStructure.GetInstance(seq); //new RsaPrivateKeyStructure(seq);
RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters(
rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);
var rsaPriv = DotNetUtilities.ToRSA(rsaparams);
var cspParams = new CspParameters
{
KeyContainerName = Guid.NewGuid().ToString(),
KeyNumber = (int)KeyNumber.Exchange,
Flags = CspProviderFlags.UseMachineKeyStore
};
var rsaPrivate = new RSACryptoServiceProvider(cspParams);**
// Import private key from BouncyCastle's rsa
rsaPrivate.ImportParameters(rsaPriv.ExportParameters(true));
// Set private key on our X509Certificate2
x509.PrivateKey = rsaPrivate;
So to add (yet) fix/situation.
I had C# code that used BouncyCastle to create self-signed certificates.
<packages>
<package id="BouncyCastle" version="1.8.1" targetFramework="net45" />
So my code created the certificates AND placed them in the correct locations in the Cert-Store.
Using the hints here, my install of On Premise Service Bus 1.1 was failing...and that led me here.
I ended up DELETING both certificates my BouncyCastle code had created (from the cert store) and reimporting them (with private keys)....and it all worked.
I imported FIRST to the
Certificates (Local Computer) / Personal / Certificates
then I copied pasted (in the mmc) to any other places (stores) I needed them.
My "before" and "after" looked exactly the same from my eyes in MMC, BUT it fixed the issue. Go figure.
I just had yet another error. I renewed an expired cert for our WorkFolders service from our CA using the same private key. Then I always got Error 1312. Even if Certificate Management shows I have a private key.
I could only solve the problem by re-issuing a new certificate (without the renew option). Then it worked on the first try.
Maybe this will help someone who also tried the renew option.
For me the problem was solved by ensuring that the certificate hash I was using in my command line, corresponded to the certificate installed on my server:
netsh http add sslcert ipport=0.0.0.0:8081 certhash=1061a577f0cc1c428186000dc84f02a7111ca1b2 appid={GUID}
On my side, the files provided were a P7B file together with a bunch of cert files. After getting stuck, I asked for my colleague's help and he gave me an idea to import the certificates together with the private key via a PFX.
This article gave me the instruction to convert the P7B file into PFX. To summarize, you simply have to do the following:
Use openssl to convert the P7B file into PEM first
Convert the PEM file into PFX
You can now import the PFX file. Better to read the article I stated above because it has significant information to note.
Finally I solved it. The problem is the certificate file. I tested it other mac and failed it. Here is my solution.
Remove .cer file
Re-create certificate file.
If failed, also re-create CSR file.
Thank you.
Looks like this is a generic error. My fix is unlike all the rest.
Using Azure Devops for a deployment, the step IIS Web App Manage has the cert hash buried/hidden in IIS Bindings (which the only way to see the cert hash is to edit that specific piece), so you have to update the hash so it matches on the server you're deploying to. And voila, you're set.
I was getting this error when trying to deploy from an Azure Devops pipeline to a Windows Server box running IIS. The pipeline should deploy the site to IIS and then create an https binding where the existing certificate in the computer cert store was referenced by it's thumbprint. In the pipeline the thumbprint was meant to be drawn from variable group - however the correct variable group wasn't linked to the pipeline (and the variable name was wrong) - so it got nothing.
Basically the wrong thumbprint was being used to identify the cert, I suspect it wasn't giving a standard "can't find the SSL cert" message because I was attempting to find the cert with a null.
Related
This may seem like a duplicate of this and it kind of is but none of the solutions I tried worked for me! Here is the related Question:
Installed SSL certificate in certificate store, but it's not in IIS certificate list
My system is Windows 2016 running IIS 10. We issued a CSR file using IIS using *.mydomain.com (nothing in the Common Name, I think, because that will get named upon receiving GoDaddy's response). Our client went to GoDaddy.com, purchased a Wild Card certificate, and sent me a zip file with a .p7b and a .crt file. I installed the .p7b in the Intermediate Certificate section, per GD instructions. So now in the Certificate is in the Personal folder with info like 'issued to *.mydomain.com' and friendly name being 'gis.mydomain.com'.
But the Certificate does not have Private Key--and I think that's the problem: The Certificate disappears in IIS manager. When I try the certutil -repairstore command I get a prompt for a Card insertion.
Here is a fix I am thinking about: From the Certificate Enrollement Requests part of the console, export to a pfx file, then, using OpenSSL, make a PEM file. Then create a new pfx file to Import to IIS; problem is that the new pfx file creation gives me error "No Certificate Matches Private Key". Here is the command:
pkcs12 -export -in 1d4c26d43a4da203.crt -inkey my.pem -out final.pfx
Please note that Rekeying at GoDaddy may not help: Their .CRT file seems to be generated without the Private Key. Also, DigiCert is unable to find Private Key on the server even though the CSR file was created on the same server.
What are my options?
Thanks!
I fixed this issue by following the steps here:
https://www.namecheap.com/support/knowledgebase/article.aspx/9773/2238/ssl-disappears-from-the-certificate-list-on-windows-server/
Specifically, these steps:
Open Microsoft Management Console (MMC) as an Administrator. To open MMC, press Win+R combination, type in mmc and click OK.
Select Add/Remove Snap-in and choose Certificates and click Add.
Choose Computer account in the Certificates snap-in window, click Next.
Tick Local computer in the Select computer box, then click Finish.
Locate the certificate that was imported when completing the certificate request. The certificate should be in the Personal store. Note that the icon of the certificate next to the domain name does not have a key on it; that means that no private key is assigned to the certificate.
Double-click the certificate and go to Details tab.
In certificate details locate the Serial Number field, click on it and copy its value.
In a command prompt type: certutil -repairstore my Serial_number from the step above. Make sure the serial number of your certificate does not contain any spaces. It should be a single string of symbols.
You can now refresh the list of server certificates in IIS Manager to see the certificate. You may need to close and reopen IIS.
UPDATE
The certificate store name for Web Hosting is webHosting. Use this in place of "my" which is the Personal cert store.
If you have multiple certificates, you only need to run certutil -repairstore for the first one. Others install correctly via the Complete Certificate Request in IIS (ie, they do not disappear).
Nothing worked until I followed GoDaddy's instructions per https://www.godaddy.com/help/rekey-my-certificate-4976 and installed the Re-Keyed Certificate. I don't know what had happened to have caused the failure. I had followed the exact steps earlier but what the client provided did not work first time. My guess is that the CSR file was generated when the server machine was in some pending major Windows Update and after the Update the Private Key stored in the OS was somehow lost/inaccessible.
Oh well, moving on.
There is one more use case under which IIS server certificates gets disappear when we create the Custom CSR from MMC -> Advanced Operations -> Create Custom Request and choose the Enhanced Key Usage purpose as "Client Authentication" instead "Server Authentication" and since we are uploading the certificate to IIS under Server Certificates so it should be for "Server Authentication" to show up or not disappear on IIS -> Server Certificates
Fix -
Delete the certificate from MMC and make sure it is removed after
refreshing
Generate the CSR using MMC Custom Request option and Choose "Server
Authentication" in case of the purpose for key usage while
generating the CSR using the Custom Request Option from MMC
Generate the Cert and signed by CA for the CSR generated in Step-2
Complete the Certificate Request from IIS and certificate should be
available perfectly fine in MMC as well in IIS -> Server Certificate
This should work fine !
At last Fixed!!
Step 1 - Go to your servers IIS
Step 2 - Select your server and choose SSL Certificate from middle panel
Step 3 - From the action panel on the right choose "Create Certificate Request"
Step 4 - Fill in the necessary details (common name = domain name, rest not so important)
Step 5 - after completing the wizard you will be provided with a .CSR file open the file in notepad and CTRL-A CTRL-C.
Step 6 - Go to the product page of your godaddy account from there go to SSL and click manage.
Step 7(optional) - To check if everything's fine with your CSR file, In manage SSL page click "SSL Tools" and from there choose CSR Decoder, you'll be taken to a page where you can paste the CSR and if results are shown you are good move to step 8.
Step 8 - Go back to Step 6, choose your SSL linked to the DOMAIN.
Step 9 - From the SSL Dashboard once you scroll down a bit you'll see the REKEY option, click on it.
Step 10 - Paste the CSR texts in the space provided
Step 11 - Click "Add Change"
Step 12 - Scroll down, click "Submit All Changes"
Step 13 - After the SSL is reissued(5-10 MINS), download the zip files for IIS server.
Step 14 - That's it , you should be able to add the new .CES file into the IIS without it disappearing.
Let me know if this worked for everyone.
You need to convert the certificate to .pfx file and include your private key.
https://www.ssls.com/knowledgebase/how-to-install-an-ssl-on-a-windows-server-when-the-csr-was-generated-elsewhere/
I want to use WinRM with https transport. I've bought a Comodo certificate (the error states I cannot use a self-signed certificate) with the Subject matching my FQDN (Full computer name in System) of my Windows 10 computer (not domain joined):
CN = my.domain.net
OU = PositiveSSL
OU = Domain Control Validated
When trying to create a https listener with the following command:
WinRm quickconfig -transport:https
I get the error message:
Error number: -2144108267 0x80338115
Cannot create a WinRM listener on HTTPS because this machine does not have an appropriate certificate. To be used for SSL, a certificate must have a CN matching the hostname, be appropriate for Server Authentication, and not be expired, revoked, or self-signed.
I've installed (doubleclick the *.crt file) the certificate in several stores (local machine / personal and Trusted Root Certification Authorities) but WinRM fails to create the https listener. The http listener is working OK.
Some extra info: When using certreq to try to install the *.cer certificate, I get the error:
Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND)
How do I get WinRM working with https?
Here is how I solved this issue:
create a SSL CSR using DigiCert Certificate Utility for Windows from digicert.com
use the generate CSR to request a certificate. I used versio.nl but I'll guess there are a lot of CA's out there
Install the certificate by double clicking it
go to the certificate manager for user
rightclick the certificate (it should me in the personal store) and export it
- follow the wizard and be sure to export the private key
install the newly exported certificate (mark the key as exportable and include all extended properties) in the local computer certificate store
Open an console (cmd) with administrator privilidges and type:
winrm create winrm/config/Listener?Address=*+Transport=HTTPS
#{Hostname="server.fqdn";CertificateThumbprint="YOURCERTIFICATETHUMPPRINT"}
This worked for me. Some things to check if it is not working:
is the certificate still valid (check the date range)
check if the certificate property 'Subject" has a CN value with the FQDN of your computer
check if the listener is installed (winrm e winrm/config/listener)
I took me a lot of hours to figure this out. I hope it will help some of you out there.
I also experienced this issue - the answer from RHAD was partially helpful, but I needed to use an entirely internally generated CA.
The problem was caused by the Key algorithm I had chosen. Using the same configuration, only changing the key it works:
Failed key: elliptic curve cryptography with the brainpoolP512t1 curve (in the certificate this showed as: Public Key Algorithm: id-ecPublicKey / ASN1 OID: brainpoolP512t1 )
Successful key: an RSA key: (in the certificate: RSA Public-Key: (4096 bit))
Hopefully this helps others with similar issues.
I have an issue after I installed the SSL Certificate in WorldClient, MDaemon 12.
I followed the link in installing the SSL, SSL installation was fine. Then, I followed the link to use the SSL in WorldClient. I use 888 for TCP port and 443 for https port.
When I call the webmail (http://mail.mydomain.com.sg:888) in browser, it opens properly. But, if https://mail.mydomain.com.sg:888, Secure Connection Failed error message is shown.
Any Ideas, please? Thanks.
I have solved this problem.
If you read all instruction from the link you given in your post carefully until finished, you'll get the answer.
Note: MDaemon will only display certificates that have private keys
using the Personal Information Exchange format (PKCS #12). If your
imported certificate does not appear in the list then you may need to
import a *.PEM file, which contains both a certificate key and private
key. Importing this file using the same process outlined above will
convert it to the PKCS #12 format.
You should make a PKCS#12 file from generating the (certificate) .csr and private key (.key) you have. If you on windows, install the openssl first on your PC. After successful generate the PKCS#12 file, follow the instruction again to install the SSL certification on MDaemon.
If you success, you'll see the certificate appear in the MDaemon.
Remember to restart your server or webserver to apply the changes.
Regards
I am trying to upload the SSL certificates for my OpenShift gear's alias. I used the instructions here: http://cloudhostingsource.com/setup-ssl-certificate-openshift/
I am stuck however at the uploading part - I have already genereated the CSR, activated the certificate. Every time I try to upload the files it takes me back to the same page without so much as a notification.
Comodo SSL sent me 4 files:
AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
myApp.crt
How do I upload these? There are three fields to upload for Openshift... Which do I load into SSL Certificate? Certificate chain? I have my private key and I know the keypass.
Thanks
Just wanted to post an update for this for users who run into this issue in the future... I'm not sure if it was because I had added a public SSH key via the RHC setup but nothing I did (no permutations of copy paste chaining, switching files around) would work via the file uploader.
In the end, before deciding to call Red Hat and QQ, I used the command line console to add the SSL files...
Here is the command I used:
rhc alias update-cert php www.myapp.com --certificate myApp.crt --private-key myApp.key --passphrase mypass
This link includes more info: https://access.redhat.com/documentation/en-US/OpenShift_Online/2.0/html/User_Guide/Using_Custom_SSL_Certificates1.html
TLDR: You don't need to combine any of the Comodo files, just use your file #4, your privatekey, and your passphrase (if you have one)
Thats right!
First combine public with bundle:
cat dom_com.crt dom_com.ca-bundle >> dom_com.ALL.bundle
and upload both:
rhc alias update-cert app dom_com \
--certificate dom_com.ALL.bundle \
--private-key dom_com.key
And then you will obtain an A at https://www.ssllabs.com/ssltest/
You need to combine 1,2, and 3 into one chain certificate (in the correct order) and upload them in the chain certificate field, the key goes in the key field, and the myApp.crt goes in the certificate field.
I had a similar problem, and after some back and forth emails with the Certificate issuer, what helped me was to combine my site certificate with the Certificate chain into one file, and uploading it into the "SSL Certificate" field in OpenShift. I left the "SSL Certificate Chain" field blank, but of course I uploaded my public key in the "Certificate Private Key" field.
I have a WCF service that I want to access using SSL. I'm on my developer machine, so I was thinking of self-hosting the service. I've been following Configuring HTTP and HTTPS.
I've created a self-signed certificate which I added to the Trusted Root Certification Authorities. I've created another two certificates signed by the first one, one for the client and the other for the server. I followed Using makecert to create certificates for development.
I can't get past the SSL certificates configuration step. When I'm binding the certificate to the port number using netsh it throws an SSL error:
Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.
Does the certificate need some special field or some other thing for this to work?
CA certificate:
makecert -n "CN=TestCA" -cy authority -a sha1 -sv "TestCA.pvk" -r "TEST_CA.cer"
Service certificate:
makecert -n "CN=rneapp.com" -ic "TEST_CA.cer" -iv "TestCA.pvk" -a sha1 -sky exchange -pe -sv "rneapp.com.pvk" "rneapp.com.cer"
Client certificate:
makecert -n "CN=rneClient" -ic "TEST_CA.cer" -iv "TestCA.pvk" -a sha1 -sky exchange -pe -sv "rneClient.pvk" "rneClient.cer"
I'm using this command to bind the certificate to the port:
netsh http add sslcert ipport=0.0.0.0:8465 certhash=a853f3b5b48b8a506bdc4212ba2726a3bfea2bb6 appid={2E53B9B0-17AE-4EBC-A1AE-43D53A6FD07D} clientcertnegotiation=enable
When I encountered the same issue, moving the certificate from Current User to Local Computer storage helped, so try checking your certificate storage.
Built-in help for netsh http add sslcert also mentions this with regard to certstorename option:
certstorename - Store name for the certificate. Defaults
to MY. Certificate must be stored in the
local machine context.
I also run into similar error code through different process of creating the self-signed certificate and find the source of my own problem. Using netsh, bind an SSL certificate to a port number is failing
Here is the article I follow to create the self-signed certificate and it is quite complete and thorough.
I have exactly the same issue on Windows 7 and Windows Server 2008 R2 but for me it is working the first time I bind the certificate with the port. However if I delete the binding (netsh.exe http delete sslcert ipport=0.0.0.0:9101) and bind again with the same certificate, it fails. If I try another port, it fails. If I create a brand new certificate then I can bind again. But again deleting/binding will fail.
I follow the same rules as this question:
Can't register a C# generated selfsigned SSL certificate with netsh (error 1312)
I also tried to install KB981506 http://support.microsoft.com/kb/981506 but it failed to install "The update is not applicable to your computer". Maybe I have it already.
I have a feeling something is not deleted in a right way when the binding is deleted. ProcessMonitor doesn't show any thing weird when I try to bind again.
This seems to be a known issue. Check out this Microsoft KB article.
You may also be setting up the certificates incorrectly. Check out this MSDN forum post for how another person was making a similar mistake and getting the 1312 error which was just distracting him from the real problem which was his certificate configuration.
I had a similar problem today, and this is how I fixed it. When I have watched certificates installed on my local computer/my in mmc.exe, I have seen that my certificate haven't icon with key.
So when I combine *.cer and *.pvk file to *.pfx with:
pvk2pfx -pvk "private_key.pvk" -spc "public.cert" -pfx "test.pfx"
And then import *.pfx file with mmc.exe.
Then the next commands will execute with no errors:
netsh http add sslcert...
netsh http delete sslcert...
I have posted this answer to similar Stack Overflow question, Can't register a C# generated selfsigned SSL certificate with netsh (error 1312).