IIS / Tools / SSL

Taking an SSL Certificate, a KEY file and a CA Certificate and creating a .P12

Required Tools

The Files

I asked the hosting company for the SSL certificate for the site. I received a series of files from them, but they were not in a format I could use to install onto my IIS Server for testing.

They sent me the following files:

  • www.domain.com.cabundle - The CA Public Key Certificate
  • www.domain.com.crt - The public key for the site
  • www.domain.com.key - The private key for the site

The files contained the following (note: Some bytes have been modified to protect me)

www.domain.com.cabundle - The CA Public Key Certificate

-----BEGIN CERTIFICATE-----
[certificate data removed]
-----END CERTIFICATE-----

 

www.domain.com.crt - The public key for the site

-----BEGIN CERTIFICATE-----
[certificate data removed]
-----END CERTIFICATE-----
 

www.domain.com.key - The private key for the site

-----BEGIN RSA PRIVATE KEY-----
[private key data removed]
-----END RSA PRIVATE KEY-----

 

The process to create a .P12 file from the 3 files I was given

After downloading the OpenSSL binaries, I installed them to the default location, which was c:\openSSL

In the BIN folder there are numerous files, but in this case I only want to run the openssl.exe tool

There are a lot of commands available to the openSSL.exe command - the primary ones are listed here.

We are interested in using the pkcs12 command - for a FAQ on the pkcs12 command see http://www.openssl.org/docs/apps/pkcs12.html or http://www.drh-consultancy.demon.co.uk/pkcs12faq.html

Generating PKCS#12 files

In my case the following command line parameters will be used.

  • -in filename
    This specifies the filename of the PKCS#12 file to be parsed. Standard input is used by default.
  • -out filename
    The filename to write certificates and private keys to, standard output by default. They are all written in PEM format.
  • -export
    The export option specifies that a PKCS#12 file will be generated (rather than parsed).
  • -inkey
    The inkey option can be followed by the filename of the private key to use. By default this is read from the input file: using the inkey option you can specify a separate file.
  • -certfile filename
    certfile is followed by the filename of an additional certificate file to be loaded. It just includes all the certificates in the file (in this case the CA public key that signed my certificate)
  • -name "value"
    The name option determines the certificate "friendly name". This is the name that appears in the listbox for Netscape. If you omit the name option then some versions of Netscape will prompt for the name to use: this might be preferable. Unfortunately if you omit the name option in some older versions of MSIE it will refuse to import the file. For MSIE you should use a unique name for each PKCS#12 file imported: this is because the private key is stored under this name and may be silently overwritten if the given name already exists.

The actual command line

openssl.exe pkcs12 -export -in www.domain.com.crt -inkey www.domain.com.key -certfile www.domain.com.cabundle -name "www.domain.com" -out MyNewCertificate.p12

Running this produces very little output but you will be prompted to enter a password as shown below

That is it, all done.

The p12 file is a binary file so no point looking inside it now.
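
A check before and after the export command above, as an added example that is not part of the original post. It is written for a POSIX shell (the openssl arguments are the same for openssl.exe); the function names and the P12_PASS environment variable are assumptions. It refuses to export when the private key does not belong to the certificate, and afterwards counts the certificates that ended up in the .p12 to confirm the CA bundle was included.

```sh
#!/bin/sh
# Added example (not from the original post). Function names and the
# P12_PASS environment variable are assumptions of this sketch.

# Return 0 only when the certificate and the private key carry the same
# public key; 2 if either file cannot be read by openssl.
key_matches_cert() {    # usage: key_matches_cert site.crt site.key
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build the .p12 only after the pair checks out. The password is read from
# the environment (env:P12_PASS) instead of being typed as a command-line
# argument, and umask 077 keeps the key-bearing output file private.
build_p12() {           # usage: build_p12 crt key cabundle name out.p12
  key_matches_cert "$1" "$2" || {
    echo "private key does not match certificate; not exporting" >&2
    return 1
  }
  ( umask 077 && openssl pkcs12 -export -in "$1" -inkey "$2" \
      -certfile "$3" -name "$4" -out "$5" -passout env:P12_PASS )
}

# Count the certificates stored in a .p12 without printing the private key.
# Expect 1 for the site plus one per certificate in the CA bundle.
p12_cert_count() {      # usage: p12_cert_count file.p12
  openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

# Run the whole procedure when called with the five build_p12 arguments.
if [ "$#" -eq 5 ]; then
  build_p12 "$@" && echo "certificates in $5: $(p12_cert_count "$5")"
fi
```

Export P12_PASS before calling the script, and unset it once the file has been imported into the certificate store.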


Enabling SSL on IIS 7.0 Using Self-Signed Certificates

Scott Guthrie has an article on using Self Signed Certificates with IIS and how to enable it in under 30 seconds.

Here is a primer...

SSL enables browsers to communicate with a web-server over a secure channel that prevents eavesdropping, tampering and message forgery.  You should always use SSL for login pages where users are entering usernames/passwords, as well as for all other sensitive pages on sites (for example: account pages that show financial or personal information). 

Configuring SSL on Windows with previous versions of IIS has been a pain.  Figuring out how to install and manage a certificate, and then associate it with a web-site, is something I bet most web developers don't know how to enable.

The good news is that IIS 7.0 makes it radically easier to configure and enable SSL.  IIS 7.0 also now has built-in support for creating "Self Signed Certificates" that enable you to easily create test/personal certificates that you can use to quickly SSL enable a site for development or test purposes. 

Using IIS 7.0 you can SSL enable an existing web site in under 30 seconds.  The below tutorial demonstrates how to do this.

For the rest of the article see his article at http://weblogs.asp.net/scottgu/archive/2007/04/06/tip-trick-enabling-ssl-on-iis7-using-self-signed-certificates.aspx

 


Microsoft releases a new download center for IIS (everything in one place)

DownloadCENTER for IIS.net has been released! 

The DownloadCENTER at IIS.net is a community hotspot for discovering, sharing, reviewing and promoting IIS-related solutions in a single place.  Dozens of existing downloads, for all versions of IIS – both from Microsoft and the community – are already available in DownloadCENTER today. 

This new feature of IIS.net is particularly relevant with the release of IIS7 in Windows Vista.  The latest release of Microsoft’s Web server has a completely modular architecture which features over forty pluggable components that can be easily added, removed or even replaced with custom implementations. 

This powerful extensibility support is available to both .NET and C/C++ developers.  In the future, DownloadCENTER is expected to house a large number of IIS7 extensions submitted by not only the IIS team but the developers and partner ISVs of the IIS community as well.

To learn more about the DownloadCenter, read IIS Product Unit Manager, Bill Staples’ blog post about it or check it out yourself today!

 


Microsoft IIS tools have been updated...

Microsoft has released the January 2006 IIS toolkit.

  • Fetch 1.4:  Remove the browser from scenario and make raw custom HTTP/S requests to your IIS Web Server
  • Debug Diagnostics 1.0:  Track down problems with IIS Crashes, Hangs, or Memory Leaks using this tool
  • Trace Diag:  This is a combined toolset aimed at making Windows Server 2003 Service Pack 1’s tracing easier to use.  It includes IISREQMON, IISTRACE for the command-line and IIS Request Viewer (User Interface) and installs only on SP 1 and higher versions of Windows. 

This release also included some updates to SSLDiag to version 1.1.  This included support for the following:

  • Service Pack 1’s Host Header support for SSL
  • SelfSSL complete functionality on the command-line (ssldiag /selfssl)
  • Limit diagnostics with User Interface to single site (for use on large or specific diagnostic situations – ssldiag /s:<siteid>)

Important:  Log Parser 2.2, SMTPDiag 1.0, and AuthDiag 1.0 were unchanged in this release.

 

For details about each platform, please use the following URL:

 

  (x86) Landing: http://www.microsoft.com/downloads/details.aspx?FamilyID=9BFA49BC-376B-4A54-95AA-73C9156706E7&displaylang=en

  (x64) Landing: http://www.microsoft.com/downloads/details.aspx?FamilyID=7e42b310-b2d1-496b-8005-9d91782b9995&DisplayLang=en

  (ia64) Landing: http://www.microsoft.com/downloads/details.aspx?FamilyID=13c1c5e5-592c-45bc-b5bb-c486b43eb539&DisplayLang

 


IIS Diagnostics Kits

The IIS Diagnostics Toolkit is a combined release of popular tools used by today's IIS users. These tools include tools aimed at resolving problems related to Secure Socket Layer (SSL) issues, permission or security problems, gathering data for your SMTP server included with IIS, as well as the famous Log Parser utility used to sift through hundreds or thousands of log files very quickly.

The toolkit consolidates all the tools into a convenient download and is supplemented by updates every 90 days to ensure that users have the most current diagnostics tools at their fingertips.

For more details see:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9bfa49bc-376b-4a54-95aa-73c9156706e7&DisplayLang=en


Authentication and Access Control Diagnostics 1.0 (more commonly known as AuthDiag) is a tool released by Microsoft aimed at helping IT professionals and developers more effectively find the source of authentication and authorization failures.

These users have often seen behavior from Internet Information Services (IIS) that doesn't seem appropriate or random when users authenticate to the IIS server. The complex world of authentication types and the various levels of security permissions necessary to allow a user to access the server causes many hours of labor for those tasked with troubleshooting these problems.

AuthDiag 1.0 offers a robust tool that offers an efficient method for troubleshooting authentication on IIS 5.x and 6.0. It will analyze metabase configuration and system-wide policies and warn users of possible points of failure and guide them to resolving the problem. AuthDiag 1.0 also includes a robust monitoring tool called AuthMon designed to capture a snapshot of the problem while it occurs in real-time. AuthMon is robust and specially designed for IIS servers, removing any information not pertinent to the authentication or authorization process.

For more details see:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e90fe777-4a21-4066-bd22-b931f7572e9a&DisplayLang=en


A common problem for administrators of IIS servers is configuring and troubleshooting SSL enabled websites. To assist in administrators' efforts, Microsoft has designed a tool - SSL Diagnostics - to aid in quickly identifying configuration problems in the IIS metabase, certificates, or certificate stores.

This tool allows users to review configuration information in an easy-to-read view mode or to run the tool silently with only the creation of a log file. During use, administrators can simulate the SSL handshake to find errors. They can also quickly "hot swap" certificates for testing purposes.

These packages come in two forms: Express and Full. The Express install gives administrators only the tools needed to use SSL Diagnostics, while the Full install installs the same files with the appropriate documentation. Included in the Full install is an SSL Frequently Asked Questions that can assist administrators in learning SSL.

For more details see:
http://www.microsoft.com/downloads/details.aspx?FamilyID=cabea1d0-5a10-41bc-83d4-06c814265282&DisplayLang=en


The IIS 6.0 Resource Kit Tools can help you administer, secure, and manage IIS. Use them to query log files, deploy SSL certificates, employ custom site authentication, verify permissions, troubleshoot problems, migrate your server, run stress tests, and more.

The following tools are available in this package:

  • IIS 6.0 Migration Tool Version 1.0 Version 1.1 Now Available!
  • Apache to IIS 6.0 Migration Tool Version 1.0
  • CustomAuth Version 1.0
  • IISCertDeploy.vbs Version 1.0
  • IIS Host Helper Service Version 1.0
  • IISState Version 3.0
  • Log Parser Version 2.1 Version 2.2 Now Available!
  • Metabase Explorer Version 1.6
  • Permissions Verifier Version 1.0
  • RemapUrl Version 1.0
  • SelfSSL Version 1.0
  • TinyGet Version 5.2
  • Web Capacity Analysis Tool Version 5.2
  • WFetch Version 1.3

For more details see:
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en


IIS SSL Diagnostics Version 1.0
A common problem for administrators of IIS servers is configuring and troubleshooting SSL enabled websites. To assist in administrators' efforts, Microsoft has designed a tool - SSL Diagnostics - to aid in quickly identifying configuration problems in the IIS metabase, certificates, or certificate stores.

This tool allows users to review configuration information in an easy-to-read view mode or to run the tool silently with only the creation of a log file. During use, administrators can simulate the SSL handshake to find errors. They can also quickly "hot swap" certificates for testing purposes.

These packages come in two forms: Express and Full. The Express install gives administrators only the tools needed to use SSL Diagnostics, while the Full install installs the same files with the appropriate documentation. Included in the Full install is an SSL Frequently Asked Questions that can assist administrators in learning SSL.