BUG: SelfSSL allows only one website to have SSL at a time

re: BUG: SelfSSL allows only one website to have SSL at a time

Paul Carrig — Sat, 30 Apr 2005 22:33:21 GMT

I read a post stating there was no workaround for the SelfSSL certificates only working for the last generated certificate (http://groups-beta.google.com/group/microsoft.public.inetserver.iis.security/browse_frm/thread/476598ea35f6f09a/5fc0a957c1c0f655?q=selfssl+multiple+known+issue&rnum=1&hl=en#5fc0a957c1c0f655).

I recently encountered the issue and successfully implemented a workaround. Please let me know if I've missed something obvious here....

1 - create certificate for site 1
2 - export the certificate to a pfx file (IIS->directory security->server certificate wizard)
3 - create certificate for site 2. First site's certificate should no longer work
4 - remove certificate from site 1
5 - import pfx from step 2 using same wizard

SSL on both sites should now work!

As I've not seen the workaround posted elsewhere, I'm sharing it the hope of it making it easier for others encountering the same issue....

MSDE SelfSSL = asking for trouble

Ben Cartwright's Technology Blog — Wed, 27 Jul 2005 06:39:51 GMT

MSDE SelfSSL = asking for trouble

Ben Cartwright's Technology Blog — Wed, 27 Jul 2005 06:41:41 GMT

MSDE SelfSSL = asking for trouble

Ben Cartwright's Technology Blog — Wed, 27 Jul 2005 06:41:57 GMT

MSDE SelfSSL = asking for trouble

Ben Cartwright's Technology Blog — Wed, 27 Jul 2005 06:43:58 GMT

MSDE SelfSSL = asking for trouble

Ben Cartwright's Technology Blog — Wed, 27 Jul 2005 06:45:13 GMT

MSDE SelfSSL = asking for trouble

Ben Cartwright's Technology Blog — Wed, 27 Jul 2005 06:46:36 GMT

MSDE SelfSSL = asking for trouble

Ben Cartwright's Technology Blog — Wed, 27 Jul 2005 06:47:14 GMT

SelfSSL and Site ID

David Truxall — Mon, 08 Aug 2005 23:00:21 GMT

SelfSSL is a tool found in the IIS 6.0&nbsp;Resource Kit. It allows you to generate SSL certificates...

re: BUG: SelfSSL allows only one website to have SSL at a time

Arjan — Thu, 26 Jan 2006 13:11:33 GMT

David,

I just downloaded and installed the latest IIS Resource Toolkit with a modify date of 20 januari 2006. But the bug in SelfSSL is still there. Can you tell me where I can find the right version of SelfSSL without the BUG.

Kind Regards,
Arjan.

re: BUG: SelfSSL allows only one website to have SSL at a time

David Wang — Thu, 26 Jan 2006 16:27:30 GMT

Arjan - IIS Resource Toolkit cannot be updated, so this bug in SelfSSL will be there forever.

I suggest download the IIS Diagnostics Toolkit which has SelfSSL with updates integrated into the SSL Diagnostics commandline.

http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx

//David

re: BUG: SelfSSL allows only one website to have SSL at a time

Mark Minasi — Thu, 09 Feb 2006 17:47:43 GMT

Hey David --

I've found SelfSSL helpful and tell many people about it. I didn't know about the bug or the fix, so here's just a note to say thanks!

Mark Minasi

re: BUG: SelfSSL allows only one website to have SSL at a time

David.Wang — Sun, 12 Feb 2006 13:35:33 GMT

Mark - you're welcome!

You won't hit the bug until you try to enable SSL on >1 websites on the IIS server... but that has been fixed and incorporated into SSLDiag 1.1, a part of IIS Diagnostics Toolkit

http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx

//David

re: BUG: SelfSSL allows only one website to have SSL at a time

Stuart — Tue, 28 Feb 2006 19:53:43 GMT

David,

We are trying to get a Paml Treo 700W to go on our exchange server, and I need to export the public certificate AND the publisher's certificate to the Palm to get this to work. I can easily get the public and private cert, but would you know how I could get the publisher's cert from a previous SelfSSL run?

Perhaps this post that I found will explain what I need more clearly:
-------------------------------------------------------------
So, there has been a decent amount of rumblings about the new Palm Treo 700w from Verizon Wireless (running Windows Mobile 5.0) - and it's apparent inability to sync with SBS.

Sean has a good post outlining how Windows Mobile 5.0 has changed how it handles certificates. The good news is that if you're using self-signed certificates with your SBS, you can get your Treo 700w to sync wirelessly with your Exchange server. As proof, I just did this myself - configured a new 700w for one of our internal users to sync with our SBS, and we're using a self-signed certificate.

The trick is to install both your self-signed certificate ( \\<your_sbs\ClientApps\SBSCert ) AND your CA certificate (publishing.company.local - check out \CertEnroll">\\<your_sbs>\CertEnroll ). Copy these two .cer files to your device using ActiveSync. Then on your device, use FileExplorer to browse to the folder where you copied the certs, and double-click to install each. Voila! You're good to go . . .

Now, there has been some talk that WM5 doesn't trust as many Certification Authorities (CAs) as regular ol' Windows. As a result, if you have purchased an SSL cert from a CA, there is a chance that CA may not be trusted by WM5. In that case, you're not going to be able to sync with your Exchange, since you won't have access to the CA cert to manually install it on your WM5 device. However, you could always convert to a self-signed cert and get it to work that way.

From:

http://msmvps.com/blogs/cgross/archive/2006/01/19/81475.aspx

Thanks,

Stu

re: BUG: SelfSSL allows only one website to have SSL at a time

David.Wang — Thu, 02 Mar 2006 14:01:32 GMT

Stuart - On the server that ran selfssl, you should find the self-signed certificate used by the server for SSL under "Personal Certificates" for "Local Computer" and the CA cert which signed the self-signed certificate under "Trusted Root" for "Local Computer".

I do not see why one needs to install the self-signed certificate (this belongs to the server and is sent to the client during SSL handshake) onto the mobile device. You only need to install the self-signed certificate into the Trusted Root on the mobile device to allow it to trust the self-signed certificate when it communicates with the server over SSL.

//David

SelfSSL headaches

Alert: [object] — Fri, 09 Feb 2007 03:47:47 GMT

In development and test, you often need to configure a site (or a portion of a site) to run under...

re: BUG: SelfSSL allows only one website to have SSL at a time

Ilia Broudno — Fri, 20 Apr 2007 00:39:13 GMT

I was wondering if you could provide some incite into the nature of that bug.

We have a very similar sounding problem on production with real certs from trusted providers.

A second question: I tried using the SSLDiag and it worked - the bug in question did not come up.

But the certs it creates are only valid for 2 weeks and have the same CN.

What I was hopping to get are 2 certs with different names valid for a couple of years.

Is there anything I can do to tweak either what selfSSL or SSLDiag does to get what I want?

re: BUG: SelfSSL allows only one website to have SSL at a time

Tray_Harrison — Thu, 13 Dec 2007 23:33:58 GMT

I have the same question as Ilia. SSL Diag did fix the issues I was having with tryin to run to SelfSSL certs on the same server. The problem is I can't find a way to configure the certificate validity length with SSL diag. I really don't want to have to go in and renew the certs on our test sites every 2 weeks. Is there a way to configure this?

re: BUG: SelfSSL allows only one website to have SSL at a time

Snorre Garmann — Thu, 28 Feb 2008 13:09:53 GMT

You can run ssldiag from commandline the same way as selfssl:

ssldiag /selfssl /V:365 /N:CN=myserverdnsrecord /S:123455646

The only feature I cannot figure out how to fix is the /T:

re: BUG: SelfSSL allows only one website to have SSL at a time

Matthew Bauer — Mon, 28 Apr 2008 18:55:19 GMT

Paul - thanks for the fix - it works for me.

re: BUG: SelfSSL allows only one website to have SSL at a time

Eila — Thu, 17 Jul 2008 23:42:08 GMT

How can i retrieve the self signed certificate hash using c/c++

thanks,

Eila

re: BUG: SelfSSL allows only one website to have SSL at a time

Javier — Wed, 21 Jan 2009 01:04:53 GMT

Thank you!!!

Three years later and still helpful.

re: BUG: SelfSSL allows only one website to have SSL at a time

David Liu — Thu, 12 Nov 2009 04:26:03 GMT

Thanks. This blog helped to resolve my issue with selfSSL.