SSL certificates generated by SelfSSL7 are failing. Any ideas?

Solution 1:

Instead of using SelfSSL7, I tried using the internal "makecert" tool and I didn't have any problems with the certificates it generated.

This is the command to create a certificate, install it only to the "MY" (Personal) certificate store on the current machine, and also output it to a CER file for use on other machines.

The makecert utility for me was found at C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\x64

makecert.exe -r -pe -a SHA256 -ss my -sr LocalMachine -n "CN=app.test.local" -b 01/01/2011 -e 01/01/2050 -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 app.test.local.cer

Hope that helps someone.

Solution 2:

I have noticed that as I step through applying the 3 certificates, the last certificate applied is fine and any previous certificates are invalidated. I have also noticed that all of the certificates have the same "Unique Container Name". Could this be causing my problem?

I think you've hit the nail on the head here. The "unique container name" is the filename of a "key container" located at C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. As far as I can tell, a key container is a wrapper for a public/private key. You can inspect the files in this folder as you run SelfSSL, and you will see that the modified date for the file corresponding to the "unique container name" updates every time you run SelfSSL. (BTW, opening this file with a text editor will let you see the logical name of the container; in this case it is "SELFSSL".)

So SelfSSL seems to be written to re-use the same key container every time it is run, which would mean creating a new public/private key. I think that the implication is that any public key left hanging around after SelfSSL has been run again has no private key (it may think it has a private key, but the key container no longer has its cryptographically corresponding private key).

In my case, this is causing all HTTPS requests to a site bound to those previous certificates to fail with a server connection reset. Inside the event viewer I'm seeing "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960."

(I'm using SelfSSL, but it seems to be the same problem as you're seeing with SelfSSL7.)
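The mismatch Solution 2 describes (several certificates pointing at one key container that now holds a different key pair) can be checked directly from the store. The following PowerShell is an added diagnostic, not code from either answer; it assumes Windows PowerShell 5.1 and CSP-backed RSA keys (such as the Microsoft RSA SChannel provider), where $cert.PrivateKey exposes CspKeyContainerInfo.

```powershell
# Added diagnostic (not from the original answers). For every certificate in
# LocalMachine\My, record its key container name and whether the RSA modulus of
# the private key in that container still matches the certificate's public key.
$rows = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $container  = $null
    $keyMatches = $false
    if ($cert.HasPrivateKey) {
        try {
            # RSACryptoServiceProvider for CSP keys; $null for CNG keys (assumption: CSP keys)
            $priv = $cert.PrivateKey
            if ($priv -and $priv.CspKeyContainerInfo) {
                $container = $priv.CspKeyContainerInfo.UniqueKeyContainerName
                # The container can be opened even after another tool overwrote it
                # with a new key pair, so compare the public modulus on both sides.
                $certMod = [Convert]::ToBase64String($cert.PublicKey.Key.ExportParameters($false).Modulus)
                $keyMod  = [Convert]::ToBase64String($priv.ExportParameters($false).Modulus)
                $keyMatches = ($certMod -eq $keyMod)
            }
        } catch {
            $keyMatches = $false
        }
    }
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        HasKeyFlag = $cert.HasPrivateKey
        KeyMatches = $keyMatches
        Container  = $container
    }
}

$rows | Format-Table -AutoSize

# Containers referenced by more than one certificate: only the certificate whose
# key was written last can still have a matching private key.
$rows | Where-Object { $_.Container } | Group-Object Container |
    Where-Object { $_.Count -gt 1 } | ForEach-Object {
        Write-Warning ("Key container {0} is shared by {1} certificates" -f $_.Name, $_.Count)
        $_.Group | ForEach-Object { Write-Warning ("    {0}  {1}" -f $_.Thumbprint, $_.Subject) }
    }

# Certificates that claim a private key but whose container no longer holds the
# matching key; these are the bindings that fail the TLS handshake.
$rows | Where-Object { $_.HasKeyFlag -and -not $_.KeyMatches } | ForEach-Object {
    Write-Warning ("Private key does not match certificate: {0}  {1}" -f $_.Thumbprint, $_.Subject)
}
```

Run it from an elevated prompt, since opening machine key containers requires read access to the MachineKeys directory.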