SSL certificates generated by SelfSSL7 are failing. Any ideas?
Solution 1:
Instead of using SelfSSL7, I tried using the internal "makecert" tool and I didn't have any problems with the certificates it generated.
This is the command to create a certificate, install it only to the "MY" (Personal) certificate store on the current machine, and also output it to a CER file for use on other machines.
The makecert utility for me was found at C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\x64
makecert.exe -r -pe -a SHA256 -ss my -sr LocalMachine -n "CN="app.test.local -b 01/01/2011 -e 01/01/2050 -eku 1.3.6.1.5.5.7.3.1 -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 app.test.local.cer
Hope that helps someone.
Solution 2:
I have noticed that as I step through applying the 3 certificates, the last certificate applied is fine and any previous certificates are invalidated. I have also noticed that all of the certificates have the same "Unique Container Name". Could this be causing my problem?
I think you've hit the nail on the head here. The "unique container name" is the filename of a "key container" located at C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. As far as I can tell, a key container is a wrapper for a public/private key. You can inspect the files in this folder as you run SelfSSL, and you will see that the modified date for the file corresponding to the "unique container name" updates every time you run SelfSSL. (BTW, opening this file with a text editor will let you see the logical name of the container, in this case it is "SELFSSL".
So SelfSSL seems to be written to re-use the same key container every time it is run, which would mean creating a new public/private key. I think that the implication is that any public key left hanging around after SelfSSL has been run again has no private key (it may think it has a private key, but the key container no longer has its cryptographically corresponding private key.
In my case, this is leading to all HTTPS requests to a site bound to those previous certificates to fail with a server connection reset. Inside the event viewer I'm seeing "A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 20. The Windows SChannel error state is 960."
(I'm using SelfSSL, but it seems to be the same problem as you're seeing with SelfSSL7)