
iis security : SelfSSL Utility - Not working?


Jody
4/18/2005 1:26:05 PM
I just downloaded the SelfSSL for the IIS 6.0 resource kit and ran the
following command line: selfssl.exe /NCN=MySSL /K:1024 /Vv:7 /S:1 /P:443

I got a message that it was successful; however, when I go in to "Directory
Security" for my in IIS, the "View Certificate" is grayed out. I also get a
page not found when I try to hit my website using https:// with my IP address
since we have not changed the DNS yet.

I am setting this up to A). Test to see if it works and B). We are migrating
our server and do not want to transfer our current certificate to the new
server until DNS has finished propagating. The thought here is some users
will hit one server while others will hit the new one, allowing for secure
transactions on both servers simultaneously and eliminating downtime.

So I would like to know how I can verify the SelfSSL installed correctly and
works, or if there is another method I should be using for this migration.

Jody
4/19/2005 6:27:02 PM
Sorry! Fluent in typo ;-o. I used your syntax.

Jason Brown [MSFT]
4/20/2005 12:00:00 AM
Is that the EXACT command line you used? Because there's an error or two.

yours:
selfssl.exe /NCN=MySSL /K:1024 /Vv:7 /S:1 /P:443
mine:
selfssl.exe /N:CN=MySSL /K:1024 /V:7 /S:1 /P:443



--
Jason Brown
Microsoft GTSC, IIS

This posting is provided "AS IS" with no warranties, and confers no rights.



Jason Brown [MSFT]
4/20/2005 12:00:00 AM
OK, so you did enter a correct command, fair enough. What about if you run
it in default state?

Just

selfssl.exe

?

It should use the NetBIOS name of the machine as the CN, as well as 1024
length, site 1, port 443.

--
Jason Brown
Microsoft GTSC, IIS

This posting is provided "AS IS" with no warranties, and confers no rights.



David Wang [Msft]
4/20/2005 11:20:53 PM
SelfSSL is not going to work for your particular scenario.

It is going to generate a self-signed certificate that is not trusted by any
client, meaning that your users will see warning dialogs pop up. This is
by-design of how SSL works -- no way around it. SelfSSL is best used for
testing purposes as well as when you control both client and server to get
free SSL. It is not suitable for any other sort of usage because browsers
will all pop up a warning dialog.

I suggest you use the same SSL certificate on both servers simultaneously
during the DNS migration. Your old and new servers both have the same name
and everything (so that they can continue to use the same SSL certificate --
else browsers will pop up warning dialogs), so it is purely a matter of DNS
that determines which one responds.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

Jason Brown [MSFT]
4/21/2005 12:00:00 AM
Just to wade in with an opinion - it won't work for the purposes of
verifying the website is owned by blahblahblah.com, however if your intention
is just to encrypt the traffic over the wire, it'll still work. The OP
mentioned it's just for a transitional period. Sure, the dialog will show
up, but this isn't a big deal in testing/interim/controllable environments.

This doesn't equate to "not going to work". Semantics, perhaps, but there
you go.






Jody
4/21/2005 9:44:37 AM
David - This is what we ended up doing and it worked fine. Thanks everyone
for your input. I learned a lot. - Jody
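
Added example, not posted by anyone in this thread: a PowerShell check that connects to each server by IP address on port 443, reports the certificate it actually serves (subject, issuer, whether it is self-signed, whether the chain is trusted) and confirms that the old and new servers present the same certificate during the DNS changeover. The host name and both IP addresses are placeholders, and Get-ServerCertificate is a helper name made up for this example.

```powershell
# Constructed placeholders: replace with the real site name and server addresses.
$HostName = 'www.example.com'
$Servers  = [ordered]@{ Old = '192.0.2.10'; New = '192.0.2.20' }

function Get-ServerCertificate {
    param([string]$Label, [string]$Address, [string]$Name, [int]$Port = 443)

    # Accept whatever the server presents so that a self-signed certificate can
    # still be inspected; trust is evaluated separately with X509Chain below.
    $acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Address, $Port)      # connect by IP, so DNS is not involved
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($Name)   # handshake using the site's host name
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # test chain trust only

        [pscustomobject]@{
            Server       = "$Label ($Address)"
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            # Subject equal to issuer is what a SelfSSL-style certificate looks like.
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            # False here is what produces the browser warning dialog.
            ChainTrusted = $chain.Build($cert)
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
        }
    }
    finally { $tcp.Close() }
}

$results = foreach ($label in $Servers.Keys) {
    Get-ServerCertificate -Label $label -Address $Servers[$label] -Name $HostName
}
$results | Format-List

# Identical thumbprints mean both servers serve the same certificate.
if (@($results.Thumbprint | Sort-Object -Unique).Count -eq 1) {
    'Both servers present the same certificate.'
} else {
    'The servers present different certificates.'
}
```

A connection error from one address means nothing is answering TLS on port 443 there, which is the first thing to rule out when the certificate appears not to be installed.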
