iis security: For testing purposes I need to install a certificate on a development box. I
generated a certificate using instructions found at this site:
http://www.aspnetpro.com/newsletterarticle/2006/10/asp200610mb_l/asp200610mb_l.asp

but I changed the command line slightly because I'm not using localhost nor
am I using the machine name, rather I want to use the full, internal domain
name:

makecert -r -pe -n "CN=mysite.dev.mydomain.com" -ss my -sr currentuser -sky
exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12
C:\Temp\mycert.cer

I then followed the instructions of logging on to the dev box, importing the
certificate into both the Personal store and the Trusted Root Certification
Authorities store, and then going into IIS to assign the certificate to my
site. Here's where I have the problem. When I go into the IIS Certificate
Wizard and choose the "Assign an existing certificate" button, on the next
page (Available Certificates) I am presented with an empty list. Everything
I have read about this process always seems to assume that there will be
SOMETHING in the list and never discusses what might cause the list to be
empty. I found a total of ONE post from someone who had a similar problem 5
years ago but there was no resolution.

Any ideas? I thought maybe a dotted name was not allowed under CN (because I
know NOTHING about this), but I made a new cert with just the machine name,
installed it, and I still have an empty list of available certificates.

[quoted text, click to view]

I skipped over one line of the instructions that had me add the certificate
snap-in a second time for the computer account. Importing the certificate
under this account solved the problem.

Yes, you have to remember that the service runs as the "computer" and
not as "you", thus you need to import the certificates into the
"computer's" store and not "your" store. After all, why should one user
be able to access another user's private certificate store? That would
destroy the entire security model of certificates - that the private
keys are private.

You can also use a tool like SelfSSL from the "IIS Resource Kit Tools"
or "IIS Diagnostics Toolkit" (both freely available for download from
microsoft.com) to do this task with minimal hassle. You just need to
run that one command and voila, you have an SSL-enabled website.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//



[quoted text, click to view]