IIS 5.1 SSL Certificate Missing

IIS 5.1 SSL Certificate Missing Ming Dragon
1/29/2008 12:08:00 PM
iis security:
I recently did a system restore to recover from a driver installation
catastrophic failure for my ATi video. (System Restore is a real MONSTER in a
closet) In this process I ended up without an SSL Server Certificate for IIS
5.1. It installed fine when I built the machine and served its purpose for
quite some time. What's so peculiar is that I can't find it in the stores or
anything. My personal encrypting file cert is there and that's it. I don't
want to join a domain to get a cert. I failed to generate a new cert using
every scheme I can come up with.
How do I generate a cert for my server, please. (Don't let it be the
dreaded uninstall and reinstall dance please, please, please...) I have a
Root Cert Auth in the closet and the Subordinate Cert right next to this
machine, and I know how easy it would be to just join and autoenroll, but I
should be able to generate a cert somehow on XP Pro, shouldn't I? Can't it
do even that piddly little thing? I would think that to be shameful that XP
Pro can't generate a valid self cert somehow. I don't really have any
experience with this stuff. But, all the buttons are greyed out in the
security tab for the website except the one that generates a text file or
Re: IIS 5.1 SSL Certificate Missing Ken Schaefer
2/4/2008 11:38:15 AM
a) To view certs that IIS can use you need to manually run MMC, add the
Certificates snapin, point it to the Machine account, and then look in the
Personal Certificate Store. By default, if you use the Certificates MMC
Admin tool that is in the Administrative Tools folder, it looks in your
*personal* store (i.e. for your user account) not for the machine account.

b) XP can generate certs itself. Just use a tool that creates self-signed
certificates (SelfSSL, OpenSSL etc). But I don't think this is what you want
to do.

c) You say you have a CA handy already. If you want a certificate from that
CA, then there's no need to join a domain and auto-enroll. Run through the
wizard in IIS to create a certificate request (CSR) file, or generate your
own using certreq.exe. Then, submit that CSR to your CA
(http://servername/certsrv if you have the Certificate Services website
installed on the CA, or use the Certification Authority MMC Snapin). After
issuing your cert, install it onto the IIS website on your XP box.

None of this really has anything to do with IIS per se. It's all provided by
the underlying certificate management infrastructure in the OS. You just
need to know a little how PKI and the certificate stuff works, and then it
all becomes much easier to make this all work.

Cheers
Ken
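
The certreq.exe request flow from point (c), followed by the machine-store check from point (a), as an added example that is not part of the original post. The subject name and file names are placeholders, and it assumes PowerShell and certreq.exe are available and the script is run as an administrator:

```powershell
# Added example. Subject and file names are placeholders (assumptions).
$subject = 'CN=www.example.test'            # must match the host name clients use
$inf     = Join-Path $PWD 'iis-request.inf' # certreq policy file written below
$csr     = Join-Path $PWD 'iis-request.req' # PKCS#10 request to hand to the CA
$issued  = Join-Path $PWD 'iis-issued.cer'  # certificate saved from the CA

# MachineKeySet = TRUE creates the private key in the machine key store, so the
# issued certificate lands in Local Computer\Personal (where IIS looks) and not
# in the per-user store that the default Certificates tool shows.
$policy = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "{0}"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@ -f $subject
Set-Content -Path $inf -Value $policy -Encoding ASCII

if (-not (Test-Path $issued)) {
    # First run: generate the key pair and the CSR, then stop.
    certreq.exe -new $inf $csr
    Write-Host "Submit $csr to the CA, save the issued cert as $issued, then rerun."
    return
}

# Second run: bind the issued certificate to the pending request's private key.
certreq.exe -accept $issued

# Confirm the certificate is in the machine store with its private key attached.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "$subject*" } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
```

If `HasPrivateKey` shows `False`, the certificate was accepted on a different machine or account than the one that generated the request, and IIS will not be able to use it.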


Re: IIS 5.1 SSL Certificate Missing Ken Schaefer
2/4/2008 11:42:25 AM
PS

If you want to see what, if any, cert, IIS is currently configured to use,
then follow the steps here:
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/05/12/5050.aspx

Cheers
Ken
