I would like to use openssl to generate keys and certificates for import
into Microsoft IIS 4.0 (since IIS only produces keys with up to 1024-bit RSA
moduli).

I seem to have all the key generation and signing stuff working; the problem
is when I go to import the key and certificate into IIS. The IIS 4.0 Key
Manager has an option Key/Import Key.../KeySet Files which it claims will
"Import Key Pairs generated with tools other than Key Manger" (yes, with
typo). I assume that it takes PEM files, since IIS 4.0 generates PEM
certificate requests and will import PEM certificates. When I go to tell it
to import the PEM key and certificate files I generated with openssl, it
asks me for a password. The request I generated the certificate from didn't
include a 'challenge password' (from taking a look at one using openssl req,
it appears that IIS-generated certificate requests don't, so I turned it off
in the req config settings), so presumably they are asking for the password
the key file is encrypted with. But when I give it that, it then says
"Unable to install the certificate because you did not enter the correct
password. SChannel error = 80090304". I have tried this with the key
encrypted in DES, DES3, IDEA, and unencrypted (the Key Manager still asked
for a password when the key was unencrypted), and so far nothing has worked.
I'm rapidly running out of ideas for what to try next. From looking at them
with openssl, the only differences between the request and certificate I
generated and those that IIS and Verisign generated and that I installed
successfully are that I'm using a larger RSA modulus length than the 1024
limit IIS will produce, and that I'm using SHA1 signing, not the MD5 that IIS
uses.

Does anyone here know anything about the IIS Import KeySet file facility? Do
you have any idea what I might need to do to make it work? The Microsoft
Help documentation on this feature is non-existent.

--Roger Dearnaley <[EMAIL PROTECTED]>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
