Recently I noticed a similar problem: I couldn't import a certificate into Key Manager 
(but the request was generated in Key Manager, not with OpenSSL). The symptom 
was an incorrect password too.

The solution was to open the certificate in Notepad (or another ASCII application) and 
delete all the "human readable" lines before "--- BEGIN CERTIFICATE ---". Everything 
went smoothly then.

I hope it helps.

Ivan

---
Get my Certificate Authority's certificate at http://www.vsb.cz/CA/



----- Original Message ----- 
From: "Dearnaley (EXT), Roger" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, September 09, 2000 11:35 PM
Subject: Using openssl to generate keys for IIS


> I would like to use openssl to generate keys and certificates for import
> into Microsoft IIS 4.0 (since IIS only produces keys with up to 1024-bit RSA
> moduli).
> 
> I seem to have all the key generation and signing stuff working, the problem
> is when I go to import the key and certificate into IIS. The IIS 4.0 Key
> Manager has an option Key/Import Key.../KeySet Files which it claims will
> "Import Key Pairs generated with tools other than Key Manger" (yes, with
> typo). I assume that it takes PEM files, since IIS 4.0 generates PEM
> certificate requests and will import PEM certificates. When I go to tell it
> to import the PEM key and certificate files I generated with openssl, it
> asks me for a password. The request I generated the certificate from didn't
> include a 'challenge password' (from taking a look at one using openssl req,
> it appears that IIS-generated certificate requests don't, so I turned it off
> in the req config settings), so presumably they are asking for the password
> the key file is encrypted with. But when I give it that, it then says
> "Unable to install the certificate because you did not enter the correct
> password. SChannel error = 80090304". I have tried this with the key
> encrypted in DES, DES3, IDEA, and unencrypted (the Key Manager still asked
> for a password when the key was unencrypted), and so far nothing has worked.
> I'm rapidly running out of ideas for what to try next. From looking at them
> with openssl, the only differences between the request and certificate I
> generated and those that IIS and Verisign generated and that I installed
> successfully are that I'm using a larger RSA modulus length than the 1024
> limit IIS will produce, and that I'm using SHA1 signing not the MD5 that IIS
> uses.
> 
> Does anyone here know anything about the IIS Import KeySet file facility? Do
> you have any idea what I might need to do to make it work? The Microsoft
> Help documentation on this feature is non-existent.
> 
> --Roger Dearnaley <[EMAIL PROTECTED]>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
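
The clean-up described in the reply above, done programmatically instead of in a text editor. This is an added example, not part of the original messages. The function names `strip_to_pem` and `make_sample` are hypothetical, and the sample input is constructed (placeholder bytes, not a real certificate). It assumes the standard PEM delimiters `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.

```python
import base64
import re

# Matches one PEM certificate block; tolerates CRLF line endings.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)

def strip_to_pem(text):
    """Return only the PEM certificate blocks, dropping any text around them.

    Raises ValueError if no block is found or a body is not valid base64
    wrapping a DER SEQUENCE (every X.509 certificate starts with tag 0x30).
    """
    blocks = []
    for match in PEM_CERT.finditer(text):
        body = "".join(match.group(1).split())      # drop CR/LF and spaces
        der = base64.b64decode(body, validate=True)  # rejects stray characters
        if not der.startswith(b"\x30"):
            raise ValueError("PEM body is not a DER SEQUENCE")
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        blocks.append(
            "-----BEGIN CERTIFICATE-----\n" + wrapped + "\n-----END CERTIFICATE-----\n"
        )
    if not blocks:
        raise ValueError("no PEM certificate block found")
    return "".join(blocks)

def make_sample():
    """Constructed input: a human-readable dump followed by a PEM block.

    The body is placeholder bytes with a DER SEQUENCE header, not a real
    certificate; it only exercises the stripping logic.
    """
    fake_der = b"\x30\x82\x01\x00" + bytes(range(256))
    body = base64.encodebytes(fake_der).decode("ascii").strip()
    preamble = (
        "Certificate:\r\n"
        "    Data:\r\n"
        "        Version: 3 (0x2)\r\n"
        "        Subject: CN=www.example.test\r\n"
    )
    pem = "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"
    return preamble + pem.replace("\n", "\r\n")

if __name__ == "__main__":
    print(strip_to_pem(make_sample()), end="")
```
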
