question

MattGates-7914 asked VahidHasani-7230 edited

SSL certificate import issue within IIS on Windows 2016 server

Hi, all. Hopefully I'm posting this to the right group.

As of the 19th April we are experiencing problems importing SSL certificates into IIS. We have three 2016 Windows servers and this issue is happening on all three. 

We get the error below when importing after adding the password.

194759-iss-ssl.jpg

Done all the obvious stuff re checking passwords etc.

This has happened now on three separate domain SSL's.

We are using GEO Trust Quick SSL Premium SSL's. 

Our hosting company had the same problem when they tried; they don't have a solution either.

We are assuming this might have been caused by a recent Windows update?

Anyone have any ideas or experienced this?



Hi @MattGates-7914 ,

The image you show cannot provide a detailed error message. It just shows that an error occurred but doesn't explain what error it is.

First make sure that the certificate you import is a .pfx file, not another type. Then try to import it through MMC, not IIS, because a third-party registry subkey exists that prevents IIS from accessing the cryptographic service provider. Please import the certificate to Local Computer and Personal, not only Personal.
194787-1.png


0 Votes 0 ·
MattGates-7914 answered BruceZhang-MSFT commented

Hi,

Thanks for coming back to me, I appreciate your help.

I have tried importing the .pfx certificate into MMC directly, it won't accept the password. The password is definitely correct, I have done this many times.

Please see the screenshot below.

195132-mmc-ssl.jpg




Hi @MattGates-7914 ,

How did you get the certificate? What I mean is, is it a self-signed certificate, or did you get it from a CA provider?

Some certificates have private keys encrypted by AES256, but older versions of Windows do not support it. So please check how you encrypt the password or confirm it with the CA provider.

0 Votes 0 ·
LimitlessTechnology-2700 answered

Hello MattGates,

This may be related to a change in permissions at the NTFS level on the storage where IIS is installed.

I recommend that you follow the steps in this troubleshooting guide:

https://docs.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/cannot-import-ssl-pfx-local-certificate


Hope this helps with your query,


MattGates-7914 answered VahidHasani-7230 edited

Hi,

Thanks for your answer. This didn't help unfortunately.

We have three 2016 servers, and all have the same problem trying to import GEO Trust certificates created via our IONOS admin. They import older valid certificates created last month, just not new ones created this week.

The new certificates work on our other 2018 Windows server. So this seems to be a problem with 2016 Windows servers and certificates created this week.


Hi MattGates,

Have you found a fix for the problem you described? We have had the exact same issue for the last week or so.
Like you, IONOS is our server host.

Older, previously generated pfx files work fine; it is only the new files that are the problem.

In the meantime we have a workaround. The pfx files can be imported to a local Windows 10 IIS environment, marking them as exportable. You then export a new pfx from the Windows 10 system. The new pfx will then import on the Windows 2016 server perfectly.

0 Votes 0 ·

This problem is due to the type of encryption.
If you set the type of encryption to AES256-SHA256 when creating the file, you will encounter the wrong password problem on versions of Windows Server before 2019.

216348-screenshot-2022-06-30-102043.jpg




0 Votes 0 ·
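
The replies above attribute the "wrong password" failure to PFX files encrypted with AES256-SHA256. As an added example (not code from any poster in this thread), the following Python sketch reads the algorithm identifiers out of a PFX without needing its password, so a file can be checked before it is copied to a 2016 server. Assumptions: the function names are mine, the AES256-SHA256 option is identified by the PKCS#12 OIDs for PBES2 and AES-256-CBC and the older option by PBE-SHA1-3DES, only definite-length DER is handled, and the sample input is constructed rather than a real certificate.

```python
# Algorithm name -> DER-encoded OID body (hex). Mapping is an assumption of this example.
OIDS = {
    "PBES2": "2a864886f70d01050d",             # 1.2.840.113549.1.5.13
    "AES-256-CBC": "60864801650304012a",       # 2.16.840.1.101.3.4.1.42
    "PBE-SHA1-3DES": "2a864886f70d010c0103",   # 1.2.840.113549.1.12.1.3
}
KNOWN = {bytes.fromhex(h): name for name, h in OIDS.items()}

def walk(buf, found):
    """Collect OID bodies from definite-length DER, descending into OCTET STRINGs."""
    i = 0
    while i < len(buf):
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            if n == 0:
                raise ValueError("indefinite-length BER is not handled")
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        body, i = buf[i:i + length], i + length
        if len(body) != length:
            raise ValueError("truncated element")
        if tag == 0x06:                         # OBJECT IDENTIFIER
            found.add(bytes(body))
        elif tag & 0x20:                        # constructed: SEQUENCE, SET, [n]
            walk(body, found)
        elif tag == 0x04:                       # OCTET STRING may wrap nested DER
            inner = set()
            try:
                walk(body, inner)
                found |= inner
            except (ValueError, IndexError):
                pass                            # opaque bytes: salt, IV, ciphertext

def pfx_algorithms(data):
    found = set()
    walk(data, found)
    return sorted(KNOWN[o] for o in found if o in KNOWN)

def needs_reexport(data):
    # True when the file uses the newer scheme the thread ties to the failure.
    return bool({"PBES2", "AES-256-CBC"} & set(pfx_algorithms(data)))

def sample(*names):
    """Constructed stand-in for a PFX: algorithm ids nested in [0] -> OCTET STRING."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body   # short lengths only
    salt = tlv(0x04, bytes.fromhex("1122334455667788"))
    algs = b"".join(tlv(0x30, tlv(0x06, bytes.fromhex(OIDS[n])) + salt) for n in names)
    return tlv(0x30, tlv(0xA0, tlv(0x04, tlv(0x30, algs))))

if __name__ == "__main__":
    print(pfx_algorithms(sample("PBES2", "AES-256-CBC")))
```

On a real file, call `pfx_algorithms(open(path, "rb").read())`; a result containing PBES2 or AES-256-CBC is the case the last replies describe, and re-exporting the certificate with the older encryption option (as in the Windows 10 workaround above) changes the result to PBE-SHA1-3DES.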