
RE: How to create a client side certificate on a Windows 2000 Serv

Author
19 Mar 2005 6:55 PM
Abel Chan
Hi WenJun,

Yes, I did select the 'Computer account' store.
I took your suggestion and also installed the certificate into BizTalk
Personal and Trusted store.  But I still get the same error.

When I double-click the installed certificate in Personal store, I don't see
a 'You have a private key...' message.

Should I call MS and open a support instance?

Abel Chan



"WenJun Zhang[msft]" wrote:

> Hi Abel,
>
> 7) Launch mmc and add Certificate snap-in.
> 8) Go to console Root | Certificates | Personal | Certificates | All
> Tasks | Import the saved certificate file.
> 9) Go to console Root | Certificates | Trusted Root Certification |
> Certificates | All Tasks | Import the saved certificate file.
>
> Regarding the above steps, I need to correct 1 point: when you
> attach the Certificates snap-in, please ensure you open the computer
> account's store to install the 2 certs first. Then please open
> Certificate snap-in again and select Service account->BizTalk,
> install the 2 certs into the BizTalk service account's Personal and
> Trusted stores.
>
> I found the error "[0x80090304] The Local Security Authority cannot
> be contacted" also can be caused by a corrupt private key on the
> certificate. When you double-click the installed certificate in
> Personal store, will you see a 'You have a private key...' message?
>
> Thanks.
>
> Best regards,
>
> WenJun Zhang
> Microsoft Online Partner Support
>
> When responding to posts, please "Reply to Group" via your newsreader
> so that others may learn and benefit from your issue.
>
> =====================================================
>
> Business-Critical Phone Support (BCPS) provides you with technical
> phone support at no charge during critical LAN outages or "business
> down" situations. This benefit is available 24 hours a day, 7 days a
> week to all Microsoft technology partners in the United States and
> Canada.
>
> This and other support options are available here:
>
> BCPS:
> https://partner.microsoft.com/US/technicalsupport/supportoverview/40010469
> Others:
> https://partner.microsoft.com/US/technicalsupport/supportoverview/
>
> If you are outside the United States, please visit our International
> Support page: http://support.microsoft.com/common/international.aspx
>
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>

Author
21 Mar 2005 7:40 AM
WenJun Zhang[msft]
Hi Abel,

If the certificate you requested in step 2 does contain a 'You have a
private key that corresponds to this certificate.' message, then it's
not valid.

1) Install CA on a 2003 box and provide a CN.
2) On the 2003 box, go to http://localhost/certsrv/default.asp and
request a Certificate.
3) On the BTS box, go to
http://[2003boxservername]/certsrv/default.asp
4) There are four links under "Select a task:".  I click on the link
"Download a CA certificate, certificate chain, or CRL"
...

Since the certificate should be used by the BizTalk box, step 2)
should be like:

2) On the BTS box, go to
http://[2003boxservername]/certsrv/default.asp and request a
Certificate.

You can choose to request a common 'Web Browser Certificate' since
the cert is used to identify the client (your BizTalk box) when
communicating with the remote web server. Or choose 'submit an advanced
certificate request'; the Type of Certificate should be 'Client
Authentication Certificate'. In Key Options, select 'Create new key
set'. Then submit this request and, on the 2003 box, open the Certificate
Authority snap-in to issue this cert.

After you finish these steps in 2) and get the certificate on your
Biztalk box, double-click the certificate and you should see the 'You
have a private key that corresponds to this certificate.' message.
Now it can be installed into Computer account's and Biztalk service
account's Personal store.

Please check the above points. If you still have difficulty getting it
to work, I think requesting a support incident is a good idea. Anyway,
always let me know if you need any help. Thanks.

Best regards,

WenJun Zhang
Microsoft Online Partner Support

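
The private-key check discussed in this thread can also be scripted instead of double-clicking each certificate. The following is an added example, not part of the original posts: it assumes Windows PowerShell 3.0 or later (which postdates the systems in the thread), the function name `Test-ClientCertificate` is hypothetical, and it inspects only the computer account's Personal store, not the BizTalk service account's store.

```powershell
# Added example: list certificates in the computer account's Personal store
# and flag the ones that cannot serve as a client authentication certificate.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-ClientCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # The EKU extension is optional; a certificate without it is not
    # restricted to specific purposes.
    $ekuExt = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasClientAuth = (-not $ekuExt) -or
        ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })

    # HasPrivateKey corresponds to the "You have a private key that
    # corresponds to this certificate" line in the certificate dialog.
    $usable = $Certificate.HasPrivateKey -and [bool]$hasClientAuth -and
        ($Certificate.NotAfter -gt (Get-Date))

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        HasPrivateKey = $Certificate.HasPrivateKey
        ClientAuthEku = [bool]$hasClientAuth
        NotAfter      = $Certificate.NotAfter
        Usable        = $usable
    }
}

# 'My' is the Personal store; 'LocalMachine' is the computer account.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
try {
    $store.Certificates |
        ForEach-Object { Test-ClientCertificate -Certificate $_ } |
        Format-Table -AutoSize
}
finally {
    $store.Close()
}
```

A certificate that was imported from a downloaded `.cer` file shows `HasPrivateKey` as `False`, because the key pair was generated on the machine that submitted the request.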