BUG: SelfSSL allows only one website to have SSL at a time


About a month ago, I got the following question about SelfSSL ( http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en ).


Question:


I read a posting of yours that mentions that the bug in SelfSSL, where only the most recent site functions, has been corrected. Is there an unofficial / support release available for this? If so, who should I contact / how should I proceed?

Thanks!


Answer:


Yes, the issue has been fixed in SelfSSL. Without going into too much detail, let me just say that it was a lot easier to release a toolkit like IIS Resource Toolkit two years ago than it is to meet the current set of requirements for placing something on the Microsoft Download Center. Combined with the IIS team’s focus on the next release of IIS, this means it will be a slow effort to maintain and refresh the right set of tools on a reasonable schedule.


For example:



  1. IIS Diagnostics Toolkit, which includes Auth Diagnostics, SSL Diagnostics, SMTP Diagnostics, and Log Parser, will be refreshed on a quarterly schedule ( http://www.microsoft.com/downloads/details.aspx?familyid=9bfa49bc-376b-4a54-95aa-73c9156706e7&displaylang=en ).
  2. Log Parser, included in the resource kit, has undergone steady improvements and is refreshed separately ( http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en ).

I will certainly post a follow-up when we have SelfSSL and other popular IIS resource kit tools updated in the same way as Log Parser and IIS Diagnostics Toolkit.


//David

Comments (25)

  1. Paul Carrig says:

    I read a post stating there was no workaround for the SelfSSL certificates only working for the last generated certificate (http://groups-beta.google.com/group/microsoft.public.inetserver.iis.security/browse_frm/thread/476598ea35f6f09a/5fc0a957c1c0f655?q=selfssl+multiple+known+issue&rnum=1&hl=en#5fc0a957c1c0f655).

    I recently encountered the issue and successfully implemented a workaround. Please let me know if I’ve missed something obvious here….

    1 – create certificate for site 1

    2 – export the certificate to a pfx file (IIS->directory security->server certificate wizard)

    3 – create certificate for site 2. First site’s certificate should no longer work

    4 – remove certificate from site 1

    5 – import pfx from step 2 using same wizard

    SSL on both sites should now work!

    As I’ve not seen the workaround posted elsewhere, I’m sharing it the hope of it making it easier for others encountering the same issue….
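A check for the state Paul's workaround repairs, added here as an example (it is not code from the post, from Paul, or from the SelfSSL tool): it assumes an IIS 6 server and an administrator session, reads each website's bound SSLCertHash from the metabase via ADSI, and confirms that a certificate with that hash is still present in the Local Computer Personal store. The assumption behind the check is that the "first site's certificate should no longer work" symptom shows up as a bound hash that no longer matches any certificate in the store.

```powershell
# Added example, not part of the original post or the SelfSSL tool.
# Assumes: IIS 6 metabase (ADSI IIS:// provider) and an elevated session on the server.
# For every website with a bound SSL certificate, report whether the bound hash is still
# present in LocalMachine\My; a missing one is a site whose HTTPS binding is broken.

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$present = @{}
foreach ($c in $store.Certificates) { $present[$c.Thumbprint] = $c }
$store.Close()

$w3svc = [ADSI]'IIS://localhost/W3SVC'
foreach ($site in $w3svc.Children) {
    if ($site.SchemaClassName -ne 'IIsWebServer') { continue }

    # SSLCertHash is a binary metabase property; $null when the site has no certificate bound
    $hash = [byte[]]$site.Properties['SSLCertHash'].Value
    if (-not $hash) { continue }

    $thumb = ($hash | ForEach-Object { $_.ToString('X2') }) -join ''
    $name  = $site.Properties['ServerComment'].Value

    if ($present.ContainsKey($thumb)) {
        $cert = $present[$thumb]
        '{0} (site {1}): OK  {2}  expires {3}' -f $name, $site.Name, $cert.Subject, $cert.NotAfter
    } else {
        '{0} (site {1}): bound certificate {2} is NOT in LocalMachine\My - re-import it from the PFX exported in step 2' -f $name, $site.Name, $thumb
    }
}
```

Run it once after each SelfSSL or SSLDiag invocation; the expiry column also makes the two-week validity discussed further down the thread visible at a glance.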

  3. Arjan says:

    David,

    I just downloaded and installed the latest IIS Resource Toolkit with a modify date of 20 January 2006. But the bug in SelfSSL is still there. Can you tell me where I can find the right version of SelfSSL without the BUG?

    Kind Regards,

    Arjan.

  4. David Wang says:

    Arjan – IIS Resource Toolkit cannot be updated, so this bug in SelfSSL will be there forever.

    I suggest downloading the IIS Diagnostics Toolkit, which has SelfSSL with updates integrated into the SSL Diagnostics commandline.

    http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx

    //David

  5. Mark Minasi says:

    Hey David —

    I’ve found SelfSSL helpful and tell many people about it.  I didn’t know about the bug or the fix, so here’s just a note to say thanks!

    Mark Minasi

  6. David.Wang says:

    Mark – you’re welcome!

    You won’t hit the bug until you try to enable SSL on >1 websites on the IIS server… but that has been fixed and incorporated into SSLDiag 1.1, a part of IIS Diagnostics Toolkit

    http://www.microsoft.com/windowsserver2003/iis/diagnostictools/default.mspx

    //David

  7. Stuart says:

    David,

    We are trying to get a Palm Treo 700W to go on our exchange server, and I need to export the public certificate AND the publisher’s certificate to the Palm to get this to work. I can easily get the public and private cert, but would you know how I could get the publisher’s cert from a previous SelfSSL run?

    Perhaps this post that I found will explain what I need more clearly:

    ————————————————————-

    So, there has been a decent amount of rumblings about the new Palm Treo 700w from Verizon Wireless (running Windows Mobile 5.0) – and its apparent inability to sync with SBS.

    Sean has a good post outlining how Windows Mobile 5.0 has changed how it handles certificates.  The good news is that if you’re using self-signed certificates with your SBS, you can get your Treo 700w to sync wirelessly with your Exchange server.  As proof, I just did this myself – configured a new 700w for one of our internal users to sync with our SBS, and we’re using a self-signed certificate.

    The trick is to install both your self-signed certificate ( \\<your_sbs>\ClientApps\SBSCert ) AND your CA certificate (publishing.company.local – check out \\<your_sbs>\CertEnroll ).  Copy these two .cer files to your device using ActiveSync.  Then on your device, use FileExplorer to browse to the folder where you copied the certs, and double-click to install each.  Voila!  You’re good to go . . .

    Now, there has been some talk that WM5 doesn’t trust as many Certification Authorities (CAs) as regular ol’ Windows.  As a result, if you have purchased an SSL cert from a CA, there is a chance that CA may not be trusted by WM5.  In that case, you’re not going to be able to sync with your Exchange, since you won’t have access to the CA cert to manually install it on your WM5 device.  However, you could always convert to a self-signed cert and get it to work that way.

    From:

    http://msmvps.com/blogs/cgross/archive/2006/01/19/81475.aspx

    Thanks,

    Stu

  8. David.Wang says:

    Stuart – On the server that ran selfssl, you should find the self-signed certificate used by the server for SSL under "Personal Certificates" for "Local Computer" and the CA cert which signed the self-signed certificate under "Trusted Root" for "Local Computer".

    I do not see why one needs to install the self-signed certificate (this belongs to the server and is sent to the client during SSL handshake) onto the mobile device. You only need to install the self-signed certificate into the Trusted Root on the mobile device to allow it to trust the self-signed certificate when it communicates with the server over SSL.

    //David

  10. Ilia Broudno says:

    I was wondering if you could provide some insight into the nature of that bug.

    We have a very similar sounding problem on production with real certs from trusted providers.

    A second question: I tried using the SSLDiag and it worked – the bug in question did not come up.

    But the certs it creates are only valid for 2 weeks and have the same CN.

    What I was hoping to get are 2 certs with different names valid for a couple of years.

    Is there anything I can do to tweak either what selfSSL or SSLDiag does to get what I want?

  11. Tray_Harrison says:

    I have the same question as Ilia.  SSL Diag did fix the issues I was having with trying to run two SelfSSL certs on the same server.  The problem is I can’t find a way to configure the certificate validity length with SSL Diag.  I really don’t want to have to go in and renew the certs on our test sites every 2 weeks.  Is there a way to configure this?

  12. Snorre Garmann says:

    You can run ssldiag from commandline the same way as selfssl:

    ssldiag /selfssl /V:365 /N:CN=myserverdnsrecord /S:123455646

    The only feature I cannot figure out how to fix is the /T:

  13. Matthew Bauer says:

    Paul – thanks for the fix – it works for me.

  14. Eila says:

    How can I retrieve the self-signed certificate hash using C/C++?

    thanks,

    Eila

  15. Javier says:

    Thank you!!!

    Three years later and still helpful.

  16. David Liu says:

    Thanks. This blog helped to resolve my issue with selfSSL.

  17. Ramesh says:

    I had error "The issuer of the token is not a trusted issuer" selfssl to sharepoint 2010

  18. Manash Das says:

    I followed: "I recently encountered the issue and successfully implemented a workaround. Please let me know if I've missed something obvious here…."

    1 – create certificate for site 1

    2 – export the certificate to a pfx file (IIS->directory security->server certificate wizard)

    3 – create certificate for site 2. First site's certificate should no longer work

    4 – remove certificate from site 1

    5 – import pfx from step 2 using same wizard

    but it did not work for me with the same IP, same port & a different domain rule. Please help.
