Friday, January 11, 2008

SSL cannot find private key

ISSUE
Last week I generated a certificate request in IIS and requested an SSL certificate. Today I tried to install the received certificate, but after "Processing the request" the certificate was damaged. I was able to locate it in the Certificates MMC, but when I tried to export the certificate, the wizard showed the message "A private key cannot be found".
When I tried to apply the certificate to an IIS web site, the web site couldn't be reached using https. No error messages were reported.

TROUBLESHOOTING STEPS
I found the Microsoft SSL Diag tool on the Microsoft site and used this tool to troubleshoot. It came back with the error "You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed".

CAUSE
The above issue was caused by incorrect permissions on the files in the following directory:
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
This directory contains the files that hold the server's private keys. Because of the incorrect permissions, the server was unable to read the certificate private keys.

RESOLUTION
I reapplied the security settings of the directory to all files by opening the properties of the directory, selecting the Security tab, clicking the Advanced button, selecting "Replace permission entries on all child objects with entries shown here that apply to child objects" and clicking OK.
The server was now able to read the private key files and therefore able to use the certificate.
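
To see which key files have the permission problem described under CAUSE before changing anything, the following read-only audit lists the files in MachineKeys whose ACL would stop the server reading them. It is an added example, not part of the original post; it assumes PowerShell 3.0 or later, and the rule it applies (SYSTEM and Administrators should each hold an Allow entry granting Read) and the function name Get-KeyFileAclFinding are this example's own.

```powershell
# Added example: read-only audit of machine key file ACLs. Requires PowerShell 3.0+.
param(
    # Directory named in this post; the location differs on later Windows versions.
    [string]$KeyDir = 'C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys'
)

# Well-known SIDs rather than account names, so the check works on localized systems.
# Assumption of this example: both principals should hold an Allow entry with Read.
$required  = [ordered]@{ 'S-1-5-18' = 'SYSTEM'; 'S-1-5-32-544' = 'Administrators' }
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$sidType   = [System.Security.Principal.SecurityIdentifier]

function Get-KeyFileAclFinding {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    try {
        $acl = Get-Acl -LiteralPath $File.FullName -ErrorAction Stop
    } catch {
        # An unreadable ACL is itself a finding: report it instead of stopping.
        return [pscustomobject]@{ File = $File.Name; Finding = "ACL unreadable: $($_.Exception.Message)" }
    }

    # Explicit and inherited rules, with identities expressed as SIDs.
    $rules = @($acl.GetAccessRules($true, $true, $sidType))
    foreach ($sid in $required.Keys) {
        $mine  = @($rules | Where-Object { $_.IdentityReference.Value -eq $sid })
        $allow = @($mine | Where-Object {
            $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $readRight) -eq $readRight })
        $deny  = @($mine | Where-Object {
            $_.AccessControlType -eq 'Deny' -and ($_.FileSystemRights -band $readRight) -ne 0 })

        if ($allow.Count -eq 0) {
            [pscustomobject]@{ File = $File.Name; Finding = "$($required[$sid]) has no Allow entry granting Read" }
        }
        if ($deny.Count -gt 0) {
            [pscustomobject]@{ File = $File.Name; Finding = "$($required[$sid]) has a Deny entry covering Read" }
        }
    }
}

# -Force includes hidden and system files; nothing is modified.
$findings = @(Get-ChildItem -LiteralPath $KeyDir -File -Force -ErrorAction Stop |
    ForEach-Object { Get-KeyFileAclFinding -File $_ })

if ($findings.Count -eq 0) { "No ACL findings under $KeyDir" }
else { $findings | Sort-Object File | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt, since a non-administrative account may not be able to read the ACLs at all and every file would then be reported as unreadable.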