堆栈内存溢出
  简体   繁体   English

证书信任列表和IIS7

[英]Certificate Trust Lists and IIS7

 原文  2008-11-28 14:03:18       iis-7/ ssl/ ctl

问题描述

I need to generate a CTL for use with IIS7. 我需要生成一个用于IIS7的CTL。

I generated a CTL file using MakeCTL (on Win2k3 SDK) and put only my own RootCA certificate in the CTL. 我使用MakeCTL(在Win2k3 SDK上)生成了一个CTL文件,并在CTL中只放置了我自己的RootCA证书。

However, when I then use adsutil.vbs to set my website to use this CTL, I get: 但是,当我然后使用adsutil.vbs将我的网站设置为使用此CTL时,我得到:

ErrNumber: -2147023584 (0x80070520) Error Trying To SET the Property: SslCtlIdentifier ErrNumber:-2147023584(0x80070520)尝试设置属性时出错:SslCtlIdentifier

I'm using adsutil.vbs like this: 我正在使用adsutil.vbs这样:

cscript adsutil.vbs set w3svc/2/SslCtlIdentifier where is the friendly name of the CTL cscript adsutil.vbs设置w3svc / 2 / SslCtlIdentifier,其中是CTL的友好名称

The problem is, I am not able to set a friendly name. 问题是,我无法设置友好名称。 At the end of the wizard it says "Friendly Name: ". 在向导结束时,它显示“友好名称:”。

In IIS6 I can create a CTL with a friendly name (showing in Certificates MMC) but if I export it from there, when I import it, it no longer has a friendly name. 在IIS6中,我可以创建一个具有友好名称的CTL(显示在证书MMC中)但是如果我从那里导出它,当我导入它时,它不再具有友好名称。

Can anyone show me how to do it please? 谁能告诉我怎么做呢?

3 个解决方案

解决方案1
 3  2010-02-05 00:34:06

This should work on IIS 7.0 but probably not on IIS 7.5. 这应该适用于IIS 7.0,但可能不适用于IIS 7.5。
Let us know if this page is helpful please - http://www.rethinker.net/Blog/Post/14/How-to-Create-and-Use-a-CTL-for-IIS-7-0 如果此页面有用,请告诉我们 - http://www.rethinker.net/Blog/Post/14/How-to-Create-and-Use-a-CTL-for-IIS-7-0

解决方案2
 2  2008-12-05 16:52:50

I'm experiencing exactly the same problem and am having the same trouble finding an answer. 我遇到了完全相同的问题,并且遇到了同样的问题。

There appears to be no documented way to create a friendly name for Certificate Trust Lists using MakeCTL. 似乎没有记录的方法来使用MakeCTL为证书信任列表创建友好名称。 And the only documented way to add a CTL to IIS7 uses the adsutil script Neil references above, yet it requires a friendly name. 向IIS7添加CTL的唯一记录方法是使用上面的adsutil脚本Neil引用,但它需要一个友好的名称。 I assume we could dig into a programatic way to do this but I'm not looking to get that deep. 我假设我们可以采用一种程序化的方式来做到这一点,但我并不希望能够做到这一点。

The core of this problem is that IIS7 seems to have lost favor for CTL's, else it would have some UI support for them. 这个问题的核心是IIS7似乎已经失去了对CTL的青睐,否则它会为它们提供一些UI支持。 Are people using some alternative to CTL's in combination with Client Side Certificates? 人们是否将CTL的替代品与客户端证书结合使用?

I find it odd this isn't a bigger problem for IIS7. 我觉得奇怪,这对IIS7来说不是一个更大的问题。

Update: I finally came back to this and have figured out the Friendly Name issue. 更新:我终于回到了这一点并找出了友好名称问题。 To get a friendly name assigned you must store the CTL in the Certificate Store rather than to a file (I had always used the file approach previously). 要获得分配的友好名称,您必须将CTL存储在证书存储中而不是存储到文件中(我以前一直使用文件方法)。 So, using MakeCTL in the wizard mode (no arguments) and choosing to 'Certificate Store' on the 'Certificate Trust List Storage' page results in a new page that let's you specify a Friendly Name. 因此,在向导模式下使用MakeCTL(无参数)并在“证书信任列表存储”页面上选择“证书存储”会生成一个新页面,让您指定友好名称。

So I now have a CTL in the 'Intermediate Certification Authorities' certificate store of LocalMachine. 所以我现在在LocalMachine的“中级证书颁发机构”证书商店中有一个CTL。 Now I am trying to use 'netsh http add sslcert' to assign the CTL to my site. 现在我尝试使用'netsh http add sslcert'将CTL分配给我的网站。

Before I could use this command I had to remove the existing SSL cert that was assigned to my site for server authentication. 在我可以使用此命令之前,我必须删除分配给我的站点以进行服务器身份验证的现有SSL证书。 Then in my netsh command I specify the thumbprint of that very same SSL cert I removed, plus a made up appid, plus 'sslctlidentifier=MyCTL sslctlstorename=CA'. 然后在我的netsh命令中,我指定了我删除的相同SSL证书的指纹,以及一个编写的appid,加上'sslctlidentifier = MyCTL sslctlstorename = CA'。 The resulting command is: 结果命令是:

netsh http add sslcert ipport=10.10.10.10:443 certhash=adfdffa988bb50736b8e58a54c1eac26ed005050 appid={ffc3e181-e14b-4a21-b022-59fc669b09ff} sslctlidentifier=MyCTL sslctlstorename=CA netsh http add sslcert ipport = 10.10.10.10:443 certhash = adfdffa988bb50736b8e58a54c1eac26ed005050 appid = {ffc3e181-e14b-4a21-b022-59fc669b09ff} sslctlidentifier = MyCTL sslctlstorename = CA

(the IP addr is munged), but I am getting this error: (IP地址是munged),但我收到此错误:

SSL Certificate add failed, Error: 1312 A specified logon session does not exist. SSL证书添加失败,错误:1312指定的登录会话不存在。 It may already have been terminated. 它可能已经被终止了。

I am sure the error is related to the CTL options because if I remove them it works (though no CTL is assigned of course). 我确定错误与CTL选项有关,因为如果我删除它们就可以了(虽然当然没有分配CTL)。

Can anyone help me take this last step and make this work? 任何人都可以帮助我采取最后一步并使这项工作?

UPDATE 01-07-2010: I never resolved this with IIS 7.0 and have since migrated our app to IIS 7.5 and am giving this another try. 更新01-07-2010:我从来没有用IIS 7.0解决这个问题,并且已经将我们的应用程序迁移到IIS 7.5并且正在进行另一次尝试。 I installed IIS6 Compatibility on my test server and tried the steps documented here using adsutil.vbs. 我在测试服务器上安装了IIS6兼容性,并使用adsutil.vbs尝试了此处记录的步骤。 I immediately ran into this same error that Niel did above: 我立刻遇到了Niel上面做的同样的错误:

ErrNumber: -2147023584 Error trying to SET the Property: SslCtlIdentifier ErrNumber:-2147023584尝试设置属性时出错:SslCtlIdentifier

when running this command: 运行此命令时:

adsutil.vbs set w3svc/1/SslCtlIdentifier MyFriendlyName adsutil.vbs设置w3svc / 1 / SslCtlIdentifier MyFriendlyName

I then went on to try the next adsutil.vbs command documented and it failed with the same error. 然后我继续尝试记录下一个adsutil.vbs命令,它失败并出现同样的错误。

I have verified that the CTL I created has a Friendly Name of MyFriendlyName and that it exists in the 'Intermediate Certification Authorities\\Certificate Trust List' store of LocalComputer. 我已经验证我创建的CTL具有MyFriendlyName的友好名称,并且它存在于LocalComputer的“中间证书颁发机构\\证书信任列表”存储中。

So once again I am at a dead standstill. 所以我再一次陷入停滞状态。 I don't know what else to try. 我不知道还有什么可以尝试的。 Has anyone ever gotten CTL's to work with IIS7 or 7.5? 有没有人得到CTL与IIS7或7.5一起工作? Ever? 自从? Am I beating a DEAD horse. 我打败了一匹死马。 Google turns up nothing but my own posts and other similar stories. 除了我自己的帖子和其他类似的故事,谷歌只会出现。

Update 6/08/10 - I can now confirm that KB981506 resolves this issue. 更新6/08/10 - 我现在可以确认KB981506可以解决此问题。 There is a patch associated with this KB that must be applied to Server 2008 R2 machines to enable this functionality. 有一个与此KB关联的修补程序必须应用于Server 2008 R2计算机才能启用此功能。 Once that is installed all works flawlessly for me. 一旦安装完毕,所有工作都能完美无缺地为我服务。

解决方案3
 1  2014-12-08 17:03:07

The question is about IIS7, but for anyone looking for this information - from IIS8 you no longer need to use CTLs, but rather use "Client Authentication Issuers" in the certificate store. 问题是关于IIS7,但对于任何寻找此信息的人 - 从IIS8,您不再需要使用CTL,而是使用证书存储中的“客户端身份验证发布者”。

This is documented in more detail: http://technet.microsoft.com/en-us/library/hh831771.aspx 更详细地记录了这一点: http//technet.microsoft.com/en-us/library/hh831771.aspx

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用哪个证书连接到受保护的IIS7网站? - Which certificate to use to connect to a secured IIS7 website? Powershell IIS7 Snap in将SSL证书分配给https绑定 - Powershell IIS7 Snap in Assign SSL certificate to https binding 如何续订iis7自签名证书 - How to renew an iis7 self signed ssl certificate IIS7:如何将 SSL 证书绑定到 Https 主机头? - IIS7: How to bind SSL Certificate to Https Host Header? 选择具有智能卡身份验证IIS7 Server 2008的证书 - Choose Certificate with Smart Card Authentication IIS7 Server 2008 如何从命令提示符向 IIS7 站点分配 SSL 证书 - How to assign a SSL Certificate to IIS7 Site from Command Prompt IIS7 LocalHost证书-删除IE8警告 - IIS7 LocalHost Certificate - Remove IE8 warning 自动化自签名证书IIS7(可能带有appcmd) - Automating Self Sign Certificate IIS7 (possibly with appcmd) 自签名证书IIS7 - 根据验证程序,远程证书无效 - Self signed certificate IIS7 - The remote certificate is invalid according to the validation procedure IIS7分析 - IIS7 Profiling
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM