CTL in UAG/IIS 7.5

Answers

  • It looks like maybe cross certification is a way forward, since the Windows 2008 R2 underlying architecture has changed, which doesn't allow IIS 7.5 to generate CTLs as you used to do on IIS 6.

    http://technet.microsoft.com/en-us/library/cc787237(WS.10).aspx 

    However, the functionality still exists in Windows Server 2008 R2 to import a CTL to an HTTP endpoint, and Microsoft released a fix to do this: KB 981506, "SSL Certificate add failed, Error: 1312" error message when you try to add a CTL in Windows Server 2008 R2 or in Windows 7, http://support.microsoft.com/default.aspx?scid=kb;EN-US;981506.

    So the current recommendation for Windows Server 2008 R2 would be to use MakeCTL.exe on a Windows 2003 or Windows Server 2008 server and then import the CTL into the Windows Server 2008 R2 machine. http://viisual.net/configuration/IIS7-CTLs.htm has more on these steps. MakeCTL.exe will not work on Windows Server 2008 R2, as it cannot enumerate the list of Certificate Authorities.

    Here are the steps to create and move over the CTL if needed.

    1) On the machine you are using to generate the CTL, run MakeCTL.exe as discussed on http://viisual.net/Configuration/IIS7-CTLs.htm

    2) At the stage where you would save it to the Certificate Store we will save it to a file.

    3) In the Certificate Trust List Storage window, select File and click the Browse button.

    4) Then save the file as a .stl file.

    5) Move to the R2 server.

    6) Start the CertMgr.msc tool and point it to the Local Computer Store.

    7) Navigate to the Intermediate Certification Authorities location.

    8) Right-click and choose Import.

    9) Browse to the .stl file.

    10) You should see that this file is imported and that the Certificate Trust List has been created.


    Faisal :>
    Monday, November 8, 2010 3:52 PM
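    Steps 6 to 10 above, plus the endpoint binding that produces the "Error: 1312" message discussed in this thread, scripted for the R2 server. This is an added example, not part of the original answer; $StlPath, $CtlFriendlyName, $CertHash, $AppId and $IpPort are placeholders you supply, and it assumes certutil -addstore accepts a .stl file and lists CTL entries in its -store output.

```powershell
# Added example (not from the thread): import a MakeCTL-generated .stl into the
# Local Computer "Intermediate Certification Authorities" store (internal name CA),
# confirm the CTL is present, then bind it to the HTTPS endpoint so IIS/UAG only
# accepts client certificates that chain to the CAs listed in the CTL.
param(
    [string]$StlPath         = 'C:\ctl\clientcas.stl',                   # file saved in step 4 (placeholder)
    [string]$CtlFriendlyName = 'ClientCAs',                              # friendly name given in MakeCTL (placeholder)
    [string]$CertHash        = '<SERVER-CERT-THUMBPRINT>',               # thumbprint of the server certificate (placeholder)
    [string]$AppId           = '{00000000-0000-0000-0000-000000000000}', # application GUID for the binding (placeholder)
    [string]$IpPort          = '0.0.0.0:443'
)

$ErrorActionPreference = 'Stop'

# Steps 6 to 9, scripted: import the .stl into LocalMachine\CA.
# Assumption: certutil -addstore accepts a CTL file in addition to certificates and CRLs.
& certutil.exe -addstore CA $StlPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

# Step 10: verify the CTL landed in the store.
# Assumption: certutil -store prints a "CTL" header for each trust list it finds.
$storeDump = & certutil.exe -store CA 2>&1
if (-not ($storeDump -match 'CTL')) { throw 'No CTL found in LocalMachine\CA after import' }
Write-Host 'CTL imported into LocalMachine\CA'

# Bind the CTL to the endpoint. Any existing binding on the port must be removed first,
# otherwise "add sslcert" fails. On an unpatched R2 box this is the call that returned
# "SSL Certificate add failed, Error: 1312" (see KB 981506 above).
& netsh.exe http delete sslcert ipport=$IpPort 2>$null | Out-Null
& netsh.exe http add sslcert ipport=$IpPort certhash=$CertHash appid=$AppId `
    sslctlidentifier=$CtlFriendlyName sslctlstorename=CA
if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }

# Show the resulting binding; "Ctl Identifier" and "Ctl Store Name" should now be populated.
& netsh.exe http show sslcert ipport=$IpPort
```

Run from an elevated PowerShell prompt on the R2 (IIS 7.5) machine; the delete/add pair briefly drops the HTTPS binding, so schedule it outside service hours.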

All replies

  • I tried this and can't get the hotfix at http://support.microsoft.com/kb/981506 to install.  It tells me it's not the right one for my OS, even though I navigated there on that OS and it auto-chooses Windows Server 2008 R2 64-bit for me, and that's what downloads.  Any ideas on this?
    Thursday, April 21, 2011 5:29 PM
  • Same problem here as Gemini - still getting the "SSL Certificate add failed, Error: 1312" error message when you try to add the cert to a specific port. Running on Windows 7. I believe KB981506 isn't being allowed to load since, looking at the files involved, I already have more recent versions of these files.

    So I tried using makecert on an older XP SP3 box and tried loading in on the Windows 7 and still get the darn SSL error msg.

    Anyone else get a more recent process/hotfix that works?

    thx

    Thursday, May 19, 2011 4:41 AM
  • Did you try this wiki?

    http://social.technet.microsoft.com/wiki/contents/articles/how-to-create-a-certificate-trust-list-in-w2k8-r2-for-use-with-unified-access-gateway.aspx 


    For the hotfix, I think you need to contact Microsoft support. This is a Windows hotfix, and Windows support would be the best place to escalate this request.


    Faisal :>
    Thursday, May 19, 2011 10:43 AM
  • As of June 20, 2011, the "Error:1312" message (and problem) seems to be gone.  I tried running the hotfix on a 2K8 R2 server with SP1 (and other fixes since SP1) and the hotfix wouldn't install, saying it wasn't applicable.  So I just followed the steps in http://viisual.net/Configuration/IIS7-CTLs.htm as is, directly on the R2 (IIS 7.5) machine.  It worked perfectly.
    • Proposed as answer by Ran [MSFT] Wednesday, June 22, 2011 4:28 PM
    Tuesday, June 21, 2011 9:12 PM