Thursday, 21 July 2011

IIS 7.5, HTTPS Bindings and ERR_CONNECTION_RESET

Having a website with HTTP and HTTPS bindings, running on my local IIS 7.5 server, I encountered this error in Chrome, Error 101 (net::ERR_CONNECTION_RESET), while trying to access it over HTTPS. I checked IIS and the bindings were fine: both protocols were set and the self-signed certificate hadn't expired yet.

Since the website wasn't accessible over HTTPS and everything seemed OK at the IIS level, I suspected the problem sat one layer below IIS and could be fixed with the netsh command. The HTTPS binding shown in IIS Manager lives in applicationHost.config, but the TLS handshake itself is handled by the kernel-mode HTTP.SYS driver, which keeps its own list of certificate-to-port bindings (persisted under HKLM\SYSTEM\CurrentControlSet\services\HTTP\Parameters\SslBindingInfo). When HTTP.SYS has no certificate for port 443, it simply drops the connection as soon as the TLS ClientHello arrives, which the browser reports as a connection reset rather than a certificate error.

The first thing to do was to list the SSL server certificate bindings:

netsh http show sslcert

As I expected, nothing was shown: the IIS binding existed, but HTTP.SYS had no certificate for the port. To "add a new SSL server certificate binding and corresponding client certificate policies for an IP address and port" (from the help), netsh can be used with three basic parameters: ipport, certhash and appid.

The certhash value is the certificate's SHA-1 thumbprint, written as 40 hex characters with no blanks. It can be read either from IIS Manager (select the server node, Server Certificates, select a certificate, click View in the right-hand menu, Details\Thumbprint, copy the value somewhere and remove the blanks between the byte groups), or by using the following command. A caveat when copying from the certificate dialog: the clipboard often picks up an invisible left-to-right mark (U+200E) in front of the first byte, and netsh then rejects the otherwise correct-looking hash with "The parameter is incorrect"; retyping the first character fixes it.


certutil -store MY

which outputs the following (the Cert Hash(sha1) line is the thumbprint):

Serial Number: 59e762ee4c6bda874fed1c915d26e521
Issuer: CN=adi-PC
NotBefore: 21.07.2011 2:16
NotAfter: 21.07.2012 3:00
Subject: CN=adi-PC
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): dc ab 84 55 bf 75 5c ad a4 b9 1d a6 64 45 68 b3 11 69 f0 20
Key Container = ea4cc866-f5b9-4737-a18e-1724e02961ba
Unique container name: 0e2c5f1fd1fe7a2461b77daf1973b1cb_d924ef92-4440-4132-82f8-cc223fca6bb8
Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed
CertUtil: -store command completed successfully.


The appid is any valid GUID surrounded by {}; it only tags the binding with an owning application and has no cryptographic meaning. I could have generated a fresh one with PowerShell ([guid]::NewGuid()), but simply reused the "Key Container" value from the certutil output. When IIS Manager creates the HTTP.SYS binding itself it uses its own id, {4dc3e181-e14b-4a21-b022-59fc669b0914}, so if you want the binding to look like one IIS made, use that value instead.

The command looks like:

netsh http add sslcert ipport=0.0.0.0:443 certhash=dcab8455bf755cada4b91da6644568b31169f020 appid={ea4cc866-f5b9-4737-a18e-1724e02961ba}


The output of "netsh http show sslcert" is now:

SSL Certificate bindings:
-------------------------

IP:port : 0.0.0.0:443
Certificate Hash : dcab8455bf755cada4b91da6644568b31169f020
Application ID : {ea4cc866-f5b9-4737-a18e-1724e02961ba}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
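The whole procedure above (check what HTTP.SYS has bound, look up the thumbprint, add the binding, confirm the handshake now completes) can be scripted so it is repeatable. The following is an added example written for this page, not code from the original post: it assumes the certificate sits in Cert:\LocalMachine\My with subject CN=adi-PC as in the certutil output, uses the IIS application id mentioned above, and must be run from an elevated PowerShell prompt.

```powershell
# Added example: diagnose and repair a missing HTTP.SYS SSL binding for IIS.
# Assumptions (adjust to your machine): certificate subject CN=adi-PC in the
# LocalMachine\My store, binding on all addresses port 443, IIS's own appid.
$IpPort  = '0.0.0.0:443'
$Subject = 'CN=adi-PC'
$AppId   = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'   # application id IIS Manager uses

function Get-HttpSysSslBinding {
    param([string]$IpPort)
    # "netsh http show sslcert ipport=..." fails (non-zero exit) when no binding exists,
    # which is exactly the state that produces ERR_CONNECTION_RESET in the browser.
    $out = netsh http show sslcert ipport=$IpPort 2>&1
    if ($LASTEXITCODE -ne 0) { return $null }
    $m = $out | Select-String -Pattern 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})' | Select-Object -First 1
    if (-not $m) { return $null }
    $m.Matches[0].Groups[1].Value        # thumbprint currently bound to the port
}

function Get-ServerCertThumbprint {
    param([string]$Subject)
    # Newest unexpired certificate with this subject that still has its private key;
    # without the key HTTP.SYS cannot complete the handshake even if the binding exists.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "No usable certificate with subject '$Subject' in LocalMachine\My" }
    # .Thumbprint is already 40 hex characters with no blanks and no stray
    # left-to-right mark, unlike a value pasted from the certificate dialog.
    $cert.Thumbprint
}

function Add-HttpSysSslBinding {
    param([string]$IpPort, [string]$Thumbprint, [string]$AppId)
    # Arguments are quoted so PowerShell passes the braces in the appid through untouched.
    netsh http add sslcert "ipport=$IpPort" "certhash=$Thumbprint" "appid=$AppId" certstorename=MY | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed (exit code $LASTEXITCODE)" }
}

function Test-TlsHandshake {
    param([string]$HostName = 'localhost', [int]$Port = 443)
    # Perform a raw TLS handshake, the step that was being reset. The validation
    # callback accepts any certificate on purpose: a self-signed cert is expected here,
    # and the question is only whether the server presents one at all.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.RemoteCertificate.Subject     # e.g. CN=adi-PC
    } finally {
        $client.Close()
    }
}

$bound = Get-HttpSysSslBinding -IpPort $IpPort
if ($bound) {
    "HTTP.SYS already binds certificate $bound to $IpPort"
} else {
    $thumb = Get-ServerCertThumbprint -Subject $Subject
    "No HTTP.SYS binding on $IpPort; adding certificate $thumb"
    Add-HttpSysSslBinding -IpPort $IpPort -Thumbprint $thumb -AppId $AppId
}
"TLS handshake completed; server presented: $(Test-TlsHandshake)"
```

If Test-TlsHandshake still throws after the binding was added, the usual causes are a different IP:port in the IIS binding (for example 127.0.0.1:443 instead of 0.0.0.0:443) or a certificate whose private key is not readable by the account HTTP.SYS runs under; netsh http show sslcert will tell you which ports actually have a certificate.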


The ERR_CONNECTION_RESET error disappeared :) The "(null)" store name in the listing above is normal when certstorename is not given; HTTP.SYS then looks the certificate up in the local machine's MY (Personal) store.


Note: I don't do this kind of thing every day; after all, I'm only a developer. This was not a simple thing for me to do: it actually took about two hours of googling, and that when netsh wasn't new to me, which was a bit frustrating. But how can I test the 3D Secure integration on an eshop when my SSL is down? I can't! So I needed to have it working.
