question

PedrodaCosta-6548 avatar image
0 Votes"
PedrodaCosta-6548 asked PedrodaCosta-6548 answered

Windows 10 H2 prof. Self signed certificate error 1312

I am trying ti write a service that answers on https requests and process it.
For test purposes a generated a selfsignd ssl certificate with makecert and openssl and add it to the root and personal certificat.

In both cases, when i try

 netsh http add sslcert ipport=0.0.0.0:8180 certhash=99858B7A5DF30E700653E7A832F21AB68722C93F appid={82f96a4e-ad9c-4448-9f69-e9e9150c661e}

i get error 1312 ssl certificate can't be added

I checked in the personal certificate folder of local machine as in trusted root certificate, all certificate are present and valid

makecert

 makecert -sky exchange -r -n "CN=SRRootCert,OU=myprog,O=company,L=city,S=NRW,C=DE" -pe -b 01/01/2021 -e 12/31/2031 -a sha256 -len 2048 -sv D:\Zertifikate\SRRootCA.pvk -ss SRCertStore D:\Zertifikate\SRRootCA.cer
    
 makecert -sk SRRootCert -iv D:\Zertifikate\SRRootCA.pvk -n "CN=SRServ" -a sha256 -len 2048 -ic D:\Zertifikate\SRRootCA.cer D:\Zertifikate\SRService.cer -sr localmachine -ss SRCertStore
    
    
 POWERSHELL Import-Certificate -FilePath "D:\Zertifikate\SRRootCA.cer" -CertStoreLocation Cert:\LocalMachine\Root
 POWERSHELL Import-Certificate -FilePath "D:\Zertifikate\SRService.cer" -CertStoreLocation Cert:\LocalMachine\My
    
    
 netsh http add sslcert ipport=0.0.0.0:8180 certhash=99858B7A5DF30E700653E7A832F21AB68722C93F appid={aaaaaa-aaaaaa-aaaa-aaaa-aaaaaaaaa}

And my try with openssl-

 openssl genrsa -des3 -out D:\Zertifikate\ServicerootCA.key 2048
 openssl req -x509 -new -nodes -key D:\Zertifikate\ServicerootCA.key -sha256 -days 4096 -out D:\Zertifikate\ServicerootCA.crt
    
    
 openssl genrsa -out D:\Zertifikate\SRClient.key 2048
    
 openssl req -new -sha256 -key D:\Zertifikate\SRClient.key -subj "/C=DE/ST=NRW/O=company/Lcity/CN=eService" -out D:\Zertifikate\SRClient.csr
    
 openssl req -in D:\Zertifikate\SRClient.csr -noout -text
    
 openssl x509 -req -in D:\Zertifikate\SRClient.csr -CA D:\Zertifikate\ServicerootCA.crt -CAkey D:\Zertifikate\ServicerootCA.key -CAcreateserial -out D:\Zertifikate\SRConnectClient.crt -days 4096 -sha256
    
 openssl x509 -in D:\Zertifikate\SRClient.crt -text -noout
    
 POWERSHELL Import-Certificate -FilePath "D:\Zertifikate\EServicerootCA.crt" -CertStoreLocation Cert:\LocalMachine\Root
 POWERSHELL Import-Certificate -FilePath "D:\Zertifikate\SRClient.crt" -CertStoreLocation Cert:\LocalMachine\My

and then

 netsh http add sslcert ipport=0.0.0.0:8180 certhash=99858B7A5DF30E700653E7A832F21AB68722C93F appid={aaaaaa-aaaaaa-aaaa-aaaa-aaaaaaaaa}


Every step is tested and runs without error, files a re created checks run and finally add to the cetificat storage, but but produce an error.

To test netsh http add sslcert, i bond another certificat that was made for us by a "official" CA and it runs.

So nothing basically is wrong with the final step, but i can't figure out why it will not accept the self signed certifucates, which
which are as shown in the image registered and valid.

I also added the certificates with the mmc only to see if it makes any difference, which it didn't .

And in added the certificate, to the personal folder

73389-services.png






not-supported
services.png (6.7 KiB)
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @PedrodaCosta-6548,
The windows-forms tag is discussing and asking questions about the Windows Forms such as Winforms controls, libraries, samples, publication and installation.
The supported products are listed over here (more to be added later on).
Thank you for your understanding.
Best Regards,
Daniel Zhang


0 Votes 0 ·

thakk you, i couldn't find a tag, as i am writing an windows forms, i put in there.

0 Votes 0 ·

1 Answer

PedrodaCosta-6548 avatar image
0 Votes"
PedrodaCosta-6548 answered

The basic problem is that the generated ssl key, includes only the public key, but to work as a server you need both

As a solution generate a pkcs12 and use that to add the clientg certificate

 "D:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -nodes -out D:\Zertifikate\SRClient.pfx -inkey D:\Zertifikate\SRClient.key -in D:\Zertifikate\SRClient.crt -certfile D:\Zertifikate\EServicerootCA.crt -passout pass:


After importing the new generated key the httplistener works after

  netsh http add sslcert ipport=0.0.0.0:8180 certhash=99858B7A5DF30E700653E7A832F21AB68722C93F appid={aaaaaa-aaaaaa-aaaa-aaaa-aaaaaaaaa}
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.