IIS Question

asked 2021-04-16T18:49:42.247+00:00
det103 81 Reputation points


We are working with a third-party vendor who uses IIS with SSL. When we try to browse the site (example below)
https://FQDN of server/vendor
we get the error below:
Provided certificate is not valid for encryption/decryption. There may be insufficient permissions to its private key in the windows certificate store or the certificate itself may not have the correct purposes. If you only want to use it for signing, set the Use property to Signing (CertificateUse.Signing).
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

We also tried giving the application pool and Network Service access to the private key, but that did not resolve the issue.

We tried changing our PKI template with different encryption options on the certificate, but we were not able to resolve the issue. Also, the default SSL site works fine.

Any thoughts?

Internet Information Services

3 answers

  1. answered 2021-04-16T19:04:29.297+00:00
    Michael Taylor 37,326 Reputation points

    Sounds like the certificate they are using for SSL is invalid. It is possible they gave you a self-signed cert, which isn't going to work for a hosted site. Or the cert they created wasn't created to support SSL. You need to go back to the vendor and ask them to create a valid SSL cert and associate it with their site. Certs are normally created by a certificate authority like Verisign or the like. For testing purposes you can generate a free cert using something like OpenSSL, but you wouldn't want to go live with that kind of cert.

    You said the default SSL site works, but are you using the same SSL cert for both the default site and whatever this vendor site is? Note that for internal testing you could also use your company's SSL cert (if you have one), provided the SSL cert is a wildcard cert (e.g. *.mycompany.org) and the site you're trying to host is a subdomain (e.g. myapp.mycompany.org).

    Also note that when you create an SSL cert you generally specify the domain name (or perhaps a wildcard). If the actual host name used by the IIS site doesn't match the SSL cert then it'll trigger at least a warning in the browser.


  2. answered 2021-04-16T19:12:04.967+00:00
    det103 81 Reputation points

    As I mentioned earlier, I have tried changing the cert properties around encryption, but there was no success. So the cert is valid, because I can browse the default website fine. Also, I am using an internal PKI and the cert chain is validated on the server.


  3. answered 2021-04-17T17:03:05.917+00:00
    Alberto Poblacion 1,531 Reputation points

    This may be a clue:
    "There may be insufficient permissions to its private key in the windows certificate store"

    Find out which account the application pool is executing under, then go to the MMC Certificates snap-in, find your certificate, and use the context menu option "All Tasks -> Manage Private Keys" to verify that the account does indeed have permission to read the certificate's private key. If it doesn't, you can grant it from there.

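The check described in the answer above, scripted end to end. This is an added example and not code from the original thread or from Microsoft: it resolves the identity the vendor application's pool runs as, verifies the certificate purposes the error message refers to (Key Encipherment and Server Authentication), locates the private key file on disk, and grants that identity Read on it. It assumes Windows PowerShell 5.1 with the WebAdministration module on the IIS server, run elevated; the site name `Default Web Site`, the application name `vendor` and the thumbprint placeholder are assumptions to replace with your own values.

```powershell
# Added example, not code from the original thread. Automates the answer above:
# find the pool identity, check certificate purposes, grant Read on the private key.
# Assumptions: Windows PowerShell 5.1, WebAdministration module, elevated session.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'    # assumption: the IIS site hosting /vendor
$AppName    = 'vendor'              # assumption: the IIS application at https://FQDN/vendor
$Thumbprint = 'PUT-THUMBPRINT-HERE' # assumption: thumbprint of the cert the vendor app uses

# 1. Resolve the application pool of the /vendor application and the account it runs as.
$app = Get-WebApplication -Site $SiteName -Name $AppName
if (-not $app) { throw "Application '$AppName' not found under site '$SiteName'." }
$poolName = $app.applicationPool
$pool     = Get-Item "IIS:\AppPools\$poolName"
$account  = switch ([string]$pool.processModel.identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$poolName" }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'SpecificUser'            { $pool.processModel.userName }
}
Write-Host "Pool '$poolName' runs as: $account"

# 2. Locate the certificate and check the purposes the error message mentions.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My." }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key in this store; re-import it with the key." }

$ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$keyEncipherment = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
# No Key Usage extension means all usages are permitted, so only warn when it is present and restrictive.
if ($ku -and -not ($ku.KeyUsages -band $keyEncipherment)) {
    Write-Warning 'Key Usage lacks Key Encipherment: a signature-only template cannot be used for encryption/decryption.'
}
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.1')) {
    Write-Warning 'Enhanced Key Usage lacks Server Authentication (1.3.6.1.5.5.7.3.1); TLS clients will reject it.'
}

# 3. Find the private key file. Machine-store keys live under ProgramData; CNG (Key Storage
#    Provider) keys and legacy CSP keys are kept in different folders.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $provider = 'CNG'
    $keyPath  = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $provider = 'CSP'
    $keyPath  = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
} else {
    throw 'Private key is not an RSA key this script can locate; use MMC > All Tasks > Manage Private Keys instead.'
}
Write-Host "Private key provider: $provider, file: $keyPath"
if (-not (Test-Path $keyPath)) { throw "Key file not found at $keyPath (user-profile key or hardware-backed key?)." }

# 4. Show who already has access, then grant Read (not Full Control) to the pool identity.
$acl = Get-Acl -Path $keyPath
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize
$already = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $account -and $_.AccessControlType -eq 'Allow' }
if ($already) {
    Write-Host "$account already has: $($already.FileSystemRights -join ', ')"
} else {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
    Write-Host "Granted Read on the private key to $account"
}

# 5. Recycle the pool so the worker process picks up the new ACL, then retest the URL.
Restart-WebAppPool -Name $poolName
```

Read is all a TLS endpoint or decrypting application needs on the key file; granting Full Control, as is often done in a hurry, lets the worker process replace or delete the key. The script also prints whether the key is CNG or CSP backed: a template whose cryptography provider is a Key Storage Provider yields a CNG key, and application code that only understands legacy CSP keys will fail on it regardless of the ACL, which is a point to raise with the vendor if the permissions check out. The MMC "Manage Private Keys" dialog edits the same file ACL that step 4 changes.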