IIS Question

det103 81 Reputation points
2021-04-16T18:49:42.247+00:00

Hello:

we are working with a thirdparty vendor who uses IIS with SSL. when we tried to browse the site example below
https://FQDN of server/vendor
then we get below error
Provided certificate is not valid for encryption/decryption. There may be insufficient permissions to its private key in the windows certificate store or the certificate itself may not have the correct purposes. If you only want to use it for signing, set the Use property to Signing (CertificateUse.Signing).
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. we also tried giving access to application pool and network service to private key but did not resolve the issue

we tried changing our pki template with different options on certificate about encryption but we were not able to resolve the issue. Also default ssl site works fine.

any thoughts
thanks

Internet Information Services
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Michael Taylor 47,966 Reputation points
    2021-04-16T19:04:29.297+00:00

    Sounds like the certificate they are using for SSL is invalid. It is possible they gave you a self-signed cert which isn't going to work for a hosted site. Or the cert they created wasn't created to support SSL. You need to go back to the vendor and ask them to create a valid SSL cert and associate it with their site. Certs are normally created by a certificate authority like Verisign or the like. For testing purposes you can generate a free cert using something like openssl but you wouldn't want to go live with that kind of cert.

    You said the default SSL site works but are you using the same SSL cert for both the default site and whatever this vendor site is? Note that for internal testing you could also use your companies SSL cert (if you have one) provided the SSL cert is a wildcard cert (e.g. *.mycompany.org) and the site you're trying to host is a subdomain (e.g. myapp.mycompany.org).

    Also note that when you create an SSL cert you generally specify the domain name (or perhaps a wildcard). If the actual host name used by the IIS site doesn't match the SSL cert then it'll trigger at least a warning in the browser.

    0 comments
  2. det103 81 Reputation points
    2021-04-16T19:12:04.967+00:00

    AS i mentioned earlier, i have tried changing cert properties around encryption but there was no success. So cert is valid because i can browse default website fine. also i am using internal PKI and the cert chain is validated on the server

    0 comments
  3. Alberto Poblacion 1,556 Reputation points
    2021-04-17T17:03:05.917+00:00

    This may be a clue:
    "There may be insufficient permissions to its private key in the windows certificate store"

    Find out what is the account under which the application pool is executing, and then go to the MMC Certificate applet, find your certificate, and use the context menu option "All tasks -> Manage private keys" to verify that the account does indeed have permission to read the certificate. If it doesn't, you can grant it from there.

    0 comments