
Thursday, September 15, 2016

How to Create Private Key & CSR Using IIS server

Problem : Sometimes we get a CSR from the user to create the SSL certificate, but we don't have access to IIS to install the certificate back on that IIS server, and we need the SSL certificate in PFX\P12 format as well.



Resolution : 


Whenever you create a CSR (Certificate Signing Request), a private key is also created in the background. This private key is used to install the certificate back into IIS when you receive the certificate in .CER format for that CSR file. The private key resides only on the server where the CSR file was created and is never shared with anybody.

Suppose you don't have access to IIS to install the CER file and need a PFX certificate to install that SSL certificate on another server as well. In that case, the following steps need to be taken.


Backup Your Private Key


To back up a private key on Microsoft IIS 6.0\7.5\8.5, follow these instructions:
1. From your server, go to Start > Run and enter mmc in the text box. Click on the OK button.
2. From the Microsoft Management Console (MMC) menu bar, select Console > Add/Remove Snap-in.
3. Click on the Add button. Select Certificates from the list of snap-ins and then click on the Add button.
4. Select the Computer account option. Click on the Next button.
5. Select the Local computer (the computer this console is running on) option. Click on the Finish button.
6. Click on the Close button on the snap-in list window. Click on the OK button on the Add/Remove Snap-in window.
7. Click on Certificates in the left pane. Look for a folder called REQUEST or "Certificate Enrollment Request" > Certificates.
8. Select the private key that you wish to back up. Right-click on it and choose All Tasks > Export.
9. The Certificate Export Wizard will start; click Next to continue. In the next window select Yes, export the private key and click Next.
10. Leave the default settings selected and click Next.
11. Set a password on the private key backup file and click Next.
12. Click on Browse, select a location where you want to save the private key backup file, and then click Next to continue. By default the file will be saved with a .pfx extension.
13. Click Finish to complete the export process.


Convert the Private Key from PFX to RSA Private Key Format (.Key File)



The private key is backed up as a '.pfx' file, which stands for Personal Information Exchange.

To convert it to the RSA private key format supported by most servers\systems:
1. Download and install the latest version of OpenSSL for Windows from http://www.slproweb.com/products/Win32OpenSSL.html.

2. OpenSSL requires Visual C++ Redistributables which can be downloaded from 

3. First install the Visual C++ Redistributables and then the Win32OpenSSL package that you downloaded from the above link.

4. Open a command prompt, navigate to C:\OpenSSL-Win32\bin, and run the following commands.

Set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg 

5. First we will convert the private key (which we backed up in .PFX format) to .PEM format using the following command.

openssl pkcs12 -in PrivateKeyFilename.pfx -nocerts -out key.pem

6. Now we will convert that .PEM file to the much-awaited .KEY file using the following command.

openssl rsa -in key.pem -out PrivateKeyFilename.key


Now you have both files (.CER & .KEY), which will be used to create the certificate in .PFX format; I will share that in my next blog.
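Before the .KEY file is used anywhere, it is worth confirming that it really belongs to the issued certificate and locking down the files that hold key material, because the `openssl rsa` command in step 6 writes the key without a passphrase. The script below is an added example, not part of the original post; it assumes openssl.exe is on the PATH, and `certificate.cer` is a placeholder name for the .CER file you received.

```powershell
# Added example (not the author's code). Assumes openssl.exe is on PATH.
param(
    [string]$KeyPath  = '.\PrivateKeyFilename.key',  # output of step 6
    [string]$CertPath = '.\certificate.cer'          # placeholder name for the issued .CER
)

# Return the "Modulus=..." line openssl prints, or $null if openssl fails.
function Get-Modulus([string[]]$OpenSslArgs) {
    $out = & openssl $OpenSslArgs 2>$null
    if ($LASTEXITCODE -ne 0) { return $null }
    return $out | Where-Object { $_ -like 'Modulus=*' } | Select-Object -First 1
}

$keyMod  = Get-Modulus @('rsa', '-noout', '-modulus', '-in', $KeyPath)
# A .CER file may be PEM (Base64) or DER (binary) encoded: try both.
$certMod = Get-Modulus @('x509', '-noout', '-modulus', '-in', $CertPath)
if (-not $certMod) {
    $certMod = Get-Modulus @('x509', '-noout', '-modulus', '-inform', 'DER', '-in', $CertPath)
}

if (-not $keyMod -or -not $certMod) { throw 'Could not read the key or the certificate.' }
if ($keyMod -ne $certMod)           { throw 'Private key does NOT match the certificate.' }
Write-Output 'Private key matches the certificate.'

# Restrict every file that holds key material to Administrators and SYSTEM.
# *S-1-5-32-544 = BUILTIN\Administrators, *S-1-5-18 = LocalSystem (well-known SIDs).
foreach ($file in '.\PrivateKeyFilename.pfx', '.\key.pem', $KeyPath) {
    if (Test-Path -LiteralPath $file) {
        & icacls $file /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F' | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $file" }
    }
}
```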

Cheers!!!







Tuesday, July 5, 2016

ASP 500 Error with Code 0x800700aa While browsing a .asp page

Problem :

Sometimes you try to browse a simple ASP page (legacy ASP) hosted on IIS 7.5 or IIS 8.5 and you run into the following error:


Detailed Error Information 
Module IsapiModule 
Notification ExecuteRequestHandler 
Handler ASPClassic 
Error Code 0x800700aa 
Requested URL http://localhost/New_Site/Default.asp 
Physical Path C:\inetpub\wwwroot\New_Site\Default.asp 
Logon Method Anonymous 
Logon User Anonymous


You try all the other options, like enabling 32-bit, changing the AppPool pipeline mode to Classic, or installing .Net Framework 1.1 or 2.0, but it doesn't help.

Diagnose the Problem : 

To find the main reason for this problem, you will need to run Process Monitor and filter the logs to see only the ProcMon entries related to w3wp.exe.

While digging through the logs, you may find entries similar to the following:

12:31:49.0797868 PM    w3wp.exe    8264    CreateFile    C:\Program Files\McAfee\VirusScan\scriptsn.dll    PATH NOT FOUND 
 

Now the question is why an ASP file request is calling a .dll file that belongs to the McAfee antivirus program.

Sometimes, when McAfee is installed or updated on your server, it adds this DLL as part of its ScriptScan feature, to intercept script calls before they are executed, under the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 
    (Default)    REG_SZ    C:\Program Files\McAfee\VirusScan\scriptsn.dll

Under normal conditions, this registry key (CLSID - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32) points to VBScript.dll, but here it points to C:\Program Files\McAfee\VirusScan\scriptsn.dll, the path that Process Monitor reports as PATH NOT FOUND. This is the reason ASP files are not being processed when requested.
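The registration described above can be checked without Process Monitor. The script below is an added example, not part of the original post; it only reads the registry and reports where the InprocServer32 default value points and whether that DLL exists. It goes slightly beyond the post by also checking the Wow6432Node view, on the assumption that the server is 64-bit and may run 32-bit application pools.

```powershell
# Added example (not the author's code): read-only check, changes nothing.
$clsid = '{B54F3741-5B07-11cf-A4B0-00AA004A55E8}'   # CLSID quoted in the post

# Second path is an assumption beyond the post: the view 32-bit processes
# read on 64-bit Windows. It is reported as KEY MISSING on a 32-bit OS.
$keys = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
    "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32"
)

function Get-EngineRegistration([string]$KeyPath) {
    $dll = $null
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        $status = 'KEY MISSING'
    } else {
        # GetValue('') returns the (Default) value of the key.
        $dll = (Get-Item -LiteralPath $KeyPath).GetValue('')
        if (-not $dll) { $status = 'NO DEFAULT VALUE' }
        elseif (-not (Test-Path -LiteralPath $dll)) { $status = 'DLL NOT FOUND' }
        elseif ((Split-Path $dll -Leaf) -ne 'vbscript.dll') { $status = 'NOT VBSCRIPT.DLL' }
        else { $status = 'OK' }
    }
    New-Object PSObject -Property @{ Status = $status; Dll = $dll; Key = $KeyPath }
}

$results = $keys | ForEach-Object { Get-EngineRegistration $_ }
$results | Select-Object Status, Dll, Key | Format-List

# Non-zero exit code when any existing view points somewhere unexpected.
if ($results | Where-Object { $_.Status -ne 'OK' -and $_.Status -ne 'KEY MISSING' }) { exit 1 }
```

Running it again after the registry change and application pool recycle should report OK for every view that exists.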


Resolution : 

To resolve this issue you need to perform the following tasks:

  • Open Registry Editor
  • Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}
  • Right-click and select Permissions
  • Click Advanced
  • Click on the Owner tab
  • In the "Change owner to" list, select Administrators
  • Click Apply and then click OK
  • Then select Administrators in the list of accounts under "Group or user names"
  • Tick "Full Control"
  • Click Apply and OK
  • Now double-click on InprocServer32 and modify its value to "C:\Windows\system32\vbscript.dll".
  • Click OK and exit the Registry Editor.
  • Recycle the application pool serving your application, or reset IIS if necessary.

VOILAAAAAAA !!!!! It Works !!!!!!

Cheers!!!




Wednesday, May 4, 2016

Installing and Configuring .Net Framework 1.1 on Windows Server 2008 R2

Problem : 



Sometimes we need to install .Net Framework 1.1 on Windows Server 2008 R2 to run legacy applications on IIS 7.5 (such as an ASP application). Microsoft does not provide .Net Framework v1.1 by default on Windows Server 2008 R2. You need to install and configure it manually.



Solution : 


Here are the steps to successfully install and configure .Net Framework v1.1 on Windows Server 2008 R2.

Step 1: Install "IIS METABASE COMPATIBILITY" From Server Manager 
Click Start, and click Server Manager. Expand the tree view in Server Manager and click Manage Roles, and then Web Server (IIS). In the right-hand pane look for an option that says Add Role Services. This takes you to a wizard where you can install "IIS Metabase Compatibility".

Step 2: Install .Net 1.1
You will get a compatibility warning. You can easily ignore that warning and run the setup.

Step 3: Enable ASP.Net v1.1 ISAPI Extension
Now go to IIS Manager under Administrative Tools, and in the Features view click on the ISAPI and CGI Restrictions feature. In the Actions pane click Add.
Extension: C:\Windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
Note: change the drive if your system drive is not C:\
Description: ASP.NET v1.1
Alternatively, the same can be achieved by running the following command:
%windir%\Microsoft.NET\Framework\v1.1.4322\aspnet_regiis -enable
Step 4: Edit machine.config
.Net v1.1 will throw runtime exceptions if the web.config files read by your .Net v1.1 applications contain IIS configuration sections. To make it ignore IIS configuration sections, edit the machine.config in %windir%\Microsoft.NET\Framework\v1.1.4322\config\machine.config by adding the following section just above the closing tag of the <configSections> element:
<section name="system.webServer" type="System.Configuration.IgnoreSectionHandler,
    System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</configSections>


Step 5: Configure the site to use v1.1 Application Pool

In IIS Manager, select the site that you want to run on .Net Framework 1.1 and open Advanced Settings. Set the application pool to ASP.NET 1.1, which uses .Net Framework 1.1.
NOTE : You can also create your own application pool with the name of your choice. The steps to create an application pool in IIS 7.5 are given in my previous blog.

Step 6 (Very Important) : Now you need to fix the 64-bit bug; otherwise you will not be able to open the settings of websites configured to use .Net Framework v1.1 in IIS 7.5. It will throw an exception.
The config for .Net v1.1 does not exist for 64-bit operating systems, so you need to copy it from the 32-bit folder by doing the following.
  • Create \Windows\Microsoft.net\Framework64\v1.1.4322\config
  • Copy machine.config from \Windows\Microsoft.net\Framework\v1.1.4322\Config\ into the new folder


Now you are all set to use .net framework v1.1 in IIS 7.5

Cheers !!!!

Courtesy : https://community.rackspace.com/products/f/25/t/820 

Friday, April 22, 2016

How to add Application pool with .Net Framework 1.1 in IIS 7.5

Problem: 

IIS 7.5 on Windows Server 2008 R2 does not install .Net Framework 1.1 by default. You need to install it manually and register it.

When you open IIS Manager and go to Application Pools, you see only one application pool, named ASP.NET 1.1, configured with .Net Framework 1.1 in the application pools list.

When you add a new application pool and try to bind it to .Net Framework 1.1, you don't find version 1.1 in the drop-down list in the Basic Settings of that application pool.



Solution

Method 1: 


To add a new application pool in IIS 7.5 with .Net Framework 1.1 you need to take the following steps:

1. Open a Command Prompt with Administrator privileges (Run As Administrator).
2. Change the directory to C:\Windows\System32\Inetsrv.
3. Run the following APPCMD command to create a new application pool with .Net Framework 1.1:

appcmd add apppool /name:"NewPool" /managedRuntimeVersion:"v1.1"

After running this command you will see a new application pool in the application pool list,
which will show .Net Framework 1.1 bound to it. The rest of the settings can be made via the GUI.

Method 2 :

Run the following commands from C:\Windows\System32\Inetsrv :

appcmd add apppool /name:"NewPool" /managedRuntimeVersion:"v1.1"
appcmd set apppool /apppool.name:"NewPool" /enable32BitAppOnWin64:true
appcmd set apppool /apppool.name:"NewPool" /managedPipelineMode:"Classic"
appcmd set apppool /apppool.name:"NewPool" /autoStart:true


Cheers!!!!

Tuesday, February 16, 2016

How to enable Powershell 2.0 on Windows Server 2008 32 bit

Problem : 

If you search for Powershell 2.0 on Windows Server 2008 32-bit, you will not find it, as it is not installed by default.

Solution : 

1. You need to install Powershell 2.0 on your machine from the following MS link. It is basically an update from Microsoft which installs and enables Powershell on Windows Server 2008 (32-bit).

https://www.microsoft.com/en-us/download/details.aspx?id=11829

Windows PowerShell 2.0 and WinRM 2.0 for Windows Server 2008 (KB968930)

 
   

2. Restart the computer.


Cheers!!!!