Today I will be discussing the infamous error seen while adding an SSL binding in IIS 7 and higher. Below is a snapshot of the error message shown when trying to add the SSL binding in IIS.
The error is definitely not descriptive, nor does it provide any information that helps with troubleshooting. The System event log, however, records the clue and the reason the error is seen.
Log Name: System
Source: Schannel
Date: 07-10-2012 02:13:15
Event ID: 36870
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: xxxxxxxxx
Description: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.
Event message logged in the system event logs on failure.
The event log gives the clue. 0x8009030d is SEC_E_NO_CREDENTIALS: Schannel could not build a server credential from the certificate because it could not access the certificate's private key. The primary cause is a broken keyset, that is, a certificate in the store that no longer points to a usable private key container.
For those who may not be following, public key cryptography deals with a public key and a private key. The public key is distributed to clients inside the certificate, while only the server holds the private key: with RSA key exchange it decrypts the pre-master secret sent by the client, and with the other cipher suites it signs the handshake. Either way, if Schannel cannot use the private key, no SSL session can be established, so the private key is of utmost importance here.
There are a few scenarios in which access to the private key of the SSL certificate can fail. I will discuss three in this article:
SCENARIO 1

The most common scenario is when the IIS MMC is used to import a certificate and the option "Allow this certificate to be exported" is unchecked. This results in a broken keyset and hence the error.
There are two ways to fix this problem. Before starting either one, delete the existing (broken) certificate from the store.
If using the IIS MMC to import the certificate, ensure that "Allow this certificate to be exported" is checked.
If making the private key exportable is not an option, use the Certificates MMC snap-in to import the certificate instead. Please go through the following KB on how to import a certificate using the MMC: http://support.microsoft.com/kb/232137
SCENARIO 2

Another cause of a broken keyset is missing permissions on the MachineKeys folder. This is the location where the machine-level RSA private key containers used by IIS are stored. The folder path (IIS 7 and higher) is as shown below:
The default permissions on this folder are described in the following articles:
First, delete the broken certificate from the store. Then ensure the permissions are as per the articles mentioned above: the Administrators group and the Everyone account need their default entries. Do remember to select the
NOTE: The issue may persist even after the folder permissions are correct. In that case use Process Monitor (procmon.exe), filter on the MachineKeys path, and fix the ACCESS DENIED reported on the specific key file inside the folder (the access comes from lsass.exe, which hosts Schannel). You may also try giving the SYSTEM account Full Control on the MachineKeys folder.
After granting the necessary permissions, re-import the certificate as described in SCENARIO 1.
SCENARIO 3

There is another possibility: the issue can occur even after both of the above have been verified. I have observed this behavior typically on Windows Server 2008. It depends on the KeySpec property of the certificate's private key.
KeySpec specifies whether the private key is an exchange key (AT_KEYEXCHANGE, usable for encryption and decryption and, for RSA, also for signing) or a signature-only key (AT_SIGNATURE). Schannel requires the RSA key of a server certificate to be AT_KEYEXCHANGE; a key created as AT_SIGNATURE cannot decrypt the pre-master secret, so the binding fails with the same event.
Remember that KeySpec is fixed when the key pair is generated for the Certificate Signing Request (KeySpec = 1 in a certreq .inf file), and it cannot be changed on an existing key container. If the certificate and key can be exported to a PFX, re-importing with certutil -importPFX and the AT_KEYEXCHANGE modifier creates a new container with the correct KeySpec; otherwise a new request has to be generated with the right value.
Also compare the KeySpec with the KeyUsage property of the private key (the X509KeyUsageFlags of the key, not the Key Usage extension of the certificate) and make sure the two agree. For example, for a key whose KeySpec is AT_KEYEXCHANGE, the KeyUsage should be XCN_NCRYPT_ALLOW_DECRYPT_FLAG | XCN_NCRYPT_ALLOW_KEY_AGREEMENT_FLAG.
The permitted uses are not defined.
The key can be used to decrypt content. This maps to the following X509KeyUsageFlags values:
The key can be used for signing. This maps to the following X509KeyUsageFlags values:
The key can be used to establish key agreement between entities.
All of the uses defined for this enumeration are permitted.
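The checks from the three scenarios above, collected into one PowerShell script. This is an added example written for this page; it is not a tool shipped with IIS or Windows and is not taken from the original post. It assumes a CSP-based RSA key (the kind stored under MachineKeys; CNG-based keys are reported but not handled), a certificate imported into the Local Computer personal store, and the standard MachineKeys location under %ALLUSERSPROFILE%\Microsoft\Crypto\RSA\MachineKeys. The script name, parameter name and warning texts are my own. Run it from an elevated prompt.

```powershell
<#
 Diagnose-SslBindingKey.ps1 (added example, not part of the original post)
 Walks the three failure modes discussed above for one certificate in LocalMachine\My:
   SCENARIO 1 - store entry without a usable private key (broken keyset)
   SCENARIO 2 - ACLs on the MachineKeys folder / key file that keep SYSTEM (lsass, which hosts Schannel) out
   SCENARIO 3 - KeySpec of the key container (Schannel needs AT_KEYEXCHANGE for an RSA server key)
 Usage (elevated prompt):  .\Diagnose-SslBindingKey.ps1 -Thumbprint 'a1 b2 c3 ...'
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)
$ErrorActionPreference = 'Stop'

# Thumbprints copied from the MMC carry spaces and sometimes an invisible leading character; keep only hex.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Assumed standard location of the machine-level CSP key containers.
$machineKeys = Join-Path $env:ALLUSERSPROFILE 'Microsoft\Crypto\RSA\MachineKeys'

# --- SCENARIO 1: is the certificate in the right store, and does it still point at a key? ---
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate $Thumbprint in LocalMachine\My. IIS binds only from the Local Computer store; was it imported into the user store?"
}
Write-Host "Subject       : $($cert.Subject)"
Write-Host "HasPrivateKey : $($cert.HasPrivateKey)"
if (-not $cert.HasPrivateKey) {
    # certutil -repairstore re-links the store entry to a key container that still exists on disk.
    Write-Warning 'Store entry has no private key association; trying certutil -repairstore.'
    & certutil.exe -repairstore my $Thumbprint | Out-Null
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert.HasPrivateKey) {
        throw 'Repair failed: the key container is gone. Delete the certificate and re-import it with its private key (SCENARIO 1).'
    }
}

# Opening the key is what Schannel does when the binding is added; a failure here is the 0x8009030d case.
try {
    $rsa = $cert.PrivateKey
} catch [System.Security.Cryptography.CryptographicException] {
    throw "Private key cannot be opened: $($_.Exception.Message). Either this account is denied on the key file (SCENARIO 2) or the key is CNG-based (not covered here)."
}
$info = $rsa.CspKeyContainerInfo
if (-not $info.MachineKeyStore) {
    Write-Warning 'Key container is in the user profile, not the machine store; the SYSTEM/lsass context cannot reach it. Re-import into the Local Computer store.'
}
$keyFile = Join-Path $machineKeys $info.UniqueKeyContainerName

# --- SCENARIO 2: ACLs on the folder and on the key file itself. ---
# The folder ACL is printed so it can be compared with the documented defaults. On the key file
# SYSTEM must be allowed to read the data and must not be denied, otherwise lsass gets ACCESS DENIED.
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
foreach ($path in @($machineKeys, $keyFile)) {
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$path does not exist: the keyset is broken, re-import the certificate (SCENARIO 1)."
        continue
    }
    $acl = Get-Acl -Path $path
    Write-Host "`nACL for $path"
    foreach ($ace in $acl.Access) {
        Write-Host ('  {0,-32} {1,-6} {2}' -f $ace.IdentityReference, $ace.AccessControlType, $ace.FileSystemRights)
    }
    if ($path -eq $keyFile) {
        $systemAces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' }
        $allowed = $systemAces | Where-Object { $_.AccessControlType -eq 'Allow' -and (([int]$_.FileSystemRights) -band $readData) -ne 0 }
        $denied  = $systemAces | Where-Object { $_.AccessControlType -eq 'Deny' }
        if ($denied -or -not $allowed) {
            Write-Warning "SYSTEM cannot read $keyFile; this is the ACCESS DENIED procmon would show. Grant SYSTEM Full Control on the file (or on the folder, per the NOTE above)."
        }
    }
}

# --- SCENARIO 3: KeySpec of the container. ---
# KeyNumber is the .NET view of KeySpec: Exchange = AT_KEYEXCHANGE (1), Signature = AT_SIGNATURE (2).
Write-Host "`nProvider   : $($info.ProviderName)"
Write-Host "Container  : $($info.KeyContainerName)"
Write-Host "KeySpec    : $($info.KeyNumber)"
Write-Host "Exportable : $($info.Exportable)"
if ($info.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
    Write-Warning "KeySpec is $($info.KeyNumber); Schannel needs AT_KEYEXCHANGE for an RSA server key."
    if ($info.Exportable) {
        Write-Warning 'Export the certificate with its key to a PFX, delete it from the store, then re-import with the KeySpec overridden:'
        Write-Warning '  certutil -p <pfx password> -importPFX <file>.pfx AT_KEYEXCHANGE'
    } else {
        Write-Warning 'Key is not exportable: request a new certificate with KeySpec = 1 (AT_KEYEXCHANGE) in the CSR.'
    }
}
```

certutil -verifystore my <thumbprint> runs an encryption test against the key and therefore reproduces the 0x8009030d condition without touching IIS; it is a quick second opinion on what the script reports. certutil -repairstore only re-links a store entry to a container that still exists, so for a key that was never imported or whose file was deleted, re-importing the PFX is the only fix. The exact certutil -importPFX syntax varies between Windows versions (newer builds also accept a store name before the file), so check certutil -importPFX -? on the server before relying on the command above.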
For further reading on KeyUsage, refer to the two links below: