Breaking the blog drought!
July 31, 2009
posted by James Kehr
What a crazy summer. No OW blogs for over 3 months. Time to break the drought. I was studying today for one of those certification test things and ran across an interesting problem.
Situation: I have an offline Enterprise Root Certificate Authority (Ent CA) with my Domain Controllers as subordinates in my test environment. Overkill, I know. I have web enrollment set up, but in order for some of the certificate options to work (and it's what you should use for everything on your CertSrv site anyway) you need https working.
Easy enough…pop open the MMC and create a web server certificate request. Easy cheesy, right? Nope. The certificate was created easily enough, but when I tried to add the certificate to the site binding in IIS7 I got the following evil-looking and very generic error message:
There was an error while performing this operation. Details: A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
After some searching through the big series of tubes I found this wonderful article:
http://blog.freakcode.com/2009/02/iis7-certificate-binding-issue.html
Now we're getting somewhere. But here was my dilemma…I requested and installed the web server certificate on the actual server hosting the site and, when generating the request, selected the option to make the private key exportable. So everything is already there, right? Apparently not.
The solution: I exported the certificate, including the private key, to a pfx file, then imported that pfx file back into IIS7 (IIS Manager -> <Server> -> Server Certificates -> Import). And then guess what happened? No more error when adding the https binding, and the site came up secure. There was no duplication in the Certificates snap-in and, as far as I looked, nothing really changed on the server…except, apparently, that "make private key exportable" flag buried somewhere in the bowels of Windows that I couldn't find. What a weird, weird bug.
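What follows is an added example, not from James's post: the same check/export/import round trip done from an elevated PowerShell prompt on the web server (PowerShell 2.0 or later, using .NET and certutil, which both ship with Windows Server 2008) instead of clicking through the MMC and IIS Manager. The thumbprint, PFX path and PFX password are placeholders, and the netsh appid is the GUID IIS registers its own https bindings under. The useful part is step 0: before re-importing anything, confirm whether Windows actually has a private key associated with the certificate, because the 0x80070520 / error 1312 message is HTTP.SYS saying it cannot reach one.

```powershell
# Added example (not from the original post). Run as Administrator on the web server.
# Placeholders, assumed rather than taken from the post:
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # SHA-1 thumbprint of the web server cert
$PfxPath    = 'C:\Temp\webserver.pfx'
$PfxPwd     = 'UseAStrongOneTimePassphraseHere'

# Step 0: what does the machine store really hold for this cert?
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
$store.Close()
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

"{0}  HasPrivateKey={1}" -f $cert.Subject, $cert.HasPrivateKey
if ($cert.HasPrivateKey) {
    # CAPI keys only (the default Web Server template uses the RSA SChannel CSP):
    # which CSP/key container the cert points at, and whether that key is exportable.
    $cert.PrivateKey.CspKeyContainerInfo |
        Select-Object ProviderName, KeyContainerName, MachineKeyStore, Exportable
}
# Same information as certutil prints it. Look for the "Key Container" and
# "Provider" lines; if they are missing, the cert has no key association at all.
certutil -store My $Thumbprint

# Step 1: export certificate plus private key to a PFX.
# Fails with "Key not valid for use in specified state" if the key is not exportable.
certutil -p $PfxPwd -exportPFX My $Thumbprint $PfxPath

# Step 2: import the PFX back into LocalMachine\My, which is what
# IIS Manager -> Server Certificates -> Import does. -f overwrites the existing entry.
certutil -f -p $PfxPwd -importPFX $PfxPath

# Step 3: confirm the key association survived the round trip.
$store.Open('ReadOnly')
$again = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
$store.Close()
"After import: HasPrivateKey={0}" -f $again.HasPrivateKey

# Step 4: register the https binding with HTTP.SYS directly. When the key
# association is broken this is where "Error: 1312 A specified logon session
# does not exist" shows up, i.e. the same failure IIS Manager wraps as 0x80070520.
netsh http add sslcert ipport=0.0.0.0:443 certhash=$Thumbprint appid='{4dc3e181-e14b-4a21-b022-59fc669b0914}'
netsh http show sslcert ipport=0.0.0.0:443

# Step 5: the PFX now holds the site's private key; do not leave it lying on disk.
Remove-Item $PfxPath
```

The netsh step only covers the HTTP.SYS side of the binding; the site binding itself still gets added in IIS Manager (or with appcmd) as in the post. If step 0 already shows HasPrivateKey as false and no "Key Container" line, the export in step 1 will fail too, and the key has to come from wherever the request was originally generated.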
#James Kehr
Get-Member $OW | ?{$_.title –eq “System Administrator”`–and $_.certification –match “MCITP:SA 2008, MCSE 2000, MCDST, Network+, A+”}
New-Variable –name company –value ‘ORCS Web, Inc.’ –description ‘www.orcsweb.com | 1.888.313.9421’