Do I need to install all the certificates that I received?

Yes. If you do not install all the received certificates, you will receive "not trusted" messages when you go to the secure area of your web site.

I have accidentally deleted my "pending request" or "private key"

First check your backups and see if you can re-install the "pending request" or "private key". If you don't know how to re-install the key from your backups, then contact your systems administrator. Failing that, contact your server software vendor for technical support. The only alternative course of action is a re-issuance of the certificate after you submit a replacement CSR.

I am being told that my Certificate/Key is invalid

There may not be a corresponding 'private key' or 'pending request', or the key that is found is not the one that matches the certificates.

Do I need to use IP based hosting or Name based hosting?

Name based hosting is rarely used in production environments.
IP based hosting should be used due to the way that the SSL protocol works.

I get 'The Page Cannot Be Displayed' when going to the HTTPS page

Is the SSL port open? This is usually port 443.
Is the firewall set to allow the SSL port through?
Has the server been rebooted?
Make sure 'Use SSL 3.0' is ticked in the web browser options.

I get the message "There are secure and non-secure items on the page? Would you like to proceed?"

The message means that there are embedded objects or HTML tags on the page that are not being called securely. For example, a page may be loaded securely (HTTPS) but contain an image tag within its source code such as IMG SRC=http://www.yyy.com/image.gif. In this case the image is being called with an absolute URL using the non-secure (HTTP) protocol.
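A way to find the tags that trigger this message, as an added example that is not part of the original FAQ. It scans a page's HTML for embedded resources requested with an absolute http:// URL; the function name, the tag list and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch an embedded resource when the page
# loads. Plain <a href> links are navigation, not embedded content, so they
# do not cause the secure/non-secure prompt and are skipped.
FETCH_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "frame": ("src",),
    "embed": ("src",), "input": ("src",), "object": ("data",),
    "link": ("href",), "body": ("background",),
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        for name, value in attrs:
            if name in FETCH_ATTRS.get(tag, ()) and value:
                url = value.strip()
                if url.lower().startswith("http://"):
                    self.findings.append((self.getpos()[0], tag, url))

def find_insecure_references(html_text):
    """Return every embedded resource that is requested over plain HTTP."""
    finder = MixedContentFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

# Constructed sample page (not from a real site).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://www.yyy.com/js/app.js"></script>
</head><body>
<IMG SRC=http://www.yyy.com/image.gif>
<img src="/images/logo.gif">
<a href="http://www.yyy.com/about.html">About</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_insecure_references(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url} over plain HTTP")
```

Relative URLs such as /images/logo.gif inherit the page's scheme, so they are loaded over HTTPS and are not reported.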

Can I change the IP address?

The certificate is not bound to any specific IP address. It is bound to the fully qualified domain name such as www.comodo.com.

When I access my secure site (https), a certificate for another site is displayed

This problem occurs if you assign the same IP address to each host in your config file. SSL does not support name based virtual hosting (host headers are encrypted in SSL), so only the first certificate listed in your config file will be sent.

Browsers are saying that something is not trusted

The Root Certificates and/or Intermediate Certificates may not be installed correctly. This can be checked by clicking on 'View Certificates' when you get the error message and seeing if all three certificates are visible.
It may also be that the certificate being used is not for the Fully Qualified Domain Name. Check again using 'View Certificates' to see if the domain name on the certificate matches the domain name in the URL that you are going to.
Check your 'Internet Options' and make sure that 'Use SSL 3.0' is ticked in the 'Advanced' section.

Error: "Schannel error = 80090304.Invalid Password"

There are quite a few possible causes for this error. Please check each of the following:

This error message can occur if you are specifying 2 text files and not a text file and a key file.
Usually the CSR and certificate are imported, causing this problem.
The CSR and certificate are both public key files.
You must use the backup of your private key (.key).

When installing a certificate in IIS you need two files, a Private key file, which is in a .key file format and a certificate file, which is a .txt (text) format.

This error message can occur due to a bug in the schannel.dll file, which your server uses to store the key passphrase.

You can download a corrected schannel.dll file for NT.
Replace the schannel.dll on your IIS 3 server with this one.
The fix is also included in the Service Pack.

This error can occur if you generated your private key using ApacheSSL and have transferred it over to an IIS machine; you must convert the key to a format IIS will understand before you can import it. You will get this error if you try to import a key that Key Manager does not understand.

Follow the instructions below to convert a private key from Apache to IIS:
Locate ssleay/openssl binary.
It should be on your path. The following commands assume that you can type "ssleay/openssl" directly. You may have to prefix the command with the path to the binary, or move the binary into your path, or update your path to include the directory containing the ssleay/openssl binary.

Locate the key.
Find the correct key. For example a file called www.sitekeyfile.com.key.


Convert the key to NET format.
The following command is used to create a copy of the key in "NET" format. You will have to give a passphrase to read the key if you are creating encrypted keys. You will then have to give a new passphrase to protect the new NET format key. The following command should produce a new key file in NET format:
ssleay/openssl rsa -in www.sitekeyfile.com.key -out www.site.com.iiskey -outform NET
Copy the key and the certificate to a floppy disk.

Start key manager and import the key.
Open key manager and select the Key menu item.
Select Import, and choose to import from a keyset file.
When prompted for filenames, give the filename of the key and the filename of the certificate on your floppy.
Click OK.
You will be prompted for a passphrase; this is the one for the NET format key.
Back up your private key immediately to a Microsoft Key Backup file. Make a note of the passphrase you used to protect the backup and store the backup in a safe place. You should now have the key visible in your Key Manager, and you should be able to configure SSL on the IIS server.

This error message can also occur if you are trying to install the certificate on the wrong key.
Check any other keys you have in Key Manager, to see if the certificate installs.
Your private key file can be found in Key Manager, under the www service, represented graphically by a Key Icon.

This error message occurs if you are using the incorrect password for the private key.
The password is case sensitive.

Error: "CAPI2 error = 80093005. Invalid Certificate"

There are a number of possible causes for this error:
Make sure the certificate is in the correct format.
Check that the certificate starts with:
-----BEGIN CERTIFICATE-----
and also ends with
-----END CERTIFICATE-----
with no leading or trailing spaces before and after the Begin and End lines.
When selecting "Install a Key Certificate", make sure that you are specifying the correct path and filename to the certificate file.
This error may also be caused by a bug in the Service Pack. Follow these instructions to install the fix:
Download the Microsoft fix from the following URL:

Error: "The certificate is invalid. Please double-check that you have chosen the correct file. CAPI2 error = 80093009"

Make sure the certificate is in the correct format.
Check that the certificate starts with:

-----BEGIN CERTIFICATE-----
and ends with
-----END CERTIFICATE-----

with no leading or trailing spaces before and after the begin and end lines.
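The format check described for CAPI2 errors 80093005 and 80093009, as an added example that is not part of the original FAQ. It verifies the BEGIN and END lines, flags stray whitespace around them, and confirms the text in between decodes as base64 to DER data; the function name and the sample body are constructed for illustration.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def check_certificate_text(text):
    """Return a list of formatting problems; an empty list means none found."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[-1] == "":
        lines.pop()                      # a single final newline is normal
    if not lines:
        return ["file is empty"]
    problems = []
    for line, marker, name in ((lines[0], BEGIN, "BEGIN"), (lines[-1], END, "END")):
        if line.strip() != marker:
            problems.append(f"{name} CERTIFICATE line is missing or not in place")
        elif line != marker:
            problems.append(f"spaces before or after the {name} line")
    if problems:
        return problems
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:                   # binascii.Error is a ValueError
        return ["text between the BEGIN and END lines is not valid base64"]
    if not der.startswith(b"\x30"):
        problems.append("decoded data does not start with a DER SEQUENCE (0x30)")
    return problems

# Constructed body: base64 of five arbitrary DER bytes, NOT a real certificate.
SAMPLE_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()

if __name__ == "__main__":
    samples = {
        "clean": f"{BEGIN}\n{SAMPLE_BODY}\n{END}\n",
        "trailing space": f"{BEGIN}\n{SAMPLE_BODY}\n{END} \n",
        "blank first line": f"\n{BEGIN}\n{SAMPLE_BODY}\n{END}\n",
    }
    for label, text in samples.items():
        print(label, "->", check_certificate_text(text) or "OK")
```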

Error: "Cannot install the certificate because it does not match the certificate requested."

There are three possible causes for this error. Please check each of the following:
To install SSL you need to attach a Private key to a Public Key (Certificate file). Check that you are using the correct files by doing the following:

Open the file you are using, and check that it is not your certificate request file, which would contain a -----BEGIN CERTIFICATE----- line.
You should be attaching a private key file to the certificate.
This file format is in a .key format (hexadecimal (binary) format) and not a text format.

This error will also occur if you are not attaching the certificate to the correct private key file.

This error will also occur if you have just recently renewed the Certificate and are trying to install the old Certificate on the new Key. The Renewed Certificate can take up to 3 days to be issued.

Error: 'This page must be viewed over a secure channel'

Microsoft IIS is configured to require a secure channel.
Un-check the box that says 'Require Secure Channel'

I get an intermittent server not found message when trying to access my site.

If the web server is set to check the Certificate Revocation List and the server is down, this can cause a time-out of the operation.
The cause will not be the certificates, but something related to the browser timing out on the operation.

How do I back up my private key file in IIS4?

Go into Key manager within IIS4
Save the private key using the method: Key, Export Key, Backup File.
The default format is a .key file.
Store the exported key in a secure location like a disk. It is important to make a copy of the private key that does not reside on the actual server, in the event of a server crash.
If you forget the private key password you won't be able to restore the private key.

Can I import my ApacheSSL based key into MSIIS?

You need to convert the private key to NET format, as follows:

openssl rsa -in server.key -out serverkey.net -outform NET

How to move a certificate from IIS 4.0 to Apache?

Export a backup file of the Certificate from the Key Manager.
From the Key menu in Key Manager, choose Export Key and then Backup File.
After reading the warning about downloading sensitive information to your hard disk, click OK.
Type the key name in the File Name box, and click Save.
The file is given a *.key file-name extension and is saved to a 3 1/2" disk on the a: drive or your hard disk drive.
Store the back-up file on the hard drive AND off the server.
Find this string in the binary file: "private-key".
Trace back until you find this Hex value: "30 82".
Write from that position to a new file (tmp.bin).
With OpenSSL, run: ssleay rsa -inform NET -in tmp.bin -out key.pem
Type in your password.
The file that is created is the private key. You will use this key to install the certificate into Apache.
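The "find the string, trace back to 30 82, write from that position" steps above, as an added example that is not part of the original FAQ. The function names and the sample bytes are constructed for illustration; the sample is not a real Key Manager backup, and the length check relies only on 30 82 being a DER SEQUENCE tag followed by a two-byte length.

```python
import os

MARKER = b"private-key"
SEQ_TAG = b"\x30\x82"      # DER SEQUENCE tag followed by a two-byte length

def extract_net_key(backup):
    """Return the bytes from the last 30 82 before 'private-key' to end of file."""
    marker_at = backup.find(MARKER)
    if marker_at < 0:
        raise ValueError("'private-key' string not found in the backup file")
    start = backup.rfind(SEQ_TAG, 0, marker_at)     # trace back from the string
    if start < 0:
        raise ValueError("no 30 82 found before the 'private-key' string")
    declared = int.from_bytes(backup[start + 2:start + 4], "big")
    if start + 4 + declared > len(backup):
        raise ValueError("length after 30 82 runs past end of file: "
                         "wrong offset or truncated backup")
    return backup[start:]

def write_private(path, data):
    """Create the output file for its owner only and refuse to overwrite."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(data)

# Constructed sample: made-up header bytes followed by a made-up structure that
# starts with 30 82 and contains the "private-key" string. No real key material.
_inner = b"\x04\x0b" + MARKER + b"\x00" * 300
SAMPLE_NET = SEQ_TAG + len(_inner).to_bytes(2, "big") + _inner
SAMPLE_BACKUP = b"KEYFILE-HEADER\x00\x01\x02" + SAMPLE_NET

if __name__ == "__main__":
    blob = extract_net_key(SAMPLE_BACKUP)
    print(f"NET data starts {len(SAMPLE_BACKUP) - len(blob)} bytes into the "
          f"backup and is {len(blob)} bytes long")
    # For a real backup: write_private("tmp.bin", blob), then run the ssleay
    # command from the steps above on tmp.bin.
```

Writing tmp.bin with owner-only permissions matters because the file still holds the passphrase-protected private key; delete it once key.pem has been created.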

How do I move my certificate/key pair from IIS 4 to IIS 5?

First, export the certificate from IIS 4/Windows NT.
From the Key menu in Key Manager, choose Export Key and then Backup File.
After reading the warning about downloading sensitive information to your hard disk, click OK.
Type the key name in the File Name box, and click Save. The file is given a *.key file-name extension and is saved to a 3 1/2" disk on the a: drive or your hard disk drive. You can then import it into the new server.

Second, install the backup file to Microsoft IIS 5.
Open Internet Services Manager, or the MMC containing the Internet Information Services snap-in.
Expand Internet Information Services and browse to the Web site you need to import the key to.
Right-click on the site and then click Properties.
Click the Directory Security tab.
Under the Secure Communications section, click Server Certificate.
Note: If the site already has a certificate assigned, remove the assigned certificate.
On the Web Site Certificate Wizard, click Next.
Select "Import a certificate from a Key Manager backup file". Click Next.
Browse to Key Manager backup file. The backup file must have a .key extension.
Type in the password that was entered when the key was created using IIS 4/Windows NT.
The backup is now successfully installed.

Error: "Improperly formatted DER message"

Netscape implemented the standards that existed at the time Navigator 4.0 was released, and it will crash when it sees an unknown data type.
Do not include any Unicode characters in the CSR file submitted to us.
Unicode characters include:

! @ # $ % ^ * ( ) ~ ? > < & / \ : ; .

Port 443 must be enabled in two places in IIS4:

The first place that it must be enabled is in Key Manager.
Right-click the key in Key Manager, choose Properties and put 443 as the SSL Port.
The second place to enable port 443 is in IIS Directory Properties.
Right-click the domain that is being secured (HTTPS), go into Properties, Directory Security and enable port 443 as the SSL Port.

My certificate says it has a nonvalid digital signature, what can cause this?

  • The intermediate Comodo SSL Certificate has not been installed; you must use the one that came with the site certificate
  • The wrong intermediate Comodo certificate has been installed; you must use the one that came with the site certificate