
How to add / import SSL keys into NT4/IIS4?


SumGuy

1:20 am on Oct 5, 2018 (gmt 0)


I started the recent thread "Do I need to convert my company website to https?" and the take-away was that it should be pretty easy to do, so why don't I do it?

So here is where I'm at in this process. My site is currently running on an NT4 server running IIS4.

There are a number of files used in the creation of a domain validation SSL certificate:

I used the ZeroSSL online tools [zerossl.com...]

I used the SSL Certificate Wizard, entering only my email (email@example.com) and company domain (example.com and www.example.com) as the domains.

This generated a CSR file, which I downloaded: "csr" appears in the filename, the beginning sequence of which is: -----BEGIN CERTIFICATE REQUEST-----

Next the wizard generated an account key, which I downloaded. The text "account-key" appears in the filename, and it begins with the sequence: -----BEGIN RSA PRIVATE KEY-----

The next stage is verification, where the wizard requires the creation of specific filenames with specific contents: the web page tells you what they are. There is one file for each domain, so two files - one for www.example.com and the other for example.com. These are created under <website-root>\.well-known\acme-challenge.

Once verified, the wizard presents an account ID (new-account-key.txt) which is a short sequence of digits: It's used in conjunction with the email entered into the wizard to facilitate recovery of the certificate(s)/keys.

I download the certificate (new-domain-crt.txt) which begins with the sequence: -----BEGIN CERTIFICATE-----

There are two such entries in the file (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----): I assume 2 entries for the two domains.

I downloaded the domain key (new-domain-key.txt) which begins with the sequence: -----BEGIN RSA PRIVATE KEY-----

I've placed all these files on the NT4 server. The wizard talks about using the domain certificate with the domain key, not the LetsEncrypt key. I believe the LE key is called the Account Key, and can be used when renewing the domain certificate & key without going through the verification process again.

On the NT4 server, in the Key Manager, under Key, I can Create New Key, or Import Key. I assume that I've already created the key, so I select Import Key. I'm asked for the location of 2 files (which right now I can't recall, but I assume these are what I created above) and it's asking for a password, for which I have no clue what sort of password it wants. At no point was I asked for a password: I don't know what IIS4 expects here. The text box is short, so I doubt it's a key. I've tried my NT4 admin password, but I get an error when I go forward with that. So that's where I'm kinda stuck right now.
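An added example, not code from this thread or from ZeroSSL's wizard, showing where the contents of those two challenge files come from and giving a small inventory helper for the downloaded PEM files. Under ACME (RFC 8555) the body of each file under .well-known/acme-challenge/ is the CA-issued token, a dot, and the RFC 7638 thumbprint of the account key's public half; the same account key therefore yields a different body for every token. The script assumes the account key is a PKCS#1 "RSA PRIVATE KEY" PEM like the one described above and uses only the Python standard library; DEMO_DER is a constructed, deliberately tiny key so the script runs offline, and the token strings are made up.

```python
"""ACME http-01 challenge contents and PEM inventory (stdlib only).

Added example; not code from the original posts or from ZeroSSL. Assumes the
account key is a PKCS#1 "RSA PRIVATE KEY" PEM. DEMO_DER is a constructed toy
key for the demo only; never use anything like it for real.
"""
import base64
import hashlib
import json
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block, in file order.

    A certificate bundle with two CERTIFICATE blocks is a chain: the server
    certificate first, then the CA certificate that issued it."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_public_from_pkcs1_der(der):
    """Return (n, e) from a PKCS#1 RSAPrivateKey: SEQUENCE { version, n, e, d, ... }.

    Only the first three INTEGERs are read; the private fields are never touched."""
    tag, body, _ = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body) and len(ints) < 3:
        tag, value, pos = der_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER in RSAPrivateKey")
        ints.append(int.from_bytes(value, "big"))
    if len(ints) != 3:
        raise ValueError("truncated RSAPrivateKey")
    _version, n, e = ints
    return n, e


def rsa_public_from_pem(text):
    """Public (n, e) of the first RSA PRIVATE KEY block in a PEM file."""
    for label, der in pem_blocks(text):
        if label == "RSA PRIVATE KEY":
            return rsa_public_from_pkcs1_der(der)
    raise ValueError("no RSA PRIVATE KEY block found")


def b64url(data):
    """base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def int_to_b64url(i):
    """Minimal big-endian unsigned encoding, as used for JWK 'n' and 'e'."""
    return b64url(i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big"))


def jwk_thumbprint(n, e):
    """RFC 7638: SHA-256 over the JWK's required members only, keys sorted, no whitespace."""
    jwk = {"e": int_to_b64url(e), "kty": "RSA", "n": int_to_b64url(n)}
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode("ascii")
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token, n, e):
    """RFC 8555 section 8.1: challenge file body is token '.' thumbprint(account key)."""
    return token + "." + jwk_thumbprint(n, e)


def challenge_files(tokens_by_domain, n, e):
    """Map each domain to (path under the web root, file body) for http-01.

    The CA fetches http://<domain>/.well-known/acme-challenge/<token> over plain HTTP."""
    return {domain: (".well-known/acme-challenge/" + token, key_authorization(token, n, e))
            for domain, token in tokens_by_domain.items()}


# Constructed demo key: SEQUENCE { version 0, n = 257, e = 3 } and nothing else.
DEMO_DER = bytes.fromhex("300a02010002020101020103")
DEMO_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
            + base64.encodebytes(DEMO_DER).decode("ascii")
            + "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    n, e = rsa_public_from_pem(DEMO_PEM)
    # Tokens are issued by the CA per challenge; these two are made up for the demo.
    for domain, (path, body) in challenge_files(
            {"example.com": "tokenA", "www.example.com": "tokenB"}, n, e).items():
        print(domain, path, body, sep="\n  ")
```

On the real files, `pem_blocks(open("new-domain-crt.txt").read())` lists the block labels in the bundle, and `rsa_public_from_pem(open("account-key.txt").read())` yields the (n, e) pair that the thumbprint is built from; only the modulus and public exponent leave the parser, but keep the account key and domain key files off any shared location all the same, since whoever holds them can renew or impersonate.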

justpassing

8:23 am on Oct 5, 2018 (gmt 0)


I know this is off topic, but maybe you should consider upgrading to a much more recent version of IIS/Windows. NT4 is very old, and I suspect it contains security holes which have not been fixed for a while.

[edited by: engine at 1:09 pm (utc) on Oct 5, 2018]
[edit reason] Edit typo at member request [/edit]

dstiles

10:19 am on Oct 5, 2018 (gmt 0)


NT4 does not support many features needed for HTTPS sites. Even the Windows version I use, Server 2012, struggles with some features such as TLS v1.3. Also, I don't think LetsEncrypt will work - never got it working on my server, anyway.

SumGuy

12:37 pm on Oct 5, 2018 (gmt 0)


We run no server-side scripts, so I'm not interested in changing the server OS due to security or hackability (after operating for 19 years I'm sure it's not hackable now). I'm only looking at this https stuff to see if there's some people that browse to our site and are turned off because it's only http not https.

I forgot to mention that in addition to creating the account-key.txt file, a csr.txt key (Certificate Signing Request) is also created. I think what happens is that the account-key is used to securely transfer the CSR to the certifying authority. The CSR contains (encrypted) the domains for which you want a domain validation certificate. I think that if the domain information doesn't change (hence the same CSR file), you can use the account-key with the CSR to renew the certificate (the domain-crt.txt) and the domain-key.txt without going through the validation steps again.

I believe the 2 fields requested by the KeyManager are the domain-crt.txt file and the domain-key.txt file. The password textbox appears in the same dialog box as a third field and appears quite short, although I never attempted to determine its maximum length.

...And there's more. The DV (domain validation) certificate is a "baseline" certificate. We probably want an EV (Extended Validation) certificate - the one required by modern browsers to put a green, closed padlock (e.g. Firefox) next to the URL. This requires a more rigorous validation process by a CA, such as validating the government-issued business number, telephone/FAX numbers, physical address validation, etc. See [en.wikipedia.org...] for more info. After all, a malicious entity can create a phony website (maybe using internationalized domain names (IDNA), i.e. punycode) to mimic a legit website, whose URL can be contained in a malicious email, etc. Since it's under the fraudsters' control, the validation process to obtain a DV certificate (such as what LetsEncrypt gives us) is trivial.

justpassing

3:08 pm on Oct 5, 2018 (gmt 0)


I'm not interested in changing the server OS due to security or hackability (after operating for 19 years I'm sure it's not hackable now)

hum...