Login/Register
SSL Certificate add failed when binding to port
Asked Answered
sslhttps
O

29

88

I created a WebService using WCF. I'm doing self hosting and I want to enable HTTPS. From my understanding for this to happen, I need to create a certificate and bind to the port that I want to use.

Here are the steps that I've done to handle this:

  1. Created a Certificate on my local machine to act as the Root Certificate Authority
  • makecert -n "CN=My Root Certificate Authority" -r -sv RootCATest.pvk RootCATest.cer
  1. Opened MMC.exe and imported the saved .cer file into the "Trusted Root Certificate\Certificates\ folder
  2. Created a temporary service certificate from the signed Root Certificate Authority
  • makecert -sk MyKeyName -iv RootCATest.pvk -n "CN=MyMachineName" -ic RootCATest.cer -sr localmachine -ss my -sky exchange -pe MyMachineName.cer
  1. Tried to Bind the Certificate to the Port number (443 in this case)
  • netsh http add sslcert ipport=0.0.0.0:443 certhash=2c5ba85bcbca412a74fece02878a44b285c63981 appid={646937c0-1042-4e81-a3b6-47d678d68ba9}

The result from step 4 is the following error:

SSL Certificate add failed, Error 1312

A specified logon session does not exist. It may already have been terminated.

Does anyone have a clue why I might be getting this error?

Olpe answered 25/10, 2012 at 20:42 Comment(3)
You have to import both the root certificate AND the self signed cert. Then it's working,Ehman
If anyone else runs into this problem and the answers in here do not clearly answer it, the underlying core problem is the private key needs to be imported. If you do not mark the certificate as exportable when you import it, the private key is not imported and you cannot bind it. If you delete it and re-import it and mark it as exportable, then it will work.Fennel
For me the problem was solved by instead of installing the certificate in CurrentUser/My, I (re-) installed it in Local/My .. that was all I had to do.Fairly
T
70

I had the same error. The first time it occurred, as Micheal said, I had to move the certificate under Certificates(Local Computer) -->Personal -->Certificate folder. I had the same error when I imported the same certificate on another machine. The reason was that I was using certmgr.msc to import the certificate. . The window opened thus shows “Certificates – Current User”. Certificates imported using this window cause netsh to fail with the 1312 error. Make sure to use certificate snap-in in MMC to import certificates. The certificate snap-in from MMC shows “Certificates (Local Computer)”. This lets the netsh execution sail through.

Ternopol answered 18/4, 2013 at 18:2 Comment(4)
ditto. That had me for half a day. Thanks so much - M$ please make this more obvious!Babysit
I would like to add bounty to this answer, but it is not selected as the right one..Carltoncarly
If you specify which store the certificate resides in (with certstorename=WebHosting for instance), it works. learn.microsoft.com/en-us/windows/desktop/http/add-sslcertDav
I had to delete the https binding using netsh http add sslcert hostnameport=**:443 certhash=*** appid={***} certstorename=MY then delete the cert and import it again, when i did the import using mmc and certificate, it also imported the signing cert.Southern
B
52
SSL Certificate add failed, Error 1312

A specified logon session does not exist. It may already have been terminated.

I used to have the exact same problem and spent a couple days trying to figure out what the reason was.

To make the long story short: the problem is that you have installed the certificate on the winrm server that does not have PRIVATE KEY.

I have checked this several times. You have to delete your certificate and rebuild it by using makecert for instance, as it is described perfectly here: link

You can easily check if your certificate has private a key as so: mmc - certificates - local machine - personal. Look at the icon of the certificate - it MUST have key sign on the icon.

Berget answered 20/11, 2014 at 13:5 Comment(7)
It resolves my case, exactly. The key point is the icon with a small "key" at the left top corner. Without the "key", 1312. With the "key", success!Minion
This was also my case. I had seen the missing key icon, but I didn't give it much importance. Shame on me.Moujik
If you have a certificate WITHOUT a private key (no Key symbol in upper left corner of certificate icon in SnapIn), YOU CAN ADD A KEY following these steps: support.microsoft.com/en-us/kb/889651 - CAUTION! As with other things related to this, you may end up with a non-printable character (Question Mark in console window) between the opening double quote and the first digit of a Thumbprint or Serial Number if you copy/paste the key from the Details dialog box for the certificate. Delete it! Example: certutil -repairstore my "?ad 59...etc... That '?' needs to go.Nahshun
Sometimes the key sign on the icon is not enough to verify that the certificate has a private key. The reference to the key may have been lost, and you can check this by trying to export the certificate including the private key.Cruces
This was the key for me. No pun intended! I kept importing the .crt file to no avail; importing the .pfx file, which then displayed the key icon, did the trick.Estep
your link seems to be dead. " We're no longer updating this content regularly. Check the Microsoft Product Lifecycle for information about how this product, service, technology, or API is supported."Thais
i have replaced the dead web urlBerget
C
35

I have bought an official Thawte certificate to secure a self hosted (console application) web service over a specific port on our internet server. I then have received the Thawte certificate and installed it with mmc on our Internet server (the certificate then was viewable under „Trusted Root Certification Authorities“ (with the key icon on the image, what shows that the certificate contains a private key what is mandatory to be able to bind it to a port b.t.w.) .

Next step was to enable the <port> for https:

netsh http add urlacl url=https://+:<port>/ user=everyone

(what was no problem)

Next step was to enable the port () for https:

netsh http add sslcert ipport=0.0.0.0:<port> certhash=<thumbprint to certificate> appid={<guid to application>}

This has failed with the error message:
SSL Certificate add failed, Error: 1312 A specified logon session does not exists. It may be already have been terminated.

I then have searched the Internet and tried various suggested workaround’s (without success).

The solution for my case was to add certstorename=Root to the netsh command: 

netsh http add sslcert ipport=0.0.0.0:<port *1)> certstorename=Root certhash=<thumbprint to certificate *2)> appid={<guid to application *3)>}

Notes:
If no certstorename is applied to net netsh command, netsh takes the default, what is MY (what targets the certificate store: “Personal” where self signed certificates are stored normally).
Root targets the certificate store: „Trusted Root Certification Authorities“

*1): The port, you want to use the connection
*2): You can extract the thumbprint to the certificate, if you open the certificate (on a windows system, just doubleclick the certificate in explorer) - select tab “Details” and click on “Thumbprint”. The “thumbprint” then is showed and can be copied. Copy the Thumbprint and remove all spaces...
*3): As appid you can take any ID in the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} as the APPID is only informative. With the command “netsh http show sslcert” you can query the bound certificates on the whole machine and the will see informative, which appid is bound to which certificate (not really helpful in practice b.t.w.) In my case, I have took the (from VS generated) GUID to my web service application

Comedo answered 18/1, 2017 at 13:20 Comment(3)
In my case (IIS 10 on Windows Server 2016) I had to set certstorename=WebHosting because I had imported the certificate into the WebHosting cert. store (the options for the cert. store in IIS Manager were Personal or WebHosting so I went with WebHosting).Cordova
I also had to set certstorename=WebHosting as per @SeaNDol
Thanks. I was facing CORS issue in Firefox connecting my WCF service. Your answer solved my issue. I have facing CORS issue because my web application is https while WCF is http.Econah
M
21

I had been dealing with this issue and I'm using a self-hosted WCF service. I just made the breakthrough:

I had a certificate in the personnel folder for the Machine store. It expired and my manager issued a new one. The new one failed for me with this error. I tried a lot of stuff from Google but in the end, resolved the issue using a completely different solution.

I installed both certificates- the expired one and the newer one. Then I used this command to get a list of them:

certutil -store My

I get this output (info is fake and other certificate are not listed):

================ Certificate 1 ================
Serial Number: 6d
Issuer: [email protected], CN=VoiceTrust Server CA, OU=VoiceTrust Oper
ations, O=VoiceTrust
 NotBefore: 03-Jan-2013 3:33 PM
 NotAfter: 03-Mar-2013 3:33 PM
Subject: [email protected], CN=hornet.voicetrust.com, OU=Software Develop
ment, O=VoiceTrust eServices MENA FZ LLC, L=Dubai, C=AE
Non-root Certificate
Cert Hash(sha1): 98 5f a0 d3 11 6a 4b 64 3b db 0a a4 11 66 fc 08 28 74 7e 53
  Key Container = {E5BC0912-7808-4B89-B457-31946DE5990E}
  Unique container name: dfedfcc149408fb990a3bacd6d31126b_3277b2c9-9894-46d0-9b6
4-30f0d6589239
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed

================ Certificate 2 ================
Serial Number: 6d
Issuer: [email protected], CN=VoiceTrust Server CA, OU=VoiceTrust Oper
ations, O=VoiceTrust
 NotBefore: 03-Nov-2013 3:33 PM
 NotAfter: 03-Dec-2013 3:33 PM
Subject: [email protected], CN=hornet.voicetrust.com, OU=Software Develop
ment, O=VoiceTrust eServices MENA FZ LLC, L=Dubai, C=AE
Non-root Certificate
Cert Hash(sha1): 30 5f a0 d3 11 6a 4b 64 3b db 0a a4 11 66 fc 08 28 74 7e 53
  Key Container = {E5BC0912-7808-4B89-B457-31946DE5960E}
  *Unique container name:* 55edfcc149408fb990a3bacd6d31126b_3277b2c9-9894-46d0-9b6
4-30f0d6589239
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is NOT exportable
Encryption test passed

Now, everything seems OK but certificate 1 is expired and works if I try to bind it to a port whereas Certificate 2 fails with Error 1312.

The key difference that baffled me was the Unique container name property. It should be representing a physical key file on the hard drive in the %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\

For Certificate 1, the file was there but for Certificate 2, there was no such file. After searching I found the file against Certificate 2 in the sub folder of %AppData%\Microsoft\Crypto\ folder. That's user specific keys not Machine level keys. It's amazing that the certificate is being imported into Computer store yet it always keeps the container key of User's store.

I deleted the '55edfcc149408fb990a3bacd6d31126b_3277b2c9-9894-46d0-9b64-30f0d6589239' file under the AppData folder and ran the repair command for my certificate 2 on the store:

certutil -repairstore My 2

This time, the Unique container name was reflecting a file in the proper folder under '%ProgramData%\Microsoft\Crypto\' and everything started working.

Hope this is helpful to someone.

Merv answered 4/11, 2013 at 11:20 Comment(1)
This helped me understand my problem. I used OpenSSL to generate a root CA and SSL cert. When I ran "certutil -store My", the SSL cert said "No key provider information". I executed "openssl pkcs12" against the SSL cert and it now shows "Provider = Microsoft Enhanced Cryptographic Provider v1.0".Vondavonni
U
9

I've been fighting error 1312 all day, what fixed it for me was to import the certificate in mmc as a .p12 file instead of a .crt. If you are creating it with OpenSSL then once you have created the .crt, do:

pkcs12 -export -in server.crt -inkey server.key -name “Your Name” -out server.p12

As described. When you go to import it in mmc it will be a called "Personal Information Exchange" file (and apparently a .pfx file would also work).

I'm new to writing servers and dealing with SSL and I have no idea why this works, but I hope it helps.

Undercoat answered 3/6, 2014 at 22:47 Comment(2)
The first answer that worked for me, not using a self signed cert, but an "official" ssl cert. I simply used the mmc cert management tool to export the full certifcate chain to pfx / p12.Tankersley
I used a self-signed cert created in PowerShell, but received the error in the original question. I only got it working when importing the .pfx into the trusted store, not when importing the .cer.Paquito
H
7

I my case the problem was that the CER file hasn't private key attached.

I've attached PK using those OpenSSL commands:

openssl x509 -in server.der -inform DER -out server.pem -outform PEM
openssl pkcs12 -export -in server.pem -inkey serverkey.pem -out server.p12

Works for CER/DER files.

Harriott answered 11/6, 2014 at 11:10 Comment(0)
O
6

The problem was in step 4. I was using the Thumbprint from the Root Certificate for the value in certhash. To solve this I had to go back to the MMC and refresh the Certificates(Local Computer) -->Personal -->Certificate folder. Then use the Thumbprint from the certificate that is "Issued By" the Root Certificate Authority.

Olpe answered 26/10, 2012 at 18:12 Comment(0)
E
5

I had the same problem and solved importing the certificate using this command:

c:> certutil -importPFX certname.pfx

Now the certificate appear using this command:

c:> certutil -store my

before this command the certificate doesn't appear

Estate answered 26/10, 2015 at 16:43 Comment(1)
This worked for me. 1. c:> certutil -importPFX mynewcert.pfx 2. c:> certutil -store my 3. netsh http add sslcert ipport=0.0.0.0:8000 certhash=<myhash> appid='<mycert>' 4. My netsh "add" error is resolved.Zondra
C
5

This might seem obvious; however, I think it can save someone some time of head scratching. I had imported a file with .cer extension under my Personal certificates folder (for the Personal Computer account). After a while, I realized that I needed to import the file with the *.pfx extension instead. Fixed that and voilà! Problem solved!

Chronister answered 9/1, 2017 at 17:13 Comment(2)
That seems obvious but when you don't realize that you need that PFX ... Thanks !Pervasive
this helped me to fix same issue too. Once I understood that the .cer file contains only the public key... Then I create the pfx file with this command: openssl.exe pkcs12 -export -in Certificat.cer -inkey CertificatePrivate.key -out MyCertificate.pfx -> and import it successfully.Aklog
F
4

If anyone else runs into this problem and the answers in here do not clearly answer it, the underlying core problem is the private key needs to be imported. If you do not mark the certificate as exportable when you import it, the private key is not imported and you cannot bind it. If you delete it and re-import it and mark it as exportable, then it will work.

It also needs to be the local machine store as others have pointed out.

Fennel answered 27/9, 2017 at 21:0 Comment(1)
The last line of this answer got me on the right track. I was running into the same 1312 error with the Certificate in the WebHosting Certificate Store. I added it to the Personal Certificate Store which resolved the error. Apparently it's using certstorename=MY which is the enum for The X.509 certificate store for personal certificates.. There appears to be no enumeration for WebHostingCompetitor
C
2

There are multiple ways of receiving this error (see above for other answers).

Another way to receive this specific error is to attempt to bind a certificate to a port when the certificate is not in the appropriate store.

Verify that the certificate is stored in the localMachine Root store (you can use certutil or certmgr.exe from command line to dump it correctly).

updated grammar :)

Catfall answered 7/1, 2014 at 21:25 Comment(0)
O
1

If:

  1. you didn't have IIS on your machine (working with self-hosted WCF let's say), and
  2. you made your cert request on another machine using IIS Manager (because you didn't understand that the private key comes from ciphers embedded in the cert request - and later the issued .pb7)

then:

  1. just go install the .pb7 on the IIS machine you used to make the cert request (local machine/personal/certificates - using mmc);
  2. export the cert from that machine, including its private key (assign password); and
  3. install it using mmc on the WCF server (local machine/personal/certificates - using mmc).

Then, netsh will let you bind to port 443. No more 1312 errors.

Oconnell answered 3/4, 2015 at 19:9 Comment(0)
K
1

Just to throw yet another answer into the ring, this is the problem I had:

Although I imported my certificate into the (Local Computer)\... certificate store, I had imported it into the Trusted Root Certification Authorities section. I needed to import it into the Personal section, otherwise this error occurred.

Kulda answered 24/2, 2016 at 16:12 Comment(0)
G
1

In my case while creating the certificate I chose a different name than My for my Cert Store name. The default name is MY. So if yours is different append certstorename=Your provided store name to the command.

Glochidium answered 17/1, 2017 at 7:28 Comment(0)
P
1

In my case, i have missing the certificate private key.

Primateship answered 3/12, 2018 at 17:12 Comment(0)
D
1

IF you imported the certificate using .NET, specific import flags must be used:

/// <summary>
/// Imports X.509 certificate from file to certificate store.
/// </summary>
/// <param name="fileName">Certificate file.</param>
/// <param name="password">Password.</param>
/// <param name="storeName">Store name.</param>
/// <param name="storeLocation">Store location.</param>
public static void ImportCertificate(string fileName, string password, StoreName storeName, StoreLocation storeLocation) {
    var keyStorageFlags =
        X509KeyStorageFlags.PersistKeySet
        | (storeLocation == StoreLocation.LocalMachine ? X509KeyStorageFlags.MachineKeySet : X509KeyStorageFlags.UserKeySet);
    var cert = new X509Certificate2(fileName, password, keyStorageFlags);
    var store = new X509Store(storeName, storeLocation);
    store.Open(OpenFlags.MaxAllowed);
    store.Add(cert);
    store.Close();
}

The ImportCertificate method is a part of the Woof.Security package created by me.

Darling answered 18/7, 2019 at 17:44 Comment(0)
Z
1

This is my summary of all the fixes in this thread and how it worked for me:

  1. Find "Windows PowerShell", right-click on the icon, and choose "run as administrator".
  2. Find "Wordpad", right-click on the icon, and choose "run as administrator". (this is so you can copy and paste between PowerShell and Wordpad.)
  3. In PowerShell run "netsh HTTP show sslcert".
  4. From the info that shows, copy the "Certificate Hash", "Application Id", and "Certificate Store Name". (You'll need all these in a moment.)
  5. (If you need to) locate your *.cer or *.crt file and export it as a *.pfx file.
  6. In Powershell, navigate to the folder of your *.pfx file.
  7. Now run "certutil -importPFX .pfx".
  8. Then run "certutil -store my" to show the installed certs.
  9. Now using the info from step #4 run this "netsh http add sslcert ipport=0.0.0.0:8000 certstorename= certhash= appid='' (I had to put them in this order, with my cert store name, and single quotes around the app id.)
  10. Check that the SSL cert was added by running "netsh HTTP show sslcert" again.
Zondra answered 23/2, 2021 at 22:51 Comment(0)
A
1

I was getting this error when trying to deploy from an Azure Devops pipeline to a Windows Server box running IIS. The pipeline should deploy the site to IIS and then create an https binding where the existing certificate in the computer cert store was referenced by it's thumbprint. In the pipeline the thumbprint was meant to be drawn from variable group - however the correct variable group wasn't linked to the pipeline (and the variable name was wrong) - so it got nothing.

Basically the wrong thumbprint was being used to identify the cert, I suspect it wasn't giving a standard "can't find the SSL cert" message because I was attempting to find the cert with a null.

Alvaalvan answered 22/11, 2022 at 4:32 Comment(0)
P
0

I had exact same problem eventhough my .pfx file had private key. Adding of certificate with MMC console was successful, but adding programatically using .Net X509Store.Add(X509Certificate2) method failed every time with error 1312. Certificate even had a key sign on the icon.
After several days finaly decided to make new certificate using makecert.exe as suggested in posts here. After that everything was fine. Key appeared in %ProgramData%\Microsoft\Crypto\RSA\MachineKeys. For some reason my earlier pfx file was not compatible.

In my experience, as long as your key in not appearing in %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\, binding with 'netsh http add sslcert ....' will fail.

Palaeontography answered 29/1, 2015 at 8:37 Comment(0)
G
0

The certstorename argument should be the string value of the StoreName enumeration from the .net framework namespace System.Security.Cryptography.X509Certificates.

Godmother answered 9/6, 2016 at 14:45 Comment(0)
Z
0

I've being working on this for hours, and basically read through what @DoomerDGR8 said above, but my fix was a lot more simple. I ran 

 C:\Windows\system32> certutil -store TRUSTEDPUBLISHER

This listed several certificates I have installed, I then ran repair store on the certificate that I was having a problem installing with netsh. 

C:\Windows\system32> certutil -repairstore TRUSTEDPUBLISHER 6

The number 6 at the end represents the index of your certificate, found at in the store, hope this helps

Zugzwang answered 11/7, 2016 at 16:9 Comment(0)
P
0

I had the same error when creating self signed certificate with OpenSSL(BouncyCastle) I resolved it with help from this post: Cannot export generated certificate with private key to byte array in .net 4.0/4.5

I had to add:

        RsaPrivateKeyStructure rsa = RsaPrivateKeyStructure.GetInstance(seq); //new RsaPrivateKeyStructure(seq);
        RsaPrivateCrtKeyParameters rsaparams = new RsaPrivateCrtKeyParameters(
            rsa.Modulus, rsa.PublicExponent, rsa.PrivateExponent, rsa.Prime1, rsa.Prime2, rsa.Exponent1, rsa.Exponent2, rsa.Coefficient);

        var rsaPriv = DotNetUtilities.ToRSA(rsaparams);

        var cspParams = new CspParameters
        {
            KeyContainerName = Guid.NewGuid().ToString(),
            KeyNumber = (int)KeyNumber.Exchange,
            Flags = CspProviderFlags.UseMachineKeyStore
        };

        var rsaPrivate = new RSACryptoServiceProvider(cspParams);**

        // Import private key from BouncyCastle's rsa
        rsaPrivate.ImportParameters(rsaPriv.ExportParameters(true));

        // Set private key on our X509Certificate2
        x509.PrivateKey = rsaPrivate;
Phaih answered 31/1, 2017 at 10:46 Comment(0)
U
0

So to add (yet) fix/situation.

I had C# code that used BouncyCastle to create self-signed certificates.

<packages>
  <package id="BouncyCastle" version="1.8.1" targetFramework="net45" />

So my code created the certificates AND placed them in the correct locations in the Cert-Store.

Using the hints here, my install of On Premise Service Bus 1.1 was failing...and that led me here.

I ended up DELETING both certificates my BouncyCastle code had created (from the cert store) and reimporting them (with private keys)....and it all worked. I imported FIRST to the

Certificates (Local Computer) / Personal / Certificates

then I copied pasted (in the mmc) to any other places (stores) I needed them.

My "before" and "after" looked exactly the same from my eyes in MMC, BUT it fixed the issue. Go figure.

Usurpation answered 28/4, 2017 at 19:37 Comment(0)
L
0

I just had yet another error. I renewed an expired cert for our WorkFolders service from our CA using the same private key. Then I always got Error 1312. Even if Certificate Management shows I have a private key.
I could only solve the problem by re-issuing a new certificate (without the renew option). Then it worked on the first try.
Maybe this will help someone who also tried the renew option.

Lorilee answered 8/5, 2017 at 10:56 Comment(0)
P
0

For me the problem was solved by ensuring that the certificate hash I was using in my command line, corresponded to the certificate installed on my server:

netsh http add sslcert ipport=0.0.0.0:8081 certhash=1061a577f0cc1c428186000dc84f02a7111ca1b2 appid={GUID}

Parsonage answered 9/6, 2020 at 15:14 Comment(0)
D
0

On my side, the files provided were a P7B file together with a bunch of cert files. After getting stuck, I asked for my colleague's help and he gave me an idea to import the certificates together with the private key via a PFX.

This article gave me the instruction to convert the P7B file into PFX. To summarize, you simply have to do the following:

  1. Use openssl to convert the P7B file into PEM first
  2. Convert the PEM file into PFX

You can now import the PFX file. Better to read the article I stated above because it has significant information to note.

Devlen answered 28/8, 2020 at 15:4 Comment(0)
P
0

Finally I solved it. The problem is the certificate file. I tested it other mac and failed it. Here is my solution.

  1. Remove .cer file
  2. Re-create certificate file.
  3. If failed, also re-create CSR file.

Thank you.

Prairial answered 14/6, 2022 at 9:2 Comment(0)
A
0

Looks like this is a generic error. My fix is unlike all the rest.

Using Azure Devops for a deployment, the step IIS Web App Manage has the cert hash buried/hidden in IIS Bindings (which the only way to see the cert hash is to edit that specific piece), so you have to update the hash so it matches on the server you're deploying to. And voila, you're set.

Angelineangelique answered 14/9, 2022 at 21:14 Comment(0)
O
0

After trying multiple solutions without success, I had the .pfx sitting on my desktop and right-clicked and chose Install PFX. I walked through the process that way and... it worked. I'm clueless as to why, but maybe that'll help someone.

Octarchy answered 12/10, 2023 at 15:24 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.