Tuesday, 3 July 2012

Certificate Bugs - Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.

Welcome to my world - simple things that should work fail miserably due to bugs in products.

Problem
This time I was attempting to add a certificate to a port in order to allow a self-hosted WCF service to work over HTTPS. Most examples are about IIS, which is simpler.

The command was this:

netsh http add sslcert ipport=0.0.0.0:9011 certhash=80f06fa16c2dee8abccddbcb1c0694e7e0c5ffdd appid={08AAC041-869A-4C12-AF5B-999D0F4ABC43}

but it was returning an error:

Certificate add failed, Error: 1312 A specified logon session does not exist. It may already have been terminated.

There are lots of blog entries out there, but in the end I found my problem was due to import bugs in MMC.

There are a couple of checks to make first though:

1. The certificate that you use for HTTPS MUST have a private key.
Therefore when you are creating the certs, create them with the following commands:

To make the root cert:

makecert -sk testRootCA -sky signature -sr localmachine -n "CN=RootTrustedCA" -ss TRUST -r RootTrustedCA.cer

To make the HTTPS server cert, signed by the previous:

makecert -sk testServer -ss MY -sky exchange -sr localmachine -n "CN=Server" -ic RootTrustedCA.cer -is TRUST Server.cer -pe

2. Check whether the hotfix is applicable (it wasn't for me).

3. Try this excellent tool and see whether it gets round the 1312 error (though it is unlikely to if you had the same problem as me).

Solution
Create the certificates as described above. Ensure the server certificate has the private key.

Then I imported the RootTrustedCA into the Trusted Root Certification Authorities store. NOTE - you must do this for the Local Computer account when you open MMC.

Then I imported the Server certificate into the Personal Certificates store.

But here is the thing. If you look at the certificate at this point, it is missing the key symbol indicating that it has a private key. Somehow it has lost the private key.
How did I fix this? Simple, run the makecert command again, and refresh MMC and you'll see that the certificate has gained its private key. There is obviously some horrible bug there.

Now double-click on the certificate and grab the thumbprint. Enter this into the netsh command.

netsh http add sslcert ipport=0.0.0.0:9011 certhash=80f06fa16c2dee8abccddbcb1c0694e7e0c5ffdd appid={08AAC041-869A-4C12-AF5B-999D0F4ABC43}

and hopefully you'll get:

SSL Certificate successfully added
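
A pre-flight check for the steps above, as an added example that is not part of the original post: it confirms that the certificate is in the Local Computer Personal store and still has its private key before calling netsh. The script and its parameter names are illustrative; the thumbprint, port and appid are the ones from the post, and an elevated PowerShell prompt is assumed.

```powershell
# Added example: pre-flight check before 'netsh http add sslcert'.
# Default values are the thumbprint, port and appid used in the post.
param(
    [string]$Thumbprint = '80f06fa16c2dee8abccddbcb1c0694e7e0c5ffdd',
    [string]$IpPort     = '0.0.0.0:9011',
    [string]$AppId      = '08AAC041-869A-4C12-AF5B-999D0F4ABC43'
)

# Text copied from the MMC certificate dialog can carry spaces or invisible
# characters, so keep only the hex digits.
$thumb = ($Thumbprint -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) {
    throw "Thumbprint must be 40 hex characters (SHA-1), got $($thumb.Length)."
}

# netsh looks the certificate up in the Local Computer Personal (MY) store,
# not in the current user's store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    throw "No certificate with thumbprint $thumb in Cert:\LocalMachine\My."
}

# Same condition as the missing key symbol in MMC: without the private key
# the binding is expected to fail with error 1312, as described in the post.
if (-not $cert.HasPrivateKey) {
    throw "Certificate '$($cert.Subject)' has no private key in this store."
}

Write-Host "Found '$($cert.Subject)' with a private key, expires $($cert.NotAfter)."

# Build the appid argument as one string so PowerShell does not treat the
# braces as a script block.
$appIdArg = 'appid={' + $AppId + '}'
& netsh http add sslcert "ipport=$IpPort" "certhash=$thumb" $appIdArg
if ($LASTEXITCODE -ne 0) {
    throw "netsh failed with exit code $LASTEXITCODE."
}

# Show the resulting binding for confirmation.
& netsh http show sslcert "ipport=$IpPort"
```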

3 comments:

  1. Thank you for your good advice. You save my night. Best wishes from Russia.

  2. where do we want to the makecert command

  3. where do we run the command (makecert)
