Entrust Certificate Services Support Knowledge Base
Audience: Intermediate
Last Modified: 2008-11-26 14:46:26.0
TN 5656 - Why do I receive "The page cannot be displayed" when using SSL?
Applicable to: Windows 2000 and Windows 2003 running IIS
If you receive "The page cannot be displayed" when connecting to your site through https://, the steps below will help you troubleshoot and possibly resolve the issue.
Step 1 - Check your Port
From the machine that you are using to test your https:// connection, make sure Port 443 is open for TCP inbound/outbound.
At a command prompt type:
C:\> telnet www.yoursitename123.com 443
If you receive a blank screen and the cursor is flashing at the top left of the screen, hit Ctrl-C on your keyboard a few dozen times to break the connection.
You will receive the message "Connection to Host lost". This means that Port 443 is open on your server.
If you receive the message "Connecting To www.yoursitename123.com... Could not open a connection to host on port 443 : Connect failed", this means that Port 443 is closed. Open the port on the firewall and check the properties of the site to make sure Port 443 is being used for SSL.
Step 2 - Check your SSL Certificate installation
If "No Pending Request" was found during your IIS certificate import, some things to look for are:
Are you installing the certificate into the same site and server that generated the request?
If so, try the following:
Use the following steps to create a new Microsoft Management Console (MMC) and add the Certificates snap-in:
1. Click Start, and then click Run.
2. Type in "MMC" (without the quotation marks) and click OK.
3. Click Console in the new MMC you created, and then click Add/Remove Snap-in.
4. In the new window that appears, click Add.
5. Highlight Certificates, and then click Add.
6. Choose the Computer account option and click Next.
7. Select Local Computer on the next screen, and then click Finish.
8. Click Close, and then click OK.
Confirm the Pending Request
1. Expand the list of certificate folders and browse to a folder called "Request(s)".
2. Check to see if you have a pending request. If so, proceed with the following. If not, please refer to http://www.entrust.net/ssl-technical/miis60/csr.cfm and email Entrust your new CSR along with your order number. We will reissue the certificate. If you currently have or would like to use an existing certificate which is different from the one Entrust has issued, please follow this MS KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q295281
Import the Entrust server certificate
1. Right click on the "Request(s)" folder and choose "All Tasks" / "Import"
2. Run the wizard and browse to the server certificate.
3. Finish the wizard.
4. Since your specific request is present in the folder, the cert will bind to this request. Click OK.
Move the keypair to the proper folder
1. Drag and drop the Entrust SSL Certificate to the "Personal" folder. This will create a "certificate folder" if not already present. If the certificate folder is already present under "Personal", drag and drop to this folder. Close MMC.
Assign the certificate through IIS 5.0, 6
1. Launch IIS 5
2. In the properties of the main site, browse to Directory Security and run the "Server Certificate Wizard".
3. Choose the "Assign" value. If not present, remove any pending request or certificate that is presently assigned and restart the wizard.
4. Make sure TCP port 443 is enabled in the SSL section of IIS.
Step 3 - Check your IP bindings
The default Web site is always bound to the Internet Protocol (IP) address and the port combination of "All Unassigned:443" for Secure Sockets Layer (SSL), even though you do not have a certificate bound to the site.
This problem can occur when another Web site on the server has a certificate bound to it and is listening on the IP address and port combination of "All Unassigned:443" for SSL requests. As a result, when a request comes in for a page over HTTPS, the request goes to the default Web site instead of the intended site because the default Web site is also listening on port 443 on "All Unassigned".
Stop all sites. Assign the actual IP address to the site using the certificate. Start up all sites and test your https:// connection to the server. Please note that if you are hosting multiple sites with SSL, each site requires its own unique IP address in IIS.
Step 4 - Check your permissions on MachineKeys
Please try the following to make sure the proper directories have permissions in order to use the keypair.
Change the permissions to the Machinekeys directory and the keys to allow the Administrators group and System account to have full control. To do this, perform the following steps:
In Windows Explorer, right-click on the \Documents and settings\All Users\Application Data\Microsoft\Crypto\RSA\Machinekeys directory or
\Documents and settings\All Users.Winnt\Application Data\Microsoft\Crypto\RSA\Machinekeys directory
Note: These are hidden files. To view these folders and files, select the Show hidden files and folders radio button.
1. Click the Security tab.
2. Click the Add button.
3. In the Look In: dialog box, select the local machine.
4. Add the Administrators group with Full Control.
5. Click Advanced, and then click Add.
6. Select the Everyone group, and then click OK.
7. Make sure the following check boxes are selected:
List Folder / Read Data
Read Attributes
Read Extended Attributes
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Read Permissions
Note: These are the default settings.
8. Click OK.
9. Select the Reset Permissions on all Child objects and enable propagation of inheritable permissions check box.
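A client-side check that separates the failure stages the steps above address, as an added example that is not part of the original Entrust article. The function name, stage labels and the mapping of each stage to a step are assumptions of this example; it uses only the Python standard library and is run from the test machine, not the IIS server.

```python
import socket
import ssl
import sys


def diagnose_https(host, port=443, timeout=5.0):
    """Return (stage, detail) for the first stage at which HTTPS fails.

    connect_failed - no TCP connection (Step 1: port or firewall; also DNS errors)
    tls_failed     - port open, handshake did not complete (Steps 2 and 4)
    cert_invalid   - a certificate was served but does not validate for
                     this host name (Step 2, or Step 3 if another site answered)
    ok             - handshake and validation succeeded; detail lists DNS names
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "connect_failed", str(exc)

    context = ssl.create_default_context()  # verifies chain and host name
    try:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "cert_invalid", exc.verify_message
    except OSError as exc:  # ssl.SSLError, connection reset, timeout
        return "tls_failed", str(exc)
    finally:
        sock.close()

    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return "ok", names


if __name__ == "__main__":
    # Host name is supplied by the operator, e.g. the site under test.
    stage, detail = diagnose_https(sys.argv[1])
    print(stage, detail)
```

A "cert_invalid" result whose detail reports a host name mismatch is the symptom Step 3 describes: a different site answered on port 443.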
Affected Products:
- Entrust Certificate Services 1 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
- Entrust Certificate Services 1 Year SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
- Entrust Certificate Services 2 Year Advantage SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
- Entrust Certificate Services 2 Year SSL Certificate Version Not Applicable Language Not Applicable Platform Not Applicable
- Entrust Certificate Services Enhanced Service Account Version Not Applicable Language Not Applicable Platform Not Applicable
- Entrust Certificate Services Web Hoster Service Account Version Not Applicable English Platform Not Applicable