You are currently offline, waiting for your internet to reconnect

Troubleshooting "Invalid Password" Error Using SSL Certificates

This article was previously published under Q186796
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
SUMMARY
This article describes how to troubleshoot the "Invalid Password" errormessage.

NOTE: This error is a generic message that can indicate many differentproblems; the least likely being that the password is in fact, incorrect.This document provides a systematic approach to addressing, if notresolving this issue.
MORE INFORMATION
  1. Is the password being entered correctly?

    Password problems often result from having the CAPS LOCK key set on thekeyboard. Although this is often checked, it is mentioned for the sake ofthoroughness. Also double-check that you are not using an old password.
  2. Has the Signed Certificate been corrupted in some way?

    Because the Certificate is issued through e-mail, there are a fewformatting errors that may result. The Certificate may go through severalmail servers before it reaches the destination server and the mail isretrieved by an e-mail client that formats the document. cc:Mail is knownto add spaces at the beginning and end of each line of the Certificate.Outlook sometimes moves the "----End Certificate----" line up to the lastline of the Certificate. Manual removal of these formatting issues oftenresolves the "invalid password" error.

The following is a Signed Certificate as it may appear in the message youreceive from Verisign:
   -----BEGIN CERTIFICATE-----   JIEBSDSCEXoCHQEwLQMJSoZILvoNVQECSQAwcSETMRkOAMUTBhMuVrM   mIoAnBdNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMRwwGgYDVQ   QLExNQZXJzb25hIENlcnRpZmljYXRlMSQwIgYDVQQDExtPcGVuIE1hc   mtldCBUZXN0IFNlcnZlciAxMTAwHhcNOTUwNzE5MjAyNzMwWhcNOTYw   NTE0MjAyOTEwWjBzMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXUlNBIER   hdGEgU2VjdXJpdHksIEluYy4xHDAaBgNVBAsTE1BlcnNvbmEgQ2VydG   lmaWNhdGUxJDAiBgNVBAMTG09wZW4gTWFya2V0IFRlc3QgU2VydmVyI   DExMDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDU/7lrgR6vkVNX40BA   q1poGdSmGkD1iN3sEPfSTGxNJXY58XH3JoZ4nrF7mIfvpghNi1taYim   vhbBPNqYe4yLPAgMBAAEwDQYJKoZIhvcNAQECBQADQQBqyCpws9EaAj   KKAefuNP+z+8NY8khckgyHN2LLpfhv+iP8m+bF66HNDUlFz8ZrVOu3W   QapgLPV90kIskNKXX3a   ------END CERTIFICATE-----				

However, if there is corruption in the document, it may look like thefollowing. Notice the spaces at the end of each line.
   -----BEGIN CERTICATE-----   JIEBSDSCEXoCHQEwLQMJSoZILvoNVQECSQAwcSETMRkOAMUTBhMuVrM   mIoAnBdNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMRwwGgYDVQ   QLExNQZXJzb25hIENlcnRpZmljYXRlMSQwIgYDVQQDExtPcGVuIE1hc   mtldCBUZXN0IFNlcnZlciAxMTAwHhcNOTUwNzE5MjAyNzMwWhcNOTYw   NTE0MjAyOTEwWjBzMQswCQYDVQQGEwJVUzEgMB4GA1UEChMXUlNBIER   hdGEgU2VjdXJpdHksIEluYy4xHDAaBgNVBAsTE1BlcnNvbmEgQ2VydG   lmaWNhdGUxJDAiBgNVBAMTG09wZW4gTWFya2V0IFRlc3QgU2VydmVyI   DExMDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDU/7lrgR6vkVNX40BA   q1poGdSmGkD1iN3sEPfSTGxNJXY58XH3JoZ4nrF7mIfvpghNi1taYim   vhbBPNqYe4yLPAgMBAAEwDQYJKoZIhvcNAQECBQADQQBqyCpws9EaAj   KKAefuNP+z+8NY8khckgyHN2LLpfhv+iP8m+bF66HNDUlFz8ZrVOu3W   QapgLPV90kIskNKXX3a ------END CERTIFICATE-----				

It is important to reformat the document in order to ensure itsinstallation. Always follow this procedure if you suspect the Certificateis corrupt:
  1. Remove any blank lines occurring between the Begin and End Certificate markers.
  2. Remove any leading or trailing spaces from the lines between the Begin and End markers. A good method for doing this is to use the END key on the keyboard to detect the end of each line. If the ending character is a space or group of spaces, remove them.
  3. Remove any unusual characters or formatting symbols; o or "/par" are good examples.
  4. Ensure that the Begin and End Certificate markers are on a line to themselves. The first sample certificate above shows this case. The markers should begin with a dash; make sure that no spaces appear as the initial character.

In some instances, it has been found that the 128-bit version of ServicePack 3 provides the most stability. Windows NT domestic version ships with128-bit encryption standard; however, Windows NT Service Packs come inboth 128-bit and 40-bit versions. The 40-bit version of each Service Packis available from the Microsoft Web site at no charge. The 128-bit versionof the Service Pack must be purchased from Microsoft or downloaded fromwww.microsoft.com.

NOTE: When you generate a certificate request, it is encoded in ASN.1format. This bug causes Key Manager to create faulty ASN.1 encodings.Therefore, the certificate request created is invalid. This doesn't affectthe signing of the certificate, so the Certificate Authority does notdetect it.
STATUS
Microsoft has confirmed this to be a problem in Internet InformationServer versions 2.0, 3.0, and 4.0.
Properties

Article ID: 186796 - Last Review: 06/22/2005 20:16:46 - Revision: 3.2

  • Microsoft Internet Information Server 2.0
  • Microsoft Internet Information Server 3.0
  • Microsoft Internet Information Server 4.0
  • kbfaq kbhowto KB186796
Feedback