The SSL Diagnostics utility helps troubleshoot problems for SSL-enabled Web sites. It is particularly useful for identifying configuration problems in the Internet Information Services (IIS) metabase, certificates, or certificate stores. You can run this tool using the GUI interface or set it up to run silently and just write the information to a log file.
Key features of the SSL Diagnostics tool include:
- Certificate Creator: This feature lets admins replace existing server certificates with self-signed server certificates generated by SSL Diagnostics. The functionality is available with IIS 5.0, IIS 5.1 and IIS 6.0. Certificate Creator does not delete your existing certificates, but temporarily replaces the current certificate with a self-signed certificate. When testing is complete, an administrator can restore the original certificate back into IIS.
Certificate Creator can help you determine if your SSL problems are related to your Windows server certificate, as well as detect problems with certificates purchased from third-party certification authorities. If SSL works with the self-signed certificate but did not work with the other certificate, it's surely a certificate problem. If SSL does not work with the self-signed certificate or the other certificate, it's not a certificate problem. You can then restore the original certificate, which automatically removes the self-signed one.
- SSL handshake: SSL Diagnostics lets admins quickly simulate an SSL connection between a Windows server and Web browser. This is known as an SSL handshake. When implemented, SSL Diagnostics opens a new window that shows the connection information from the client's point of view, meaning the information the Web browser receives. If there is a problem with the SSL handshake, a warning will appear that describes the problem. This feature helps determine where the connection is breaking down during the SSL handshake process. You can simulate an SSL handshake at the Web-site or Web-page level.
- Client Certificate Monitor: You can use SSL Diagnostics to monitor the usage of client certificates in real time by attaching to the associated process where the encryption and decryption takes place. As the certificate information is being parsed by the server, Client Certificate Monitor displays both the client certificates that are trying to connect to your Web site and the associated information contained in those certificates. Client Certificate Monitor also shows the error codes associated with the result of the SSL server settings and client certificates. So Client Certificate Monitor displays both valid certificates and the reasons for invalid certificates, including expired, not yet valid, or revoked client certificates.
Although useful, Client Certificate Monitor requires some real-time interaction with the server processes. Because of the impact it can have on performance, using it is not recommended on a production server. After using Client Certificate Monitor, you should restart the server.
When you go to Programs -> IIS Diagnostics -> SSL Diagnostics to open the program, the utility will begin a diagnostic scan of the server on which you are running it. In the results section, just highlight the line entry you wish to research (especially those with red exclamation points) and SSL Diagnostics will give you the issue's explanation and possible fixes to correct the problem.
Inside the IIS Diagnostics Toolkit
How to install the Microsoft IIS Diagnostics Toolkit
How to use SSL Diagnostics 1.0
How to use Authentication and Access Control Diagnostics (AuthDiag) 1.0
How to use Exchange Server SMTP Diagnostics 1.0
How to use Log Parser 2.2
How to use WFetch 1.4
How to use Trace Diagnostics
How to use Debug Diagnostics 1.0
About the author: Tim Fenner (MCSE, MCSA: Messaging, Network+ and A+) is a senior systems administrator who oversees a Microsoft Windows, Exchange and Office environment. He is also an independent consultant who specializes in the design, implementation and management of Windows networks.