After installing SQL Server Reporting Services (SSRS), are you receiving an Error 404, Error 400, “Invalid Request” error, or “Bad Connection” error on first visiting the SSRS web portal (the error message seems to vary based on version, browser, and whether accessing via http/https or /reports vs /reportserver) ?

I’ve run into this a few times so I’m listing the steps I’ve used to fix it.  For me, the root cause of this error has been the SSRS Configuration Wizard automatically configuring SSRS to use HTTPS, but assigning an invalid machine SSL Certificate.  The fix is to self-generate a new and valid SSL certificate for the SSRS website to use.  The below steps are done on the machine running the SSRS web portal:

Download and Install SSL Certificate Creation Tools

The first set of steps will download the free MakeCert.exe utility, which can be used to create a Root Certificate and a Machine Certificate.

  1.  Most of the work in creating and installing a new certificate is done using the Microsoft command-line utility, makecert.exe.  This utility is available via a couple of different sources, one of which is the Windows Software Development Kit (SDK).  The version of the Windows SDK doesn’t matter too much…I recommend the Windows 8.1 version so the installation options will be the same.
  2.  Download the Windows 8.1 SDK from Microsoft here and select only the first checkbox, which includes Tools, which includes the MakeCert.exe utility.
  3. Once installation completes, verify you can find the tool.  The default location is C:\Program Files (x86)\Windows Kits\8.1\bin\x64

Download the Windows Software Development Kit to get the installer for the makecert.exe utility.

 

Install to the default Installation Path.

 

Choose the Windows Software Development Kit option. The others aren’t needed.

 

After installation, verify you can find the makecert.exe file. By default it will be located in C:\Program Files (x86)\Windows Kits\8.1\bin\x64.

Generate and Install a New Root Certificate

The next set of steps will use the MakeCert.exe to generate a new local Root Certificate.

1.  Run the following command to generate a certificate file.  In this example, replace MYCOMPUTER with your computer’s name (you can find your computer’s name by running the “hostname” command at a command prompt.  It is important that the computer name be correct (this will be the name that is eventually used in the browser address bar, ie https://MYCOMPUTER/Reports ).  The below command will generate a Certificate file and save it in C:\Temp.

makecert.exe -n “CN=MYCOMPUTER-Root” -r -pe -a sha512 -len 4096 -cy authority -sv C:\Temp\LP-S100821-Root.pvk C:\Temp\MYCOMPUTER-Root.cer

 

2.  Next, run the following command to convert the certificate file into a PFX certificate file.  This will also set a password on the file, password123!  (set to whatever you wish — this password will be used again in later steps)

pvk2pfx.exe -pvk C:\Temp\MYCOMPUTER-Root.pvk -spc C:\Temp\MYCOMPUTER-Root.cer -pfx C:\Temp\MYCOMPUTER-Root.pfx -po password123!

 

3.  Now, the newly created Root Certificate can be imported to your computer’s certificate store.  To do this, in Windows, go to Start and bring up the Run command and run the command “mmc”

Run the “mmc” command from the Windows “run” menu.

4.  From the top File menu, choose Add/Remove Snap-ins and find the Certificates item and press the middle Add button.  When prompted as to which type, choose Computer Account.

Choose Certificates from the Add/Remove Snap-ins menu and select Computer Account.

 

5.  Expand the section named Trusted Root Certification Authorities and then right click on the Certificates item.  Click on All Tasks and then select the Import… menu item.  The Certificate Import Wizard will now start.  Proceed through the wizard and on the File to Import page, choose the .pfx file created in the previous MakeCert.exe step.

When prompted, use the password set previously and also check the box to Mark the Certificate as Exportable.

Once the wizard completes, you should see the newly imported Root Certificate in Trusted Root Certification Authorities -> Certificates, in the long list of certificates (listed by the previously specified computer name.

Import the PFX root certificate file via the Certificate Import Wizard.

 

Generate and Install a New Machine Certificate

The next set of steps will use the MakeCert.exe to generate a new Machine Certificate, based off the Root Certificate created in the previous step.

1.  Use the MakeCert.exe to generate a new certificate based on the Root Certificate previously created.  The below computer will create a certificate for a computer named MYCOMPUTER, using C:\Temp to store the files temporarily, and valid for a 5 year period.

makecert.exe -n “CN=MYCOMPUTER” -iv C:\Temp\MYCOMPUTER-Root.pvk -ic C:\Temp\MYCOMPUTER-Root.cer -pe -a sha512 -len 4096 -b 2/1/2017 -e 02/01/2022 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -sv C:\Temp\MYCOMPUTER.pvk C:\Temp\MYCOMPUTER.cer -sr LocalMachine -ss My

 

2.  Next, use the pvk2pfx.exe utility to convert the created certificate file to a PFX certificate file with the previously used password for the secret key.

pvk2pfx.exe -pvk C:\Temp\MYCOMPUTER.pvk -spc C:\Temp\MYCOMPUTER.cer -pfx C:\Temp\MYCOMPUTER.pfx -po password123!

 

3.  With the PFX certificate file created, it is now time to import it into the computer’s certificate store.  As before, run the MMC command from the Windows Start -> Run dialog.  Add the Certificates control panel and choose to do so for the Local Computer account.

Next, expand the Personal section and right-click on Certificates and choose All Tasks -> Import…  Locate the C:\Temp\MYCOMPUTER.pfx file created in the above step and complete the import wizard.  Provide the password when prompted and make sure to Mark the Certificate as Exportable.

After completing the wizard, you should see the newly imported certificate in the Personal -> Certificates section.  You should be able to view the certificate and, on the General screen, see “You have a private key that corresponds to this certificate.” and on the Certification Path page, see “This Certificate is ok.”  If you don’t see these, as in the below screenshot, repeat the Root and Computer certificate creation process until you do.

 

When viewing the certificate in the Personal store, you should see “You have a private key that corresponds to this certificate.”

When viewing the certificate in the Personal store, you should see “This certificate is OK.”

 

 

Add the New Certificate to SSRS

The next set of steps will use the MakeCert.exe to generate a new Machine Certificate, based off the Root Certificate created in the previous step.

1.  Run the Reporting Services Configuration Manager via the shortcut in the Configuration Tools folder of the SQL Server program start menu folder.

2.  In the Web Service URL section,   if you already have an SSL Certificate listed in the SSL Certificate section, use the SSL Certificate dropdown to select the newly created certificate (it will be the  name of your computer).  If necessary, the Advanced… button can be used to remove any existing entries .  Apply changes.

 

Set the Web Service URL to use your newly created Machine Certificate.

3.  In the Report Manager URL (or Web Portal URL for SQL 2016) section, use the Advanced button.  In the bottom section of the Advanced dialog, there should be an entry for port 443 that uses your newly created certificate.  Add this new entry if necessary.

Use the Advanced button to manipulate the SSL Certificates applied in the Report Manager URL section.

 

Ensure an entry exists in the lower section (on port 443 by default) using your newly created Machine Certificate.

4.  After saving changes, it’s a good idea to restart the Reporting Services service via the Services console or SQL Configuration Manager.

 

 

Completion / Testing

If everything was done correctly, you should now be able to go to http://MYCOMPUTER/Reports in a browser and see the Report Manager web page.   If for some reason you still receive an error, sometimes you have to play with the final steps, and add/remove the certificate from the Web Service URL and Report Manager URL in the Reporting Services Configuration Manager Utility.

 

Success! The Reporting Services website using the new locally installed machine certificate.