  • Problems renewing WebServer certificate

    OK, this one's got me beat so far and the Microsoft newsgroups are playing up.

    We are trying to renew a website certificate for one of our customers who is
    running ISA 2006 in a 2 node array. The certificate expires next week
    (18/2/09). The customer's CA is Windows Server 2003 R2 Standard Edition.

    As the certificate is for the external FQDN and we do not have a
    corresponding IIS site internally we want to request a new certificate either
    through the web interface or using the certreq util.

    When trying to use the web interface the check box for mark keys as
    exportable is greyed out, so we can not use this as we need the matching
    private key on both nodes of the ISA array for this to work successfully.

    I then tried to do this through the command line and the process seems to
    complete successfully each time. However when the cert.pfx file created by
    exporting the newly created cer file is imported onto the ISA servers the ISA
    web listener shows the certificates as installed but with an invalid key
    type. In case this was an ISA issue we imported the file on another ISA
    server (standalone, not an array member) and received the same error from the
    certificate.

    Below is a copy of the inf file used to create the request.

    [NewRequest]
    ; CN must match the external FQDN the ISA web listener publishes
    Subject = "CN=webmail.domain.com"
    ; keep the key in the machine store, not the requesting user's profile
    MachineKeySet = TRUE
    ; allow the private key to be exported to PFX for the second array node
    Exportable = TRUE

    [RequestAttributes]
    CertificateTemplate = "WebServer"

    This was imported using the command certreq -new webmail.inf
    then the request approved on the Certificate Authority.
    Then I ran certreq -accept on the cer file to link it to the private key.
    Then the cer file was exported with its private key as a PFX file and
    imported on both ISA nodes using the Certificates snap in.

    Any pointers as to where I'm going wrong? I've got until Wednesday to fix this.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog
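As an added example (not code from the original post), the same certreq procedure scripted in PowerShell: it writes an INF that states the key parameters explicitly instead of relying on defaults, runs the new/submit/accept steps, and then inspects the enrolled certificate's private-key container (key number, CSP, exportability) before the PFX for the second ISA node is produced. The CA config string, working directory, file names, KeySpec/provider/key-length values and the Export-PfxCertificate cmdlet (Windows 8/Server 2012 and later, not available on the 2003-era hosts in the thread) are assumptions.

```powershell
# Added example: request a WebServer certificate with certreq, then verify the
# private key before exporting it for the second ISA node. The CA config string,
# paths and key parameters below are assumptions, not values from the thread.

$caConfig  = 'CA01.domain.local\domain-CA01-CA'   # assumed "<host>\<CA common name>"
$workDir   = 'C:\certreq'
$infPath   = Join-Path $workDir 'webmail.inf'
$reqPath   = Join-Path $workDir 'webmail.req'
$cerPath   = Join-Path $workDir 'webmail.cer'
$pfxPath   = Join-Path $workDir 'webmail.pfx'
$subjectCn = 'webmail.domain.com'

New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Straight ASCII quotes only: certreq does not accept the curly quotes a word
# processor substitutes. KeySpec = 1 (AT_KEYEXCHANGE) and the SChannel CSP are
# stated explicitly so the key is an exchange key usable for SSL, not signature-only.
@"
[NewRequest]
Subject = "CN=$subjectCn"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = "WebServer"
"@ | Set-Content -Path $infPath -Encoding Ascii

# 1. Build the PKCS#10 request and the machine-store private key.
certreq -new $infPath $reqPath

# 2. Submit to the CA. If the template needs manager approval, certreq reports
#    "Taken Under Submission"; issue the request in the CA console and fetch it
#    with: certreq -retrieve <RequestId> $cerPath
certreq -submit -config $caConfig $reqPath $cerPath

# 3. Bind the issued certificate to the private key created in step 1.
certreq -accept $cerPath

# Locate the enrolled certificate and inspect the key container. A listener that
# rejects the key type is usually unhappy about exactly these properties.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$subjectCn" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$subjectCn" }

# CspKeyContainerInfo is only populated for legacy CSP keys; this check covers those.
$csp = $cert.PrivateKey.CspKeyContainerInfo
if (-not $csp) { throw 'Private key is not in a legacy CSP container; cannot inspect KeySpec.' }

[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    KeyNumber  = $csp.KeyNumber        # expect 'Exchange' (AT_KEYEXCHANGE) for an SSL listener
    Provider   = $csp.ProviderName
    Exportable = $csp.Exportable       # must be True to move the key to the other array node
    MachineKey = $csp.MachineKeyStore  # must be True; a user-profile key is invisible to the service
} | Format-List

if ($csp.KeyNumber -ne 'Exchange' -or -not $csp.Exportable -or -not $csp.MachineKeyStore) {
    throw 'Key is not an exportable machine exchange key; fix the INF and re-enrol before exporting.'
}

# 4. Export certificate plus private key for the second ISA node. On hosts without
#    this cmdlet, use the Certificates MMC export wizard as described in the thread.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
```

Run it in an elevated prompt on one array node; the inspection step is the useful part even if the enrolment was done another way, since it tells you whether the key you are about to copy is a machine-store exchange key before anything is imported on the other node.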

  • #2
    Re: Problems renewing WebServer certificate

    What is the webserver? IIS? Apache?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    • #3
      Re: Problems renewing WebServer certificate

      It's OWA. The trouble is that it's set up as an active/passive cluster with one of the 2 nodes at a remote site for disaster recovery. It goes against best practice, but the communication from the ISA array to the mail cluster is HTTP and the SSL certificate is not installed on the Mail Cluster Nodes.

      This is for one of our customers and this is the way they specified setup with self signed certs, so using a purchased cert is not an option unfortunately.
      Cruachan's Blog

      • #4
        Re: Problems renewing WebServer certificate

        So you use SSL to HTTP bridging? Hmmm, I wouldn't like that if I found out that my company did that.
        Anyhow, requesting a new certificate is the most simple way to do it on an IIS server.
        I've done it a couple of times from an IIS server within VMware and moved the SSL certificate to the ISA servers.
        I think requesting a new certificate is in that case simpler than renewing it.
        Marcel

        • #5
          Re: Problems renewing WebServer certificate

          That is an option: creating a new website in IIS and then requesting the certificate from there. I've used the command line procedure before though and I can't figure out why it won't work or why you can't mark the keys as exportable through the certsrv website.

          This was all set up before I joined the company. If it was up to me I'd sort it out so it was SSL all the way, but the customer doesn't want us to do that because it works as it is and they don't want to pay for what they see as unnecessary changes.
          Cruachan's Blog

          • #6
            Re: Problems renewing WebServer certificate

            I'd actually always do it by using IIS.
            Works all the time for me. Nice and simple.

            Sad that a company doesn't listen to the admins; however, it doesn't really matter.
            They are the ones who should push the extra buttons for it.
            Marcel

            • #7
              Re: Problems renewing WebServer certificate

              AAARGHHHHHHHH.

              ?**!&^! Microsoft!

              I finally managed to get through to them on the Partner Newsgroups and they didn't bother to read the question properly. Instead of answering my query about the command line method they told me not to bother and create a V2 Certificate Template, ignoring the first paragraph telling them this is a Windows Server 2003 Standard CA and doesn't support V2 templates.

              More coffee required methinks.
              Cruachan's Blog

              • #8
                Re: Problems renewing WebServer certificate

                Have you already tried IIS?
                Marcel

                • #9
                  Re: Problems renewing WebServer certificate

                  Not so far, we want to avoid creating a new website if possible so that's a last resort for Tuesday if we can't renew it through the command line before then.

                  The weird thing is we installed some new servers for this customer a few months back and the command line procedure worked fine then. We're using the same template file (edited with the appropriate settings) which worked previously. The only difference is that the other domain has Windows Server 2008 DCs and CA, although the ISA array is obviously 2003 in both domains.
                  Cruachan's Blog

                  • #10
                    Re: Problems renewing WebServer certificate

                    Hmmm, I wouldn't wait until the last resort.
                    What if it doesn't work....
                    Marcel

                    • #11
                      Re: Problems renewing WebServer certificate

                      If the newsgroups don't come through I'll be phoning Microsoft tomorrow and then I'll argue the toss over paying for a call later. We had to do that last time the newsgroups played up and they gave us a free call. They're now posting in the newsgroups admitting there are issues so I don't see it being a problem.

                      We're reluctant to use IIS except as a last resort given the nature of the customer. They have odd requirements, and although we support their internal network they have a few MCSEs working for them on projects who occasionally check the internal setup and then report to their boss if they see anything they don't like. We tend to do as they ask for a quiet life, and most of the time things go OK if maybe taking a little longer than the way we'd like to do things.
                      Cruachan's Blog

                      • #12
                        Re: Problems renewing WebServer certificate

                        If you're a certified partner, why would you be paying for the call in the first place?

                        • #13
                          Re: Problems renewing WebServer certificate

                          Well if they have MCSEs, let them fix it...
                          I can't stand such engineers.

                          BTW, another option might be requesting a certificate straight from the ISA server.
                          Create a rule allow localhost to internal, all outbound traffic, disable rpc strict enforcement and try it from there.
                          Marcel

                          • #14
                            Re: Problems renewing WebServer certificate

                            Originally posted by joeqwerty:
                            If you're a certified partner, why would you be paying for the call in the first place?
                            As far as I'm aware from our partner rep we get free support via the newsgroups and a certain number of calls we can log each year and that's it. The customer is also a partner though so this call will be coming out of their allocation if it comes to that.

                            Dumber:
                            Don't get me started on the attitude of this customer, they're a nightmare at the best of times.

                            Do you mean request the cert via the certificates MMC on the ISA server? If so we can only request computer certificates that way, and I get a permission denied error when I try to renew the certificate through the MMC.
                            Cruachan's Blog

                            • #15
                              Re: Problems renewing WebServer certificate

                              But a computer web certificate is what you need.
                              I don't have a lab here at the moment, otherwise I would test it out straight away.

                              PS: I can also tell you quite some nightmare stories as well.
                              Marcel
