[Sbs2k3.Std]Issue a Certificate With multiple CN


  • [Sbs2k3.Std]Issue a Certificate With multiple CN

    Hello,

    I have to set up a remote PDA sync from my SBS2k3 Standard box to some Nokia E65 mobile phones.

    The setup of the application on the mobiles worked successfully (mail4exchange installed and configured), but when I try to import the certificate issued by the server, I cannot import it.

    After some research, it seems that the Symbian OS installed on the Nokias cannot support multiple CNs on a certificate; it only accepts the first CN on the certificate, skipping the others. The first CN on the certificate is the local name of the server: Server01.Domain.local; after this first CN I have webmail.ExtDomain.com and Server01.ExtDomain.com.

    If I browse the OWA\OMA website via mobile, it says that the certificate is not secure since the public name isn't correct (SERVER01.domain.local where it should be webmail.Extdomain.com), but I can continue surfing the OMA page after answering "continue" on the certificate question.

    The certificate applied to the default website (where the OWA\OMA websites reside) was created from the SBS2k3 server some years ago; the CA service was uninstalled after issuing that certificate (I don't know why\who removed the service from the server).

    I've re-installed the CA service on the server, so I can issue any certificate that I need to.

    I'm thinking of issuing a new certificate for the webmail\OMA services, with all the CNs that I need: webmail.extdomain.com, webmail.domain.local, server01.extdomain.com, server01.domain.local

    Doing so, I think that the OWA\OMA services are going to work without any issue (from both local\external sides).

    But HOW can I do this? Issuing a multiple-CN certificate, backing up the old one.


    Thanks in advance

  • #2
    Re: [Sbs2k3.Std]Issue a Certificate With multiple CN

    I have done this for several Nokias. You can try using the original SBS self-signed cert created by the wizard: open IIS Manager, go to the Default Web Site properties / Directory Security / View Certificate. From the Details tab you can export the certificate and try to install that on your Nokia. If that doesn't work, install the CA (Certificate Authority) on the server. Back up the IIS Metabase (always a good idea), remove the existing certificate. Create a new one and repeat the procedure above to export the certificate, and install it on the phone.
    HTH
    TIA

    Steven Teiger [SBS-MVP(2003-2009)]
    http://www.wintra.co.il/
    I'm honoured to have been selected for the SMB 150 list for 2013. This is the third time in succession (no logo available for 2011) that I have been honoured with this award.

    We don't stop playing because we grow old, we grow old because we stop playing.



    • #3
      Re: [Sbs2k3.Std]Issue a Certificate With multiple CN

      Thanks for the reply.

      These are the exact steps that I've taken to copy the certificate from my running IIS to the Nokias (except the re-association of a new certificate on the default website).

      When I select the "Copy to File" button on the details of the current certificate, I exported the certificate in DER format without the private key; doing this I get a .CER file.

      But when I try to import this .cer file on the mobiles, it says that the file is not supported. Browsing around the net, it says that's a bug in the Symbian OS, and that I can import to my phone using a web server with a modified MIME attribute.

      I've tried uploading the cert to a web server; browsing with the mobile I can import it on the phone, but the order of the CNs is messed up.

      1st CN: server01.domain.local
      2nd CN: webmail.extdomain.com
      3rd CN: server01.extdomain.com

      I think that the phones need the external DNS name as 1st CN to work properly.
      If so, I need to reissue a new certificate with the correct CN order (and how do I select the correct CN order?) and associate it with the default website?



      • #4
        Re: [Sbs2k3.Std]Issue a Certificate With multiple CN

        It should have only one name and be according to your FQDN that you use to navigate to OWA etc.
        TIA

        Steven Teiger [SBS-MVP(2003-2009)]
        http://www.wintra.co.il/


        • #5
          Re: [Sbs2k3.Std]Issue a Certificate With multiple CN

          http://support.microsoft.com/kb/931351/en-us

          This allows setting up multiple Subject Alternative Names (multiple DNS names).

          Now I've issued the new cert to my IIS default website (OWA\OMA), and then I need to import that on the Nokias.



          • #6
            Re: [Sbs2k3.Std]Issue a Certificate With multiple CN

            I stick to the Keep It Simple, Steven (KISS) method. One name - as per FQDN
            TIA

            Steven Teiger [SBS-MVP(2003-2009)]
            http://www.wintra.co.il/
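Added example, not part of any post in this thread: a small Python model of the name check being discussed, comparing a client that reads only the first subject CN (the behaviour reported for the phones above) with one that prefers Subject Alternative Names. The certificate contents are constructed from the host names mentioned in the thread, the policy names are hypothetical, and matching is exact (no wildcards).

```python
# Added example: dicts follow the layout of ssl.SSLSocket.getpeercert().
# All certificate contents are constructed from the names in the thread.

def _cert(cns, sans=()):
    """Build a getpeercert()-style dict: one RDN per CN, plus DNS SANs."""
    return {"subject": tuple((("commonName", cn),) for cn in cns),
            "subjectAltName": tuple(("DNS", s) for s in sans)}

OLD_CERT = _cert(["server01.domain.local", "webmail.extdomain.com",
                  "server01.extdomain.com"])          # three CNs, no SAN
SINGLE_NAME_CERT = _cert(["webmail.extdomain.com"])   # one name, as per FQDN
SAN_CERT = _cert(["webmail.extdomain.com"],           # external name first
                 ["webmail.extdomain.com", "webmail.domain.local",
                  "server01.extdomain.com", "server01.domain.local"])

def subject_cns(cert):
    """Every commonName in the subject, in certificate order."""
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]

def san_dns(cert):
    """The dNSName entries of the subjectAltName extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def accepted_names(cert, policy):
    """Names a client compares the host against (policy names hypothetical)."""
    cns, sans = subject_cns(cert), san_dns(cert)
    if policy == "first_cn_only":   # only the first CN is looked at
        return cns[:1]
    if policy == "san_then_cn":     # SAN entries if present, else subject CNs
        return sans if sans else cns
    raise ValueError("unknown policy: %s" % policy)

def matches(cert, host, policy):
    """Exact, case-insensitive comparison; wildcards are not modelled."""
    host = host.lower().rstrip(".")
    return any(host == n.lower().rstrip(".")
               for n in accepted_names(cert, policy))

def survey(host):
    """Map (certificate label, policy) -> whether `host` is accepted."""
    certs = {"old": OLD_CERT, "single": SINGLE_NAME_CERT, "san": SAN_CERT}
    return {(label, policy): matches(cert, host, policy)
            for label, cert in certs.items()
            for policy in ("first_cn_only", "san_then_cn")}

if __name__ == "__main__":
    for host in ("webmail.extdomain.com", "server01.domain.local"):
        for key, ok in sorted(survey(host).items()):
            print(host, key, "OK" if ok else "NAME MISMATCH")
```

In this model the old three-CN certificate fails for the external name on a first-CN-only client, while both the single-name certificate and the SAN certificate with the external name as subject CN pass; only the SAN certificate also covers the internal names for clients that read SANs.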