Problems with Certificates in Windows 2003

  • Problems with Certificates in Windows 2003

    Hello All,

    I inherited a Windows 2003 CA, set up by someone else. I'm wanting to set up RPC over HTTPS for my remote users, and when I tried to use the same Cert that we have been using for OWA... I came across a problem. The common name doesn't match the external FQDN of my Exchange server... and I can't negotiate the connection.

    So what do I do? According to some TechNet documents.. I should be using the Web interface to do it. Problem is.. the web interface doesn't seem to exist. Should be http://servername/certserv on your CA, which in this case is also my main DC. But that URL doesn't work.. so I'm shit up a creek without a paddle.

    I need to create a new cert with the correct info, so that RPC over HTTPS will work. Help?

    Note: This is Windows Server 2003 R2 Enterprise
    Last edited by AndrewR; 10th July 2007, 15:58. Reason: added more information
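
The name mismatch described in the post above, as an added example that is not part of the original thread: a simplified RFC 6125-style check of which names a certificate presents and whether they cover a given host. The host names are constructed, the certificates use the dict form returned by Python's `ssl.getpeercert()`, and real clients differ in the details of their matching.

```python
# Added example. All names (mail.example.com, exch01.corp.local) are constructed.

def _label_match(pattern: str, host: str) -> bool:
    """Compare one presented name with a host, label by label, case-insensitively."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard stands for exactly one leftmost label; reject "*.com"-style patterns.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def presented_names(cert: dict) -> list:
    """SAN dNSName entries if any exist, otherwise the subject common name(s)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_cert_for_host(cert: dict, host: str) -> tuple:
    """Return (matches, names_presented) for the host a client connects to."""
    names = presented_names(cert)
    return any(_label_match(n, host) for n in names), names


# Constructed certificates: one issued to the internal name only, one reissued
# with the external FQDN as CN and both names as SAN entries.
OWA_CERT = {"subject": ((("commonName", "exch01.corp.local"),),)}
REISSUED_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "exch01.corp.local")),
}

if __name__ == "__main__":
    for label, cert in (("existing cert", OWA_CERT), ("reissued cert", REISSUED_CERT)):
        for host in ("mail.example.com", "exch01.corp.local"):
            ok, names = check_cert_for_host(cert, host)
            print(f"{label:14} {host:20} {'match' if ok else 'MISMATCH'}  presented={names}")
```
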

  • #2
    Re: Problems with Certificates in Windows 2003

    This issue with home grown certificates and RPC over HTTPS has been posted many times in the Exchange Forum. The last post is probably the most pertinent. http://forums.petri.com/showthread.php?t=16807
    1 1 was a racehorse.
    2 2 was 1 2.
    1 1 1 1 race 1 day,
    2 2 1 1 2


    • #3
      Re: Problems with Certificates in Windows 2003

      So.. by the looks of things... that's my only option huh?

      Hmm.. well, I figured it might be, but I was hoping not.

      That still doesn't fix the puzzling problem of http://servername/certserv not being present. Shouldn't that have been created when the CA component was installed? If I uninstall and reinstall the CA component... am I going to have recreate the certs?


      • #4
        Re: Problems with Certificates in Windows 2003

        So you can't enter /certsrv? If you open inetmgr.exe you will not see the virtual directory certsrv, and that's because the CA was installed before the IIS components were added to the system. So just issue this command on the CA/IIS server and it will create your virtual directory, make the required share, and enable ASP.net extensions:

        C:\>certutil -vroot
        Web Virtual Root Already Exists
        Active Server Pages (ASP) already enabled
        File Share Already Exists
        CertUtil: -vroot command completed successfully.

        If you plan to uninstall the CA, all issued certificates will be invalid; otherwise you export the PFX of your root, and create a new CA with the old private key.

        Check this article for more info:
        http://support.microsoft.com/kb/298138


        • #5
          Re: Problems with Certificates in Windows 2003

          Excellent response Dr. Kernel

          Thumbs up!!

          Michael
          Michael Armstrong
          www.m80arm.co.uk
          MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

          ** Remember to give credit where credit is due and leave reputation points where appropriate **


          • #6
            Re: Problems with Certificates in Windows 2003

            Doc,

            Thanks. that seems to have created the shares / enabled the active server pages. But it doesn't seem to have enabled me to view the page http://servername/certserv/

            The files are there... thems just ain't being discovered by IIS.

            I went so far as to restart IIS, and that didn't make a lick of difference. Still can't view that page.

            Hmm.. on a different IIS server.. I'm having a similar issue. I installed WSUS 3.0, which also includes a selfupdate page.. and that too is not working, despite the directories etc existing. Hmm.. any ideas?


            • #7
              Re: Problems with Certificates in Windows 2003

              Thanks m80arm !

              Originally posted by AndrewR
              Doc,

              Thanks. that seems to have created the shares / enabled the active server pages. But it doesn't seem to have enabled me to view the page http://servername/certserv/

              The files are there... thems just ain't being discovered by IIS.

              I went so far as to restart IIS, and that didn't make a lick of difference. Still can't view that page.

              Hmm.. on a different IIS server.. I'm having a similar issue. I installed WSUS 3.0, which also includes a selfupdate page.. and that too is not working, despite the directories etc existing. Hmm.. any ideas?
              services.msc? Did you check that the CA, IISadmin and WWW services are started? Can you open inetmgr? Can you see /certsrv? Can you open the Certificate Authority console? What is the error you receive? Can you see certsrv in the application pool? Can you see this in Inetmgr? http://picshome.com/v2/download.php?id=BF5859071
              Go to %windir%\system32\CertSrv and tell me if you see anything there.

              You can migrate it to the new IIS server that holds the WSUS, but you have to change the listening port for the CA or the WSUS websites. Beware that if you migrate the CA it will require some registry modifications; try to fix it before.


              • #8
                Re: Problems with Certificates in Windows 2003

                Originally posted by Dr.Kernel
                Thanks m80arm !

                services.msc? Did you check that the CA, IISadmin and WWW services are started? Can you open inetmgr? Can you see /certsrv? Can you open the Certificate Authority console? What is the error you receive? Can you see certsrv in the application pool? Can you see this in Inetmgr? http://picshome.com/v2/download.php?id=BF5859071
                Go to %windir%\system32\CertSrv and tell me if you see anything there.

                You can migrate it to the new IIS server that holds the WSUS, but you have to change the listening port for the CA or the WSUS websites. Beware that if you migrate the CA it will require some registry modifications; try to fix it before.
                OK. One at a time:

                Services.msc - All 3 services are started and running.
                Inetmgr - Yes, I can open it. Yes, I can see the /certsrv share (as shown in the image). I can also see what you showed me in the image.

                CA Console - Yep. It's there, and I can open it.

                %windir%\system32\CertSrv - I see a total of 30 objects (2 folders, one of them shared, and 28 files)

                I wasn't planning on Migrating the CA page to a new server... it's not in my best interests. I just noticed that it seems to be a similar problem on that one as well... which leads me to believe that perhaps the problems may be related.

                I get a "File not found" error when I try and open http://servername/certserv/ , or even http://servername/certsrv/ ... Ideas?


                • #9
                  Re: Problems with Certificates in Windows 2003

                  Sorry, man, for being late, but these days are 100% busy.

                  I think you have to back up your CA, uninstall it, then install another one with the same name and same directories, then restore it. It will be fine then.

                  http://www.google.com/search?q=backu...ient=firefox-a


                  and tell me updates
