Problems renewing WebServer certificate


This topic contains 16 replies, has 3 voices, and was last updated by  cruachan 9 years, 9 months ago.


  • cruachan
    Member
    #139099

    OK, this one’s got me beat so far and the Microsoft newsgroups are playing up.

    We are trying to renew a website certificate for one of our customers who is
    running ISA 2006 in a 2 node array. The certificate expires next week
    (18/2/09). The customer’s CA is Windows Server 2003 R2 Standard Edition.

    As the certificate is for the external FQDN and we do not have a
    corresponding IIS site internally we want to request a new certificate either
    through the web interface or using the certreq util.

    When trying to use the web interface the check box for "mark keys as
    exportable" is greyed out, so we cannot use this as we need the matching
    private key on both nodes of the ISA array for this to work successfully.

    I then tried to do this through the command line and the process seems to
    complete successfully each time. However, when the cert.pfx file created by
    exporting the newly created cer file is imported onto the ISA servers the ISA
    web listener shows the certificate as installed but with an invalid key
    type. In case this was an ISA issue we imported the file on another ISA
    server (standalone, not an array member) and received the same error from the
    certificate.

    Below is a copy of the inf file used to create the request.

    [NewRequest]
    Subject = "CN=webmail.domain.com"
    MachineKeySet = TRUE
    Exportable = TRUE

    [RequestAttributes]
    CertificateTemplate = "WebServer"

    This was imported using the command certreq -new webmail.inf
    then the request approved on the Certificate Authority.
    Then I ran certreq -accept on the cer file to link it to the private key.
    Then the cer file was exported with its private key as a PFX file and
    imported on both ISA nodes using the Certificates snap-in.

    Any pointers as to where I’m going wrong? I’ve got until Wednesday to fix this. :smile:


    Dumber
    Member
    #199680

    Re: Problems renewing WebServer certificate

    What is the webserver? IIS? Apache?


    cruachan
    Member
    #328907

    Re: Problems renewing WebServer certificate

    It’s OWA. The trouble is that it’s set up as an active/passive cluster with one of the 2 nodes at a remote site for disaster recovery. It goes against best practice, but the communication from the ISA array to the mail cluster is HTTP and the SSL certificate is not installed on the Mail Cluster Nodes.

    This is for one of our customers and this is the way they specified the setup, with self-signed certs, so using a purchased cert is not an option unfortunately.


    Dumber
    Member
    #199687

    Re: Problems renewing WebServer certificate

    So you use SSL to HTTP bridging? Hmmm, I wouldn’t like that if I found out that my company did that :)
    Anyhow, requesting a new certificate is the simplest way to do it on an IIS server.
    I’ve done it a couple of times from an IIS server within VMware and moved the SSL certificate to the ISA servers.
    I think requesting a new certificate is in that case simpler than renewing it.


    cruachan
    Member
    #328908

    Re: Problems renewing WebServer certificate

    That is an option: creating a new website in IIS and then requesting the certificate from there. I’ve used the command line procedure before though and I can’t figure out why it won’t work or why you can’t mark the keys as exportable through the certsrv website.

    This was all set up before I joined the company. If it was up to me I’d sort it out so it was SSL all the way, but the customer doesn’t want us to do that because it works as it is and they don’t want to pay for what they see as unnecessary changes.


    Dumber
    Member
    #199689

    Re: Problems renewing WebServer certificate

    I’d actually do it always by using IIS :)
    Works all the time for me. Nice and simple ;)

    It’s sad that a company doesn’t listen to the admins, but it doesn’t really matter.
    They are the ones who should push the extra buttons for it :)


    cruachan
    Member
    #328911

    Re: Problems renewing WebServer certificate

    AAARGHHHHHHHH. :evil::mad::twisted::twisted:

    ?**!&^! Microsoft!

    I finally managed to get through to them on the Partner Newsgroups and they didn’t bother to read the question properly. Instead of answering my query about the command line method they told me not to bother and create a V2 Certificate Template, ignoring the first paragraph telling them this is a Windows Server 2003 Standard CA and doesn’t support V2 templates.

    More coffee required methinks. ;)


    Dumber
    Member
    #199697

    Re: Problems renewing WebServer certificate

    Have you already tried IIS? :roll:


    cruachan
    Member
    #328912

    Re: Problems renewing WebServer certificate

    Not so far, we want to avoid creating a new website if possible so that’s a last resort for Tuesday if we can’t renew it through the command line before then.

    The weird thing is we installed some new servers for this customer a few months back and the command line procedure worked fine then. We’re using the same template file (edited with the appropriate settings) which worked previously. The only difference is that the other domain has Windows Server 2008 DCs and CA, although the ISA array is obviously 2003 in both domains.


    Dumber
    Member
    #199698

    Re: Problems renewing WebServer certificate

    Hmmm, I wouldn’t wait until the last resort.
    What if it doesn’t work…


    cruachan
    Member
    #328913

    Re: Problems renewing WebServer certificate

    If the newsgroups don’t come through I’ll be phoning Microsoft tomorrow and then I’ll argue the toss over paying for a call later. We had to do that last time the newsgroups played up and they gave us a free call. They’re now posting in the newsgroups admitting there are issues so I don’t see it being a problem.

    We’re reluctant to use IIS except as a last resort given the nature of the customer. They have odd requirements, and although we support their internal network they have a few MCSEs working for them on projects who occasionally check the internal setup and then report to their boss if they see anything they don’t like. We tend to do as they ask for a quiet life, and most of the time things go OK if maybe taking a little longer than the way we’d like to do things. ;)


    joeqwerty
    Moderator
    #301323

    Re: Problems renewing WebServer certificate

    If you’re a certified partner, why would you be paying for the call in the first place?


    Dumber
    Member
    #199699

    Re: Problems renewing WebServer certificate

    Well if they have MCSEs, let them fix it…
    I can’t stand such engineers.

    BTW, another option might be requesting a certificate straight from the ISA server.
    Create a rule allowing localhost to internal, all outbound traffic, disable RPC strict enforcement and try it from there.


    cruachan
    Member
    #328914

    Re: Problems renewing WebServer certificate

    joeqwerty;148621 wrote:
    If you’re a certified partner, why would you be paying for the call in the first place?

    As far as I’m aware from our partner rep we get free support via the newsgroups and a certain number of calls we can log each year and that’s it. The customer is also a partner though so this call will be coming out of their allocation if it comes to that.

    Dumber:
    Don’t get me started on the attitude of this customer, they’re a nightmare at the best of times. :shock:

    Do you mean request the cert via the certificates MMC on the ISA server? If so we can only request computer certificates that way, and I get a permission denied error when I try to renew the certificate through the MMC.


    Dumber
    Member
    #199700

    Re: Problems renewing WebServer certificate

    But a computer web certificate is what you need.
    I don’t have a lab here at the moment, otherwise I would test it out straight away.

    PS, I can also tell you quite some nightmare stories ;)


    cruachan
    Member
    #328915

    Re: Problems renewing WebServer certificate

    Resolved quite quickly once I got to speak to technical support. The problem was the INF file I used to generate the request. TechNet suggests that any fields not included are automatically set to the defaults, which it appears some apps, including ISA, don’t like. This is the complete file for anyone else having issues, edit as appropriate. :smile:

    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=website.domain.com"
    KeySpec = 1
    KeyLength = 1024
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1

    [RequestAttributes]
    CertificateTemplate="WebServer"

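The procedure the thread arrives at (the complete INF from the resolved post, fed through the certreq -new / -submit / -accept steps described in the first post), as an added example that is not code from the thread: a PowerShell wrapper that writes the full INF, submits it, and checks that the issued key is an exportable AT_KEYEXCHANGE CSP key before anyone exports it to the ISA nodes. $CaConfig ("CAHOST\CA Name") is a placeholder, the 2048-bit key length is a modern substitution for the thread's 1024, and the script assumes Windows PowerShell with the Cert: drive on a domain-joined host that can reach the CA.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell, a reachable
# enterprise CA, and that $CaConfig is replaced by the real "CAHOST\CA Name".
param(
    [Parameter(Mandatory)][string]$Fqdn,       # e.g. webmail.domain.com
    [Parameter(Mandatory)][string]$CaConfig,   # placeholder: "CAHOST\CA Name"
    [string]$Template = "WebServer"
)
$inf = "$env:TEMP\$Fqdn.inf"; $req = "$env:TEMP\$Fqdn.req"; $cer = "$env:TEMP\$Fqdn.cer"

# Every field is spelled out: the thread found that leaving fields to certreq's
# defaults produced a key ISA rejected ("invalid key type"). KeySpec = 1 is
# AT_KEYEXCHANGE, which SChannel requires; 2048 bits replaces the thread's 1024.
@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$Fqdn"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[RequestAttributes]
CertificateTemplate="$Template"
"@ | Set-Content -Path $inf -Encoding ASCII

certreq -new $inf $req                        # generates the machine key and CSR
certreq -submit -config $CaConfig $req $cer   # if left pending, approve, then certreq -retrieve
certreq -accept $cer                          # binds the issued cert to the private key

# Verify before touching the ISA nodes: the key must be a CSP (not CNG) key,
# AT_KEYEXCHANGE (KeyNumber = Exchange) and exportable, in the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$Fqdn" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
$csp = $cert.PrivateKey                        # $null for CNG keys, which SChannel on 2003 cannot use
if (-not $csp -or $csp.CspKeyContainerInfo.KeyNumber -ne 'Exchange' -or
    -not $csp.CspKeyContainerInfo.Exportable) {
    throw "Key check failed for $($cert.Thumbprint): not an exportable AT_KEYEXCHANGE CSP key"
}
"OK: $($cert.Thumbprint) is an exportable AT_KEYEXCHANGE key, safe to export as PFX"
```

Once the check passes, export the PFX as the thread did from the Certificates snap-in, or with `certutil -p <password> -exportPFX My <thumbprint> webmail.pfx`, and import it on each ISA node.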

    Dumber
    Member
    #199718

    Re: Problems renewing WebServer certificate

    oh man… Well I didn’t know that.
    Thanks for posting back :)
