Solved

win2003 can't add certificate to website

Posted on 2005-03-14
580 Views
Last Modified: 2008-02-01
Hi All

Been playing around on my test network which is 1 DC (called DC), 1 Citrix Presentation Server/TS (called citrix1), 1 citrix WI/SG box, (called WI), 1 other 2003 server (called Servaland) Domain's called sydney.  WI is the IIS webserver I'm trying to enable SSL on.

Installed a stand-alone CA on Servaland.  Following along the doc:
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
The only difference is I had issues installing an enterprise CA so I've installed a stand-alone CA on Servaland.

Used servaland as the common name for the CA.

Created a new certificate in IIS on WI server.  Gave the common name in the site as wi (pings OK). Saved the certreq.txt locally.  As expected for a stand-alone CA I only get the prepare and send later option.

Went to http://servaland/certsrv , from the WI server and did a certificate request, pasting in the text from the certreq.txt file.  Checked in the CA console - yes pending request from user: servaland\iusr_servaland

When I go to the cert page and look at pending there's some earlier attempts that I revoked and my current one still pending.

Whether I issue the certificate or not get the same result.

Now if I go to Download a certificate it shows Current [servaland.mel.com.au].  I downloaded that as certnew.cer to the same location on WI as certreq.txt

Go to the properties of the default website on WI and try and process my pending request.  Get error "The pending certificate request for this response file was not found."

http://www.instantssl.com/ssl-certificate-support/server_faq/ssl-server-certificate-iis5.html
tells me that the problem is:

You are attempting to install a certificate that does not match the private key (Pending request) that is currently residing in the Certificate Wizard.

Any ideas how to fix this or at least where to start troubleshooting?  Do I need a root certificate as well as a server certificate?  Am I downloading the Servaland cert instead of the one I created?

Oh and just in case it has any bearing I do have an Enterprise CA running on the DC - but it didn't install correctly.

Much TIA this hurts my head.
Question by:ausadmin
6 Comments

Accepted Solution

by:
Dave_Dietz earned 1500 total points
ID: 13549136
Try going to http://ddietz.darktech.org/certsrv and submit your certreq.txt file there and then try installing the certificate issued.

This will help determine if there may be a problem with your certificate server.

If that also fails we can try looking at problems with IIS and/or the certreq generation....

Dave Dietz
 

Author Comment

by:ausadmin
ID: 13584183
Thanks Dave

The cert from your site installed fine so it looks like there's a problem with my certificate server.  How do I go about troubleshooting that?
 

Author Comment

by:ausadmin
ID: 13584267
Just for more info I tried importing the root cert from the CA server servaland:

Went to: http://servaland/certsrv
clicked "Download a CA certificate, certificate chain, or CRL"
got page: http://servaland/certsrv/certcarc.asp

Wasn't too sure what encoding method to use here - since cert request was in base 64 I chose that.

Downloaded the CA Certificate chain as: certnew.p7b to the Wi server.

On the wi server loaded the certificates mmc (chose the manage this computer account option)

Went to Trusted Root Certificates -> certificates and imported the file.

Then had an entry which said:

Issued to                      Issued by                      Intended Purpose
-----------------------------------------------------------------------------
servaland.mel.ketech.com.au    servaland.mel.ketech.com.au    All

Wasn't sure if I should be importing the CA Cert or the CA cert chain so I went back and imported the CA cert on the WI server.  Said the import was successful but it didn't seem to give me any other entries in the list.

I also went back to http://servaland/certsrv/certcarc.asp and clicked the option 'install this CA certificate chain' right up the top of the page.

Still get the same error.

Author Comment

by:ausadmin
ID: 13584370
And yet more info...tried the pkiview tool out of the 2003 resourcekit - it only seems to be interested in enterprise CAs (ie. AD integrated).  I would love to know how to point it to a stand-alone CA.

Told me my Ent CA on meldc was stuffed - couldn't get any of the webpages.  Which I knew coz it won't even load http://meldc/certsrv

Not sure why this would stuff things up since I'm not using that CA for my requests.
 

Author Comment

by:ausadmin
ID: 13586985
Think I've found the problem

When I go into the personal certs on the Wi box I see:

Issued To                      Issued by                      Intended purpose
-----------------------------------------------------------------------------
p-iii-450-w2k3.blah.com        same                           server authent
servaland.blah.com             "                              "
wi.mel.ketech.com              Homenet Enterprise             "

Same thing with the cert in the root authorities.  Why is servaland issuing the cert to itself instead of issuing it to wi ?
 

Author Comment

by:ausadmin
ID: 13677132
Points to Dave coz he replied :)

Turns out it was an AD problem in the end.  DNS registration was not working properly.  Re-did my dns and my new Enterprise CA worked.
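Added example, not from this thread: the "pending certificate request for this response file was not found" error in the question, and the later observation that the certificate was issued to servaland rather than wi, both come down to the downloaded file not carrying the public key of the pending request. This OpenSSL script compares the public key in a CSR (certreq.txt) with the one in a certificate (certnew.cer); the key, CSR and certificates are constructed inline, and a self-signed CA certificate stands in for the CA's own cert downloaded by mistake.

```shell
#!/bin/sh
# Check whether an issued certificate actually answers the pending IIS request
# by comparing the public key in the CSR with the public key in the certificate.
# Requires OpenSSL. All files below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 of the public key inside a CSR (what IIS wrote to certreq.txt)
csr_key_fp() {
    openssl req -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key inside a certificate (what certsrv handed back)
cert_key_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the certificate matches the CSR's key, 1 when it belongs to
# some other key (for example the CA's own certificate).
cert_matches_csr() {
    [ "$(csr_key_fp "$1")" = "$(cert_key_fp "$2")" ]
}

# Constructed data: the web server's key and its request for CN=wi ...
openssl genrsa -out "$WORK/wi.key" 2048 2>/dev/null
openssl req -new -key "$WORK/wi.key" -subj "/CN=wi" -out "$WORK/certreq.txt"
# ... a certificate correctly issued for that request (self-signed here) ...
openssl x509 -req -in "$WORK/certreq.txt" -signkey "$WORK/wi.key" \
    -days 30 -out "$WORK/certnew.cer" 2>/dev/null
# ... and the CA's own self-signed certificate, the file you get if you
# download the CA certificate instead of the issued one.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/CN=servaland" -days 30 -out "$WORK/ca.cer" 2>/dev/null

cert_matches_csr "$WORK/certreq.txt" "$WORK/certnew.cer" \
    && echo "certnew.cer matches the pending request"
cert_matches_csr "$WORK/certreq.txt" "$WORK/ca.cer" \
    || echo "ca.cer does NOT match the pending request: wrong file downloaded"
```

On the Windows side the equivalent check is to compare the Subject and public key shown by the certificate MMC against the CN you typed into the IIS wizard; a certificate whose Issued To equals the CA's own name is the CA certificate, not your server certificate.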