
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 602

win2003 can't add certificate to website

Hi All

Been playing around on my test network which is 1 DC (called DC), 1 Citrix Presentation Server/TS (called citrix1), 1 Citrix WI/SG box (called WI), 1 other 2003 server (called Servaland). The domain is called sydney.  WI is the IIS webserver I'm trying to enable SSL on.

Installed a stand-alone CA on Servaland.  Following along the doc:
The only difference is I had issues installing an enterprise CA so I've installed a stand-alone CA on Servaland.

Used servaland as the common name for the CA.

Created a new certificate in IIS on the WI server.  Gave the common name in the site as wi (pings OK). Saved the certreq.txt locally.  As expected for a stand-alone CA I only get the "prepare and send later" option.

Went to http://servaland/certsrv from the WI server and did a certificate request, pasting in the text from the certreq.txt file.  Checked in the CA console: yes, pending request from user servaland\iusr_servaland.

When I go to the cert page and look at pending there's some earlier attempts that I revoked and my current one still pending.

Whether I issue the certificate or not, I get the same result.

Now if I go to "Download a certificate" it shows Current [servaland.mel.com.au].  I downloaded that as certnew.cer to the same location on WI as certreq.txt.

Go to the properties of the default website on WI and try to process my pending request.  Get error "The pending certificate request for this response file was not found."

tells me that the problem is:

You are attempting to install a certificate that does not match the private key (Pending request) that is currently residing in the Certificate Wizard.

Any ideas how to fix this or at least where to start troubleshooting?  Do I need a root certificate as well as a server certificate?  Am I downloading the Servaland cert instead of the one I created?

Oh and just in case it has any bearing I do have an Enterprise CA running on the DC - but it didn't install correctly.

Much TIA, this hurts my head.
  • 5
1 Solution
Try going to http://ddietz.darktech.org/certsrv and submit your certreq.txt file there and then try installing the certificate issued.

This will help determine if there may be a problem with your certificate server.

If that also fails we can try looking at problems with IIS and/or the certreq generation...

Dave Dietz
ausadmin (Author) Commented:
Thanks Dave

The cert from your site installed fine so it looks like there's a problem with my certificate server.  How do I go about troubleshooting that?
ausadmin (Author) Commented:
Just for more info I tried importing the root cert from the CA server servaland:

Went to: http://servaland/certsrv
clicked "Download a CA certificate, certificate chain, or CRL"
got page: http://servaland/certsrv/certcarc.asp

Wasn't too sure what encoding method to use here; since the cert request was in base 64 I chose that.

Downloaded the CA Certificate chain as: certnew.p7b to the Wi server.

On the WI server loaded the certificates MMC (chose the "manage this computer account" option).

Went to Trusted Root Certificates -> certificates and imported the file.

Then had an entry which said:

Issued to                      Issued by                      Intended Purpose
servaland.mel.ketech.com.au    servaland.mel.ketech.com.au    All

Wasn't sure if I should be importing the CA cert or the CA cert chain, so I went back and imported the CA cert on the WI server.  Said the import was successful but it didn't seem to give me any other entries in the list.

I also went back to http://servaland/certsrv/certcarc.asp and clicked the option 'install this CA certificate chain' right up the top of the page.

Still get the same error.

ausadmin (Author) Commented:
And yet more info... tried the pkiview tool out of the 2003 resource kit; it only seems to be interested in enterprise CAs (i.e. AD integrated).  I would love to know how to point it to a stand-alone CA.

Told me my Ent CA on meldc was stuffed; couldn't get any of the webpages.  Which I knew coz it won't even load http://meldc/certsrv

Not sure why this would stuff things up since I'm not using that CA for my requests.
ausadmin (Author) Commented:
Think I've found the problem.

When I go into the personal certs on the WI box I see:

Issued To                      Issued by                      Intended purpose
p-iii-450-w2k3.blah.com        p-iii-450-w2k3.blah.com        server authent
servaland.blah.com             servaland.blah.com             server authent
wi.mel.ketech.com              Homenet Enterprise             server authent

Same thing with the cert in the root authorities.  Why is servaland issuing the cert to itself instead of issuing it to wi?
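The IIS error in the question and the "issued to itself" observation above point at the same thing: the response file that was installed carries the CA's own public key, not the key of the pending request. The following added example (not from this thread or from Microsoft) reproduces both situations with openssl, using the names wi and servaland from the thread and generating all keys and certificates locally, and shows the check that tells the two files apart before you feed one to the wizard.

```shell
#!/bin/sh
# Added example: does a downloaded certificate belong to the pending request?
# Everything below is generated on the spot; nothing is taken from a real CA.
set -e
WORK=$(mktemp -d)

# 1. What the IIS wizard does: a private key plus a CSR for the site (CN=wi).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=wi" \
    -keyout "$WORK/wi.key" -out "$WORK/certreq.txt" 2>/dev/null

# 2. A stand-alone CA: a self-signed root (CN=servaland) ...
openssl req -x509 -new -newkey rsa:2048 -nodes -subj "/CN=servaland" -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null
# ... which issues a certificate for the submitted request (the real certnew.cer).
openssl x509 -req -in "$WORK/certreq.txt" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/certnew.cer" 2>/dev/null

# SHA-256 of the public key carried in a CSR or a certificate.
csr_key_fp()  { openssl req  -in "$1" -pubkey -noout | openssl dgst -sha256 | awk '{print $NF}'; }
cert_key_fp() { openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256 | awk '{print $NF}'; }

# Exit status 0 when the certificate was issued for this CSR's key, 1 otherwise.
# This is the comparison IIS makes when it reports "pending request ... not found".
cert_matches_csr() { [ "$(csr_key_fp "$1")" = "$(cert_key_fp "$2")" ]; }

# Prints "match" or "mismatch" for a CSR/certificate pair.
check_pair() { if cert_matches_csr "$1" "$2"; then echo match; else echo mismatch; fi; }

# Subject and issuer of a certificate; a CA root shows the same name in both.
show_names() { openssl x509 -in "$1" -noout -subject -issuer; }

# The certificate issued from the CSR completes the pending request ...
check_pair "$WORK/certreq.txt" "$WORK/certnew.cer"   # match
show_names "$WORK/certnew.cer"                       # subject=CN=wi, issuer=CN=servaland
# ... whereas the CA's own certificate, downloaded from the certsrv page by mistake, does not.
check_pair "$WORK/certreq.txt" "$WORK/ca.cer"        # mismatch
show_names "$WORK/ca.cer"                            # subject and issuer both CN=servaland
```

Run the same two openssl commands against the real certreq.txt and certnew.cer: a CA certificate shows its own name as both subject and issuer and its key fingerprint will never equal the CSR's, so the wizard is right to refuse it.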
ausadmin (Author) Commented:
Points to Dave coz he replied :)

Turns out it was an AD problem in the end.  DNS registration was not working properly.  Re-did my DNS and my new Enterprise CA worked.
