• Status: Solved

SBS2003 Web Server Certificate

Hi

We have SBS2003 and I'm having a problem creating the ssl certificate for use with OWA.

I have run the Connect to the Internet Wizard (several times!).

On the Web Server Certificate screen I have selected "create a new Web server certificate" and entered the domain name of our server (it does have an externally accessible DNS name).

It appears to run through to completion and nothing adverse is logged.

However it clearly isn't working:
- When I run OWA it doesn't download the certificate and doesn't switch to HTTPS. I have checked the config of the HTTP connector in Exchange and the settings in IIS; all appear OK.
- If I rerun the Connect to the Internet Wizard again it doesn't display the existing certificate and the option to choose "do not change current server certificate".

Is there another method to create the certificate?

Any ideas on what the problem is?

Thanks
mtxit
 
Irwin Santos (Computer Integration Specialist) commented:
You either need to purchase a certificate or use Microsoft's SelfSSL certificate.
 
Irwin Santos (Computer Integration Specialist) commented:
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en
Download and install the IIS 6 resource kit and follow the instructions for "self SSL".
 
mtxit (author) commented:
Hi
Thanks for the fast response.

I've downloaded and run the selfssl tools and get the following:

Microsoft (R) SelfSSL Version 1.0
Copyright (C) 2003 Microsoft Corporation. All rights reserved.

Installs self-signed SSL certificate into IIS.
SELFSSL [/T] [/N:cn] [/K:key size] [/S:site id] [/P:port]

/T               Adds the self-signed certificate to "Trusted Certificates"
                 list. The local browser will trust the self-signed certificate
                 if this flag is specified.
/N:cn            Specifies the common name of the certificate. The computer
                 name is used if not specified.
/K:key size      Specifies the key length. Default is 1024.
/V:validity days Specifies the validity of the certificate. Default is 7 days.
/S:site id       Specifies the id of the site. Default is 1 (Default Site).
/P:port          Specifies the SSL port. Default is 443.
/Q               Quiet mode. You will not be prompted when SSL settings are
                 overwritten.

The default behaviour is equivalent with:

selfssl.exe /N:CN=RSL-W231 /K:1024 /V:7 /S:1 /P:443

C:\Program Files\IIS Resources\SelfSSL>selfssl /T /N:mail.ourdomain.co.uk
Microsoft (R) SelfSSL Version 1.0
Copyright (C) 2003 Microsoft Corporation. All rights reserved.

Do you want to replace the SSL settings for site 1 (Y/N)?y
Failed to build the subject name blob: 0x80092023

C:\Program Files\IIS Resources\SelfSSL>


Any thoughts??
 
Irwin Santos (Computer Integration Specialist) commented:
Let's back this up a bit...

Read the following:
http://support.microsoft.com/kb/313624/en-us

AND here is an ICESOFTWARE solution from PAQ

--------------
Hi there everybody!

I had the same problem and here is what I found out.

You can download IIS 6.0 Resource Kit Tools from:

http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&displaylang=en

Just create a virtual site (or use one that you already have), setting it up for SSL. Basically, you have to set the SSL Port to 443 in the MMC that manages IIS 6.0 and then go to the Directory Security tab and enable the use of the SSL channel (I advise to require 1024 bits encryption).
At this point, if you installed the IIS 6.0 resource kit, you should have a new menu entry called IIS Resources (in your Start menu->Programs). You need to use a tool called IIS Metabase Explorer. Go to LM->W3SVC and select the items on the left (especially those with big numbers) to see a description of them on the right and find your virtual site. The big number is the ID of the site (if you instead want to use the default site, the ID is always 1). At this point, suppose the site has ID=1088768498; you have to issue:

SelfSSL /N:CN=yoursite.yourdomain.com /V:365 /S:1088768498

where:

/N:CN is the name of your site on the internet (or LAN)
/V: sets the number of days before the new certificate expires
/S: is the ID we found

That's it; the site is now operative and ready to go.

 
mtxit (author) commented:
Thanks

I was missing the "cn="

The cert is now installed - and looks ok when I view it.

However - OWA still doesn't download the certificate or switch to SSL

Any more thoughts??
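The failure and fix in this thread, as an added example (not code from any poster or from Microsoft): a Python pre-flight check that catches a `/N:` value with no `CN=` attribute key, the input that produced `0x80092023` (`CRYPT_E_INVALID_X500_STRING`) above, before SelfSSL is run. The function names are hypothetical, subjects with escaped commas are not handled, and the DNS-label check is an extra sanity test rather than something SelfSSL is known to enforce.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_subject(subject):
    """Return a list of problems with a /N: value (empty list = looks usable)."""
    problems = []
    cn = None
    for part in (p.strip() for p in subject.split(",")):
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            # The case from the thread: a bare host name with no attribute key.
            problems.append(f"{part!r} has no attribute key; write CN={part}")
        elif not value.strip():
            problems.append(f"attribute {key.strip()!r} has an empty value")
        elif key.strip().upper() == "CN":
            cn = value.strip()
    if cn is None and not problems:
        problems.append("no CN= attribute in subject")
    if cn is not None:
        bad = [lab for lab in cn.split(".") if not LABEL.match(lab)]
        if bad:
            problems.append(f"CN {cn!r} is not a valid DNS name (bad label {bad[0]!r})")
    return problems


def selfssl_args(subject, site_id=1, days=7, port=443):
    """Build the SelfSSL argument list; raise ValueError if any check fails.

    Defaults mirror the tool's usage text quoted in the thread (site 1, 7 days, port 443).
    """
    problems = check_subject(subject)
    if not 1 <= port <= 65535:
        problems.append(f"port {port} out of range")
    if site_id < 1 or days < 1:
        problems.append("site id and validity days must be positive")
    if problems:
        raise ValueError("; ".join(problems))
    return ["selfssl.exe", f"/N:{subject}", f"/V:{days}", f"/S:{site_id}", f"/P:{port}"]
```

The returned list can be passed to `subprocess.run` on the server, or joined with spaces and pasted at the prompt.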
 
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
You DON'T need to go through all of that... the CEICW creates a valid self-signed certificate.

I've rarely had trouble with them... so why don't you just look and see if it exists first before going through all that mess.

First, check to see if Remote Web Workplace is working by going to https://servername.domain.com/remote

If that works, then you have modified something on the OWA site's security settings.  If it doesn't work, you need to find all the certificates that may be lurking around in your IIS and remove them so you don't have multiple copies.

Jeff
TechSoEasy
 
Irwin Santos (Computer Integration Specialist) commented:
How's port 443?
 
Jeffrey Kane - TechSoEasy (Principal Consultant) commented:
Oh, yeah... that too!  :-)  

These are the ports that should be open on your router, based on your needs.  If you have UPnP enabled on the router, the CEICW will automatically configure them.

25 - SMTP
443 - HTTPS (for RWW and OWA)
444 - SharePoint
1723 - PPTP VPN
3389 - RDP for remote administration
4125 - Remote Web Workplace


Jeff
TechSoEasy
 
Irwin Santos (Computer Integration Specialist) commented:
Cool. Thank you!