• Status: Solved

Certification renewal for OWA

Hello - We run Outlook Web Access on Exchange 2003 - SP2, Windows 2003 SP1. We have a front-end - Back-end mail configuration. We have a CA on our back-end exchange server. Our certificate for OWA just expired and I'm trying to renew it, but running into some trouble. Here's what I'm doing:

I go to our Front-end and go into IIS to Default Web site. I go into the properties of the default site and go to Directory Security, down to Server Certificate. I create the request to renew the current cert and send it to a text file. When I go into CA to Submit a new request and select this text file, I get an error:

The Request contains no certificate template information. 0x80094801 (-2146875391). Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

Also, if I go into mmc and pull in the Certificates plug-in (for computers) I can see the certificate used by the mail server. If I right click and go to renew, it tells me:

You do not have permission to request a certificate based on the selected certificate template.

I've checked in certificate templates and verified my user account (administrator) and Domain computers have read/write/enroll permissions, so I'm a bit confused how I don't have access to it.

Any thoughts?

Sembee Commented:
Why are you using a home grown certificate?
You realise that you are going to have to visit all the machines with that certificate on them and replace the existing certificate?
Save yourself a lot of bother and purchase a certificate - they are $20 from GoDaddy or $60 from RapidSSL.
No certificate prompts, no certificates to install on the clients, a much easier life.
How long have you been playing around with this? How much do you spend telling the users how to install the certificate?

Simon.
WPI Help (Author) Commented:
Simon - I've been leaning that way actually. I 'inherited' this when I started here about 1.5 years ago. It was already set up this way. I'm not sure the initial intent behind having our own CA server, since we only use a cert for OWA right now anyway.

So let me ask you this - If we did go with a 3rd party cert - would I just wipe out the expired homegrown cert and it'll give me the ability to import / insert this 3rd party cert into the site?
Sembee Commented:
You have to remove the old SSL certificate before you can create a new request. In most cases you can get a certificate in about 30 minutes, so that isn't a problem. When I have had timing issues in the past I have created a second dummy site somewhere, requested the certificate on that site, put the response into that site, then immediately exported the certificate to a file and moved it.

Simon.
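
The first error quoted in the question, 0x80094801, says the request carries no certificate template extension. As an added example (not part of the thread and not any poster's code), this Python code walks the DER of a PKCS#10 request and reports whether either Microsoft template extension OID is present. The `WebServer` template name and the sample request are constructed for illustration, and the code does not look for the separate CertificateTemplate request attribute.

```python
import base64

# Microsoft certificate-template extension OIDs: v1 template name, v2 template.
TEMPLATE_OIDS = {"1.3.6.1.4.1.311.20.2", "1.3.6.1.4.1.311.21.7"}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):  # DER OID content bytes -> dotted notation
    subs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends one base-128 subidentifier
            subs, val = subs + [val], 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def find_oids(buf, pos=0, end=None):  # yields every OID in constructed elements
    end = len(buf) if end is None else end
    while pos < end:
        tag, start, stop = read_tlv(buf, pos)
        if tag == 0x06:
            yield decode_oid(buf[start:stop])
        elif tag & 0x20:  # SEQUENCE, SET and context tags such as [0]
            yield from find_oids(buf, start, stop)
        pos = stop

def template_extensions(csr):
    """Take PEM text or DER bytes; return the template OIDs in the request."""
    if isinstance(csr, str):
        lines = [l for l in csr.splitlines() if not l.startswith("-----")]
        csr = base64.b64decode("".join(lines))
    return sorted(TEMPLATE_OIDS.intersection(find_oids(csr)))

def der(tag, *parts):  # tiny encoder (short lengths only) for the sample
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_request(with_template):  # constructed, unsigned; not a usable CSR
    name = der(0x04, der(0x1E, "WebServer".encode("utf-16-be")))
    ext = der(0x30, der(0x06, bytes.fromhex("2b0601040182371402")), name)
    req = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01090e")),
              der(0x31, der(0x30, ext)))
    attrs = der(0xA0, req if with_template else b"")
    return der(0x30, der(0x30, der(0x02, b"\x00"), der(0x30), attrs))
```

An empty list from `template_extensions()` on the request file means the request itself names no template extension, which matches the condition the CA's policy module reports in that error.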