
3rd party SSL Certs install

Hi Experts,

I am fairly new to SSL implementations, so please bear with me. My basic situation is: I have a Windows Mobile 5 device, with push technology/ActiveSync, and I want to enable secure communications with my server. I tried to use self-signed certs, but for whatever reason the WM5 device refused to connect. I then configured the default website/ActiveSync to not use SSL, and everything worked fine, albeit somewhat insecurely. So, I managed to find a cheap SSL CA (godaddy.com) who supplied a cheap cert for me to use. The WM5 already has this cert in the root certs, so no extra config needs to be done there, which is great. I have applied the new cert to the server.

However, when I generated the request, the common name for the cert had to be the external domain name, i.e. mail.mydomain.com, so I am secure from an external point of view. My question is, seeing that my internal SBS server is not called mail.mydomain.com but mailserver.mydomain.local, how do I set my device to be able to sync when connected locally to the network, and also sync securely over the internet? Would I need two different certs with differing common names? How would I add two certs to the website? Surely I cannot change SSL settings and ActiveSync settings every time I want to leave the office, and vice versa?

I know I may be missing something pretty obvious, so your help would be greatly appreciated.

Cheers,
ZM
1 Solution
 
Rhodan commented:
I have the exact same problem as you, and I was about to post the same question.

I'm not using a 3rd party cert, I want to use a self-signed one. Is there any way you can use an IP address instead of a FQDN?
0
 
zimboman (Author) commented:
I got the SSL part working eventually. I was able to browse the OWA from an external PC, with no popups, all OK. But the WM5 WILL NOT connect, always saying I have an invalid certificate, even though my 3rd party root certificate is installed...

I read somewhere that the virtual websites need SSL turned OFF, and reconfigured authentication methods, so I followed those instructions, and now my OWA is not working, so... I am VERY frustrated at this point. It looks like I need to recreate all the IIS virtual directories from scratch to recover the default settings.

BTW Rhodan, try to ping your external FQDN from your PC. If you receive replies, I think you can just configure ActiveSync with your external domain name. This worked for me when I was not using SSL.
0
 
Rhodan commented:
My OWA works perfectly externally.

The problem is that I do not have an external FQDN. I want to use our external IP address, which we use to access OWA. This is the cause of the problem, as the mobile device refuses to connect to the external IP, I think it's because the SSL certificate has the INTERNAL FQDN in it.

Any ideas, besides turning off SSL?
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
There's a complete how-to that you can download from here:  http://go.microsoft.com/fwlink/?LinkId=62797

Jeff
TechSoEasy
0
 
Rhodan commented:
Jeff,

I have downloaded and followed that white paper previously, up until the point I am at now. The white paper does not explain much with regards to using a self-signed SSL certificate or how to set it up the way we need.

As I said above in previous posts, the problem is with the SSL certificate, in that it uses the internal FQDN, which doesn't help when you are trying to connect with a mobile device from outside the network.
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
If you downloaded and followed that paper previously, then I would suspect it was before last week, when the paper was updated to version 2.

I am quite aware of the issues with self-signed certificates, as I have deployed a fair amount of SBS/Windows Mobile 5/ActiveSync systems, and wouldn't have posted the link to this paper alone if I didn't think it answered zimboman's question.

The SSL certificate, if created properly with the Configure Email and Internet Connection Wizard (CEICW) actually has 5 names on it which are valid:

CN = sbs.domain.com
CN = companyweb
CN = sbs
CN = localhost
CN = sbs.domain.local

These can be reviewed by viewing the certificate's "details" and then clicking on "issuers".

If you don't have a FQDN, then on the certificate screen of the CEICW you should insert your external static IP address which will be added to the SSL certificate.  (However, I don't quite understand why you wouldn't register a domain name since that's much easier for folks to remember for other remote applications).

Jeff
TechSoEasy
0
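The point of the multi-name certificate Jeff describes is that the client checks the name it was given (external FQDN, internal FQDN, short name or IP) against the names in the certificate, and a single-name cert such as the one zimboman requested can only ever pass one of those checks. The following is an added example, not code from the thread or from the white paper; it implements that hostname check over certificates written in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, with both certificates and the IP address being constructed sample data.

```python
import ipaddress

# Both certificates are constructed sample data in getpeercert() dict form.
SINGLE_NAME_CERT = {                      # what a CSR with one common name yields
    "subject": ((("commonName", "mail.mydomain.com"),),),
    "subjectAltName": (("DNS", "mail.mydomain.com"),),
}
MULTI_NAME_CERT = {                       # the five names the thread lists, plus an IP
    "subject": ((("commonName", "sbs.domain.com"),),),
    "subjectAltName": (
        ("DNS", "sbs.domain.com"), ("DNS", "companyweb"), ("DNS", "sbs"),
        ("DNS", "localhost"), ("DNS", "sbs.domain.local"),
        ("IP Address", "203.0.113.10"),   # external static IP as an IP SAN (sample value)
    ),
}

def _dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; a wildcard is accepted only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches_host(cert: dict, host: str) -> bool:
    """True if the name the client connected with is one the certificate is valid for."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an IP Address SAN, never a CN or DNS entry.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:
        # Once DNS names are present in the SAN, the common name is ignored.
        return any(_dns_name_matches(n, host) for n in dns_names)
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, host) for n in cn)

def valid_names(cert: dict, hosts) -> list:
    """Filter the names a client might be configured with down to those this cert accepts."""
    return [h for h in hosts if cert_matches_host(cert, h)]
```

Running `valid_names` on both certificates with the internal name, the external name and the IP shows why one cert with every name on it removes the need to switch settings when leaving the office.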
 
zimboman (Author) commented:
It works!
I am not exactly sure what I did though... but I will try.

The initial problem I had with the self-signed certs was carried over to when I used the 3rd party one. Some of the virtual domains were configured to use SSL, which they are NOT supposed to be. That was causing my certificate invalid message earlier on.

I then sorted that out, but at the same time screwed around with the authorisation settings on the virtual domains, based on instructions from another site, which gave me another error. I managed to find some other postings by Jeff (TechSoEasy) that pointed me in the right direction and managed to configure these OK. (Jeff, if you could repost the link here to the virtual websites' correct configs, it would be most appreciated.)

Rhodan, on your issue, what I have done is created a free static virtual domain (dyndns.org) that points to my external IP address. Create a self-signed cert for this FQDN. I have then, in the hosts file of the PC that I use to sync up, added the DynDNS domain name to point to the local IP address of the server. As I said, I have done SO much tinkering I am not 100% sure that works, but it is how I am set up at the moment, and it seems to work.

Thanks Jeff for the help.
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Well, if I had any idea which site or which article you were referring to I'd be happy to post the info.  (I've probably posted over 5,000 items in the past couple of years).

I'm glad you got it working... what it sounds like, though, is that you hadn't run the CEICW as required.

Jeff
TechSoEasy
0