Solved

ISA 2004 Renew CA Certificate

Posted on 2007-04-02
Last Modified: 2008-11-18
I'm running ISA 2004 Enterprise Edition, 2 servers belonging to one array.

As part of some OWA publishing rules we have a local certificate generated by a standalone CA which also runs on the first ISA 2004 server.

This certificate belongs to a web listener for one of the rules (local host to Exchange). The certificate is a one year issue, has expired and I cannot see a way to renew it.

Any ideas?

Note: the commercial external based certificate, webmail.companyname.co.uk is fine and doesn't expire for another year.
Question by:jonmedd
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18841602
Generally, you'd open the internal CA you got the certificate from through the web browser on which you want the cert installed (the OWA server) and ask for a renewal or generate a new cert.

https://ca_server_name/certsrv

Alternatively, open the IIS service where OWA is running. Open the default web server and select the properties. Find where the cert is installed and from the options there you can create a new request etc.

0
 
LVL 1

Author Comment

by:jonmedd
ID: 18842965
Thanks for the response.

The front-end Exchange servers don't have the internal certificate on them, they have the external certificate only.

I tried to renew the certificate on the ISA boxes using the method above, but since they are not installed in IIS I was not able to renew them. I tried exporting them to PKCS #7 files and then following the https://ca_server_name/certsrv renewal process, but it looks like you can't renew that way.
0
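Added example, not part of any post in this thread: one way to obtain a replacement certificate for an ISA web listener from a standalone CA when IIS is not installed on the ISA box, using `certreq` from a command prompt. The subject name, the CA name after the backslash and the request ID argument are placeholders; a standalone CA leaves requests pending by default, so the script runs in two phases.

```bat
@echo off
rem Added example (not from the thread). Placeholders: SUBJECT, the CA name in
rem CACONFIG, and the request ID passed as the first argument in phase 2.
setlocal
set SUBJECT=CN=internal-listener-name.example
set CACONFIG=ca_server_name\Your-CA-Name

if not "%~1"=="" goto :install

rem Phase 1: build the request. MachineKeySet stores the private key in the
rem Local Computer store, which is where ISA web listeners pick certificates.
rem Exportable lets the key pair be exported to the second array member.
(
  echo [Version]
  echo Signature="$Windows NT$"
  echo [NewRequest]
  echo Subject="%SUBJECT%"
  echo KeyLength=2048
  echo KeySpec=1
  echo Exportable=TRUE
  echo MachineKeySet=TRUE
  echo RequestType=PKCS10
  echo [EnhancedKeyUsageExtension]
  echo OID=1.3.6.1.5.5.7.3.1
) > listener.inf

rem Generate the key pair and the PKCS #10 request file.
certreq -new listener.inf listener.req || goto :fail

rem Submit to the CA. Note the RequestId that is printed, issue the request
rem in the Certification Authority console, then rerun: script.cmd RequestId
certreq -submit -config "%CACONFIG%" listener.req listener.cer
goto :eof

:install
rem Phase 2: fetch the issued certificate and bind it to the pending key.
certreq -retrieve -config "%CACONFIG%" %~1 listener.cer || goto :fail
certreq -accept listener.cer || goto :fail

rem List the computer's Personal store to confirm the new expiry date.
certutil -store My
goto :eof

:fail
echo certreq failed with errorlevel %errorlevel%
exit /b 1
```

The subject name has to match the name the publishing rule uses when it connects to the listener, and each array member needs the certificate with its private key in its own Local Computer store.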
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18846247
OK.

What if you export your public cert & key and import that into ISA itself? As ISA will be masquerading as the true box... i.e. it is listening for the true mail server.

Although I only use internal certs I use the same one on both my Exchange and my ISA server.
0

 
LVL 1

Author Comment

by:jonmedd
ID: 18846968
I'm already using the public cert in ISA. It uses that in one rule then uses the internal cert in another rule.

If you track the connection it fails on the internal rule.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 18847135
OK, not normally slow on the uptake but I am obviously being dense.
As a quick win, amend the publishing rule/listener so that you accept SSL onto the ISA server then bridge with HTTP to the OWA box. That will at least let OWA stop giving horrible messages and you are still over an SSL tunnel to the ISA box.

Can we now go over again what certificate is from where and installed on what, as I am missing something in the picture I have.



0
 
LVL 1

Author Comment

by:jonmedd
ID: 18918641
Turns out the database was corrupt and the expired certificate just exposed the problem - it was a full rebuild job. Since no one else answered I'm allocating the above the points.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18918881
That's kind of you and thanks :)
0
