• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1799

cannot generate valid certificate for exchange2007 with a CA

Here's the deal, should be a simple one.

I followed the instructions at isaserver.org to publish my ISA server to the web via SSL using an internal certificate server, and have successfully published https://mail.domain.com.au. I now want to buy a certificate from a reputable CA, as I will be publishing my SharePoint site as well.

I have retrieved a test certificate for mail.domain.corp (internal) and installed it on the Exchange 2007 box, exported it and installed that in the personal cert store of the ISA server.
I still receive an error that the browser doesn't recognise the certificate (VeriSign test cert).
Once I try to log in I receive:

Error Code: 500 Internal Server Error. The network logon failed. (1790)

I receive the following errors from the ISA BPA:

The SSL connection failure with published server (no trust) error alert was signaled 1 times:
Events that triggered the alert: 5/02/2008 1:20:52 PM - ISA Server could not establish an SSL connection with the published server mail.domain.corp on port 443 because it does not trust the issuer of the SSL server certificate used by the published server. Verify that the root certificate for the certification authority (CA) that issued the server certificate is installed on the ISA Server computer. If the problem persists contact the Web server administrator.

The Upstream chaining credentials error alert was signaled 1 times:
Events that triggered the alert: 5/02/2008 1:15:03 PM - ISA Server was unable to establish an SSL connection with mail.domain.corp. No connection could be made because the target machine actively refused it. The failure is due to error: No connection could be made because the target machine actively refused it


Any suggestions?
0
Asked by: Barminco

1 Solution
 
Redwulf__53 commented:
You've installed the public certificate in the wrong place: it should be on ISA (the Listener is the endpoint where the client connects).
You can choose to secure the connection between the ISA server and the OWA/SharePoint server also with a (self-issued/intranet) certificate. In that case, ISA must trust the certificate that is installed on the OWA/SharePoint server (if the ISA server is not a member of the same domain, you may need to import the internal CA's certificate (root certificate) in the ISA server's "Trusted Root CAs" store).
0
 
Redwulf__53 commented:
Note: the certificate you install on the OWA server must have the same Common Name as the hostname used in the ISA Publishing Rule.
0
 
Barminco (Author) commented:
Makes perfect sense. However...

Do I generate the certificate request from the Exchange server for
mail.domain.com.au, install it on the Exchange server, then export it to the ISA server,

or do I generate it from the ISA server, which I can't because it isn't a web server?

Help.. confused..
0
 
Redwulf__53 commented:
It doesn't really matter where the cert was requested from (I usually create them on my own Vista Business laptop for my customers), as long as the whole procedure (create cert request -> complete pending request) is performed on the same box as one complete procedure, and the Common Name is the Fully Qualified DNS name that will be available on the Internet.

In the end, all that matters is which certificate IIS and ISA are configured to use.
So:

Internet--> webmail.mydomain.com <ISA Listener, forwards to > exchsrvr.mydomain.local
So the webmail.mydomain.com public cert is installed on ISA, and the private cert exchsrvr.mydomain.local is installed in IIS on the OWA server. ISA must trust the private cert exchsrvr.mydomain.local.

I understand your confusion; there are not many good articles online about this relatively simple scenario. This is one of the best:
http://www.redline-software.com/eng/support/docs/isaserver/CMT_SSLAuth.php

0
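As an added example that is not part of the thread, and not Microsoft's or ISA's own tooling, the following PowerShell script, run on the ISA computer, checks the two conditions the answer above describes: the public certificate sits in LocalMachine\My with its private key and carries the listener's Common Name, and the certificate the OWA server presents on port 443 chains to a root this machine trusts and carries the name used in the publishing rule. The hostnames are the placeholders from the diagram above, and the function names are my own.

```powershell
# Added example (not from the thread): verifies on the ISA box the two things the
# answer requires. Hostnames are the placeholders from the answer's own diagram;
# replace them with your listener name and the server name in the publishing rule.
$PublicName  = 'webmail.mydomain.com'     # CN the listener certificate must carry
$BackendName = 'exchsrvr.mydomain.local'  # name in the publishing rule and CN of the OWA cert

function Get-CertChainReport {
    # Build the chain the way Windows does, against this machine's Trusted Root and
    # Intermediate stores, which is what ISA consults. Revocation checking is skipped
    # so the result isolates the trust question raised by the first BPA alert.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedName
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    New-Object PSObject -Property @{
        CommonName    = $cn
        NameMatches   = ($cn -eq $ExpectedName)   # ISA 2006 compares the CN with the host name it uses
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        ChainTrusted  = $trusted
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        HasPrivateKey = $Cert.HasPrivateKey
    }
}

function Test-ListenerCert {
    # The listener certificate must be in LocalMachine\My on ISA, together with its private key.
    param([string]$ExpectedName)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $cert = @($store.Certificates | Where-Object {
            $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false) -eq $ExpectedName
        })[0]
    } finally { $store.Close() }
    if (-not $cert) {
        Write-Warning "No certificate with CN=$ExpectedName in LocalMachine\My; the listener cannot select it."
        return
    }
    $report = Get-CertChainReport -Cert $cert -ExpectedName $ExpectedName
    if (-not $report.HasPrivateKey) {
        Write-Warning "Certificate for $ExpectedName has no private key here; re-export it as a .pfx with the private key."
    }
    $report
}

function Test-BackendCert {
    # Fetch the certificate the OWA server presents on 443 and evaluate it against this
    # machine's trust stores, which is the check ISA performs before bridging SSL.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($HostName, $Port) }
    catch {
        # "actively refused" here means nothing is listening on the port (the second BPA alert)
        Write-Warning "TCP connect to ${HostName}:${Port} failed: $($_.Exception.Message)"
        return
    }
    # Accept any certificate during the handshake so it completes; trust is judged separately below
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } catch {
        Write-Warning "SSL handshake with $HostName failed: $($_.Exception.Message)"
        return
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
    Get-CertChainReport -Cert $remote -ExpectedName $HostName
}

'== Listener certificate on ISA =='
Test-ListenerCert -ExpectedName $PublicName | Format-List
'== Backend certificate as seen from ISA =='
Test-BackendCert -HostName $BackendName | Format-List
```

A ChainStatus of UntrustedRoot on the backend report is the condition behind the first BPA alert quoted in the question; importing the internal CA's root certificate into the ISA computer's Trusted Root Certification Authorities store clears it. A TCP connect warning corresponds to the second alert, which is a connectivity problem rather than a certificate one. NameMatches false on either report means the Common Name does not equal the name ISA uses for that hop, which the note about the Publishing Rule above covers.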
 
Redwulf__53 commented:
quote: "do I generate the certificate request from the Exchange server for
mail.domain.com.au, install it on the Exchange server, then export it to the ISA server"

YES, that will work fine :), remember to export it with Public Keys.
0
 
Barminco (Author) commented:
Thanks mate, all sorted.
0
