Cannot generate a valid certificate for Exchange 2007 with a CA

Here's the deal; it should be a simple one.

I followed the instructions at isaserver.org to publish my ISA server to the web via SSL using an internal certificate server, and have successfully published https://mail.domain.com.au. I now want to buy a certificate from a reputable CA, as I will be publishing my SharePoint site as well.

I have retrieved a test certificate for mail.domain.corp (internal) and installed it on the Exchange 2007 box, exported it and installed that in the personal cert store of the ISA server.
I still receive an error that the browser doesn't recognise the certificate (VeriSign test cert).
Once I try to log in I receive:

Error Code: 500 Internal Server Error. The network logon failed. (1790)

I receive the following errors from the ISA BPA:

  The SSL connection failure with published server (no trust) error alert was signaled 1 times:
  Events that triggered the alert: 5/02/2008 1:20:52 PM - ISA Server could not establish an SSL connection with the published server mail.domain.corp on port 443 because it does not trust the issuer of the SSL server certificate used by the published server. Verify that the root certificate for the certification authority (CA) that issued the server certificate is installed on the ISA Server computer. If the problem persists contact the Web server administrator.

  The Upstream chaining credentials error alert was signaled 1 times:
  Events that triggered the alert: 5/02/2008 1:15:03 PM - ISA Server was unable to establish an SSL connection with mail.domain.corp. No connection could be made because the target machine actively refused it. The failure is due to error: No connection could be made because the target machine actively refused it


Any suggestions?
Barminco asked:
Redwulf__53 commented:
You've installed the public certificate in the wrong place: it should be on ISA (the Listener is the endpoint where the client connects).
You can choose to secure the connection between the ISA server and the OWA/SharePoint server also with a (self-issued/intranet) certificate. In that case, ISA must trust the certificate that is installed on the OWA/SharePoint server (if the ISA server is not a member of the same domain, you may need to import the internal CA's certificate (root certificate) in the ISA server's "Trusted Root CAs" store).
Redwulf__53 commented:
Note: the certificate you install on the OWA server must have the same Common Name as the host-name used in the ISA Publishing Rule.
Barminco (author) commented:
Makes perfect sense. However...

Do I generate the certificate request from the Exchange server for
mail.domain.com.au, install it on the Exchange server, then export it to the ISA server?

Or do I generate it from the ISA server, which I can't, because it isn't a web server?

Help... confused...
Redwulf__53 commented:
It doesn't really matter where the cert was requested from (I usually create them on my own Vista Business laptop for my customers), as long as the whole procedure (create cert request -> complete pending request) is performed on the same box as one complete procedure, and the Common Name is the Fully Qualified DNS name that will be available on the Internet.

In the end, all that matters is which certificate IIS and ISA are configured to use.
So:

Internet --> webmail.mydomain.com <ISA Listener, forwards to> exchsrvr.mydomain.local
So the webmail.mydomain.com public cert is installed on ISA, and the private cert exchsrvr.mydomain.local is installed in IIS on the OWA server. ISA must trust the private cert exchsrvr.mydomain.local.

I understand your confusion, there are not many good articles online about this relatively simple scenario. This is one of the best:
http://www.redline-software.com/eng/support/docs/isaserver/CMT_SSLAuth.php

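The two checks behind the answer above and the earlier note about the Common Name (ISA must trust the issuer of the backend certificate, and the backend certificate's CN must equal the host-name in the publishing rule) can be reproduced outside ISA. The script below is an added example, not part of this thread or of any Microsoft tooling: it uses OpenSSL in place of Windows CryptoAPI, builds a throwaway "internal CA" standing in for the domain's certificate server, issues the backend certificate to it, and then runs the chain check once with the root present (what ISA sees after the root is imported) and once against an unrelated CA (what produces the "no trust" BPA alert in the question). The host-names `exchsrvr.mydomain.local` and the CA names are illustrative, taken from the answer's diagram. It also confirms that the private key on disk belongs to the certificate, which is what the later advice to export the certificate together with its key depends on.

```shell
#!/bin/sh
# Added example (not from the thread): model with OpenSSL the checks ISA
# performs on the backend (OWA/IIS) certificate, using a throwaway CA.
#  1. the certificate chains to a CA the ISA box trusts
#  2. the certificate's CN equals the host-name in the publishing rule
# Plus an export sanity check: the private key really belongs to the cert.
# OpenSSL stands in for Windows CryptoAPI; all names are illustrative.
set -e
WORK=$(mktemp -d)
BACKEND=exchsrvr.mydomain.local   # the "To" server in the ISA publishing rule

# Throwaway CA standing in for the domain's own certificate server (constructed)
make_ca() {                       # $1 = output basename, $2 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.cer" >/dev/null 2>&1
}

# Create the request and have the internal CA issue the backend cert; $1 = CN
issue_backend_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/internal.cer" \
    -CAkey "$WORK/internal.key" -CAcreateserial -days 30 \
    -out "$WORK/srv.cer" >/dev/null 2>&1
}

# Check 1: chain validation against a given trust store ($1 = CA file).
# Grepping for ": OK" instead of trusting the exit code keeps this portable
# to old OpenSSL builds whose `verify` exited 0 even on failure.
chain_trusted() {
  openssl verify -CAfile "$1" "$WORK/srv.cer" 2>/dev/null | grep -q ': OK$'
}

# Check 2: the CN that IIS presents must equal the publishing-rule host-name
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/srv.cer" \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Export sanity: the private key on disk must belong to the cert being exported
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$WORK/srv.cer")
  k=$(openssl rsa -noout -modulus -in "$WORK/srv.key" 2>/dev/null)
  [ "$c" = "$k" ]
}

main() {
  make_ca internal "mydomain internal CA"
  make_ca other "some unrelated CA"   # what an ISA box without the root trusts
  issue_backend_cert "$BACKEND"

  if chain_trusted "$WORK/internal.cer"; then
    echo "root imported on ISA: chain OK"
  fi
  if ! chain_trusted "$WORK/other.cer"; then
    echo "root missing on ISA: 'no trust' (the BPA alert in the question)"
  fi
  if [ "$(cert_cn)" = "$BACKEND" ]; then
    echo "CN matches publishing rule: $(cert_cn)"
  fi
  if key_matches_cert; then
    echo "key and cert match: safe to export as .pfx with the private key"
  fi
}
main
```

On the real ISA box the equivalent of the first check is importing the internal CA's certificate into the computer's Trusted Root Certification Authorities store; the second check is why a certificate issued to `mail.domain.com.au` cannot be reused unchanged for a publishing rule that forwards to `mail.domain.corp`.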
Redwulf__53 commented:
Quote: "Do I generate the certificate request from the Exchange server for
mail.domain.com.au, install it on the Exchange server, then export it to the ISA server?"

YES, that will work fine :), remember to export it with Public Keys.
Barminco (author) commented:
Thanks mate, all sorted.