Barminco
asked on
cannot generate valid certificate for exchange2007 with a CA
Here's the deal, should be a simple one.
I followed the instructions at isaserver.org to publish my ISA server to the web via SSL using an internal certificate server, and have successfully published https://mail.domain.com.au. I now want to buy a certificate from a reputable CA, as I will be publishing my SharePoint site as well.
I have retrieved a test certificate for mail.domain.corp (internal) and installed it on the Exchange 2007 box, exported it and installed that in the personal cert store of the ISA server.
I still receive an error that the browser doesn't recognise the certificate (VeriSign test cert).
Once I try to log in I receive:
Error Code: 500 Internal Server Error. The network logon failed. (1790)
I receive the following errors from the ISA BPA:
The SSL connection failure with published server (no trust) error alert was signaled 1 times :
Events that triggered the alert: 5/02/2008 1:20:52 PM - ISA Server could not establish an SSL connection with the published server mail.domain.corp on port 443 because it does not trust the issuer of the SSL server certificate used by the published server. Verify that the root certificate for the certification authority (CA) that issued the server certificate is installed on the ISA Server computer. If the problem persists contact the Web server administrator.
Tell me more about this issue and how to resolve it.
The Upstream chaining credentials error alert was signaled 1 times :
Events that triggered the alert: 5/02/2008 1:15:03 PM - ISA Server was unable to establish an SSL connection with mail.domain.corp. No connection could be made because the target machine actively refused it. The failure is due to error: No connection could be made because the target machine actively refused it
Any suggestions?
note: the certificate you install on the OWA server must have the same Common Name as the host-name used in the ISA Publishing Rule.
ASKER
makes perfect sense. however...
Do I generate the certificate request from the Exchange server for
mail.domain.com.au, install it on the Exchange server, then export it to the ISA server,
or do I generate it from the ISA server, which I can't because it isn't a web server?
Help.. confused..
quote: "do i generate the certificate request from the exchange server for
mail.domain.com.au, install it on the exchange server, then export it to the isa server "
YES that will work fine :), remember to export it with Public Keys.
ASKER
thanks mate, all sorted
You can choose to secure the connection between the ISA server and the OWA/SharePoint server also with a (self-issued/intranet) certificate. In that case, ISA must trust the certificate that is installed on the OWA/SharePoint server (if the ISA server is not a member of the same domain, you may need to import the internal CA's certificate (root certificate) in the ISA server's "trusted root CA's" store).
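
The two checks discussed in this thread (the issuer must be trusted, and the certificate name must equal the host name in the publishing rule) can be reproduced offline. This is an added example, not part of the original thread: it uses `openssl` on a scratch directory instead of the ISA and Exchange certificate stores, and the CA names and helper functions are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: throwaway lab PKI built with openssl. All names are constructed.
set -eu

# make_pki DIR CA_NAME HOST: create a root CA and a server certificate for HOST.
make_pki() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -out "$1/srv.crt" 2>/dev/null
}

# issuer_trusted CERT ROOT: succeeds only if CERT chains to the root in ROOT.
issuer_trusted() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# name_matches CERT HOST: succeeds only if CERT is valid for HOST.
name_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# check CERT ROOT HOST: print one verdict, as the publishing firewall would see it.
check() {
  if ! issuer_trusted "$1" "$2"; then echo "FAIL untrusted-issuer"
  elif ! name_matches "$1" "$3"; then echo "FAIL name-mismatch"
  else echo "OK"; fi
}

LAB=$(mktemp -d)
make_pki "$LAB/internal" "Lab Internal Root CA" "mail.domain.corp"
make_pki "$LAB/other"    "Unrelated Root CA"    "unused.example"

# Root store without the internal CA: the "no trust" alert from the thread.
check "$LAB/internal/srv.crt" "$LAB/other/ca.crt" mail.domain.corp
# Internal root imported, but the rule uses a different host name.
check "$LAB/internal/srv.crt" "$LAB/internal/ca.crt" mail.domain.com.au
# Internal root imported and the rule's host name equals the certificate CN.
check "$LAB/internal/srv.crt" "$LAB/internal/ca.crt" mail.domain.corp
```

The trust check runs before the name check, so an untrusted issuer is reported even when the name would also have failed.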