Solved

SSL Certificate Problem

Posted on 2008-06-26
478 Views
Last Modified: 2011-10-19
I just set up a new Exchange server and purchased an SSL certificate from Verisign. First, they did not have a certificate specifically for IIS7.0, but told me the IIS6.0 would work fine (not sure if that is true). They sent me an e-mail with the certificate key which I copied into a text file and changed the extension to .CER as this is what file Server 2008/IIS7.0 wants. I appear to have gotten it imported correctly despite the fact it was not sent as a .CER file since Server Manager shows the new certificate and the status indicates everything is "OK". The problem is that when I open my Outlook webmail, I get the generic certificate error, "The security certificate presented by this website has errors." There does not seem to be a lot of info out there in the area of SSL and Exchange 07. As I am new with SSL I am at a loss to begin troubleshooting this problem. Any help is appreciated. Thanks in advance.
Question by:hckynt
24 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 21875681
it should give a more detailed reason - for instance "the certificate does not match the site name"
 

Author Comment

by:hckynt
ID: 21875700
No such luck.  Here is the error.
Cert-Error.bmp
 
LVL 33

Expert Comment

by:Dave Howe
ID: 21876000
can you hit "view certificates" and see what is shown under the common name? check if it matches what you have at the start of the url (between the https:// and the next / )

 
LVL 9

Expert Comment

by:dipersp
ID: 21876011
Click the view certificates link at the bottom of that error and report back.
 

Author Comment

by:hckynt
ID: 21876148
I am accessing the site internally so I am using the IP address of the server, but I have verified the trusted name is my domain name. I currently have my old Exchange 2003 server still on-line until migration completes so there is no way I can test externally without making changes to my firewall. Do you think that is the problem?
Cert.bmp
 
LVL 9

Accepted Solution

by:
dipersp earned 250 total points
ID: 21876185
That will definitely cause the problem.  The cert says it's registered for "mail.domain.com" , yet you're typing in "syserv" in your browser, so the cert is doing what it should and giving you an error.

What you can do is create a host file on your machine temporarily. Point it to the IP address of the new box, and put its correct external name in there. Do an IPCONFIG /FLUSH on your machine and point to the correct external name in your browser and see what you get.
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 21876250
that's a self-signed cert, not a CA-issued cert. issuer and server name are both "sysserv"

first step is to get your ca's cert in there properly - you may need to do a type conversion, if it wasn't supplied in the right type.

save the one they sent you to your windows desktop and double-click it - that will show you what the cert is supposed to look like...
 

Author Comment

by:hckynt
ID: 21876275
OK, so I set the name of the server (sysserv) in my hosts file to translate to "mail.domain.com" and am no longer getting the certificate error. However, I think I might have screwed up. We have a hosted web solution for www.domain.com. We currently access our Exchange 2003 Webmail externally at mail.domain.com/exchange. When I put the new server in its place will the certificate error show back up?
 

Author Comment

by:hckynt
ID: 21876298
The cert they sent me was plain text in an e-mail.  When I attempted to import the file the server wanted a .CER file so I created a text file and changed the extension.  Verisign has not gotten back to me.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 21876301
as long as the cert shows in the ie window as "mail.domain.com" that's fine - only the part between the https:// and the next / is matched (the domain name) not the path.
 
LVL 9

Expert Comment

by:dipersp
ID: 21876357
Dave's right - I totally missed the issued by name - it's a self-signed cert and will also cause issues.

What you did sounds right though - you need to drop that plain text into the cer file and go from there.  Did you get a cert for mail.domain.com or for www.domain.com, and/or do you have a need for SSL on the www site?  If you got it for mail.domain.com, you're fine, even if you use mail.domain.com/exchange.
 
LVL 33

Expert Comment

by:Dave Howe
ID: 21876372
should be fine - a plaintext cert usually looks like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

dropping that into a .txt file and renaming that to .cer should cause the icon to change to a little certificate; double-clicking that should cause it to open in a viewer window similar to the cert.bmp above
 

Author Comment

by:hckynt
ID: 21876513
I must have gotten it for mail.domain.com since the host file is resolving sysserv (the name of the server) to mail.domain.com. Are you saying I should create the cert file first, then copy and paste the text in?
 
LVL 33

Expert Comment

by:Dave Howe
ID: 21876667
no, only what is in the certificate "issued to" field matters. go look at (for example) https://mail.google.com/ 's certificate for comparison.

I am saying if the certificate you got back from your isp looked like the above with -- begin and --end markers, dropping the whole of that (including the markers) into a text file ending in .cer would give you a usable importable certificate. double-clicking a .cer file in windows opens it in a viewer so you can inspect what it was issued to and by.

the "issued to" is set when you generate a certificate signing request (csr) which you would have done on the server.
 

Author Comment

by:hckynt
ID: 21876728
So what should I do now, wait on Verisign?
 
LVL 9

Expert Comment

by:dipersp
ID: 21876821
I'm confused.

You generated the cert request in IIS.  You received back the certificate in plain text from Verisign.  You said you placed the plain text into a .CER file.  Then what did you do?  Did you go back into IIS and continue the certificate request?
 

Author Comment

by:hckynt
ID: 21876999
Yes, I generated the cert request which created the text file containing the server ID. I purchased the certificate on-line (Verisign) and pasted the info from the request into my order form (like I said before, they did not have IIS7.0 as a choice but they told me to choose IIS6.0). They sent me a message saying the request was approved and at the bottom of the e-mail was the server key. The instructions provided for adding the certificate were for IIS6.0 (totally different). I then copied the cert key into a text file and renamed it to a .CER file. I went to Server Manager and tried to add the certificate using "Complete Certificate Request", but got an error about not finding the original request. I then went to Exchange and followed the instructions for adding the certificate under "Exchange Server 2007 Finalize Deployment" and it told me the certificate was already added. Finally, I deleted the self-issued certificate I created back in the days for my Exchange 03 server that apparently copied over during the migration.
 
LVL 9

Expert Comment

by:dipersp
ID: 21877035
It sounds like Exchange said the cert was already installed because it had a self-signed cert.

In IIS, once you request a cert you can NOT create a new request or it wipes out the original.  It sounds like something happened in IIS between the time you made the request and attempted to install the cert.

You'll need to create a new request in IIS, send it to Verisign (hoping you have the ability to create or reissue certs for so many days from original purchase) and then put the new key they send in IIS. When you create the cert and send it to Verisign, stay out of the cert stuff in IIS and make sure not to create a new request in IIS.
 

Author Comment

by:hckynt
ID: 21877104
Not sure what could have happened. I discovered that the Exchange addition process does not ask for the original request, so I wiped out the certificate completely and worked strictly from Exchange. I am now going back through the steps and am getting an error that the certificate is not valid for Exchange Server because the Private Key is missing (I forgot this step the first time around). I think I need Verisign to answer their phone!
 
LVL 33

Expert Comment

by:Dave Howe
ID: 21877242
if you wipe out a CSR (by generating a self signed cert) you also remove the private key. about the only way around that is to import a cert and export both cert and key using the mmc snapin for certificates (you can sign csrs yourself using http://sourceforge.net/xca )

alternatively, you can generate both CSR and key in XCA, and import both using the mmc snapin. you need then only select it in iis for it to work.
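As an added example, not code from this thread, from Microsoft or from Verisign: a PowerShell check that reports, for a .cer file or for the certificate installed in the machine store, the three things the answers above say to look at: whether "issued to" matches the host name in the URL (what dipersp's accepted answer and Dave Howe's comment on matching describe), whether issuer equals subject (the self-signed certificate Dave Howe spotted), and whether the private key is present (the "Private Key is missing" error after the CSR was wiped). The file path and host name in it are placeholders.

```powershell
# Added example, not from the thread: triage a certificate for the three faults
# discussed above (name mismatch, self-signed issuer, missing private key).
# $HostInUrl is the part of the URL between https:// and the next '/'.
function Test-WebCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$HostInUrl
    )
    # Subject CN, e.g. "CN=mail.domain.com, O=Example" -> "mail.domain.com"
    $cn = ($Cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } |
           Select-Object -First 1) -replace '^CN=', ''
    # Subject Alternative Names (OID 2.5.29.17) print as "DNS Name=a, DNS Name=b"
    $san = @()
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $san = @($sanExt.Format($false) -split ',\s*' |
                 ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    New-Object PSObject -Property @{
        IssuedTo       = $cn
        IssuedBy       = $Cert.Issuer
        # The browser matches only the host name against CN/SAN, never the path
        NameMatchesUrl = ($cn -ieq $HostInUrl) -or ($san -icontains $HostInUrl)
        # Issuer identical to subject means self-signed, not the CA-issued cert
        SelfSigned     = ($Cert.Subject -eq $Cert.Issuer)
        # False here is the "Private Key is missing" error: the CSR's key is gone
        HasPrivateKey  = $Cert.HasPrivateKey
        Expired        = ($Cert.NotAfter -lt (Get-Date))
    }
}

# 1. The .cer file saved from the CA's e-mail (same data as double-clicking it);
#    the path is a placeholder. A .cer file never carries the private key.
$fromFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\certs\mail.cer'
Test-WebCert -Cert $fromFile -HostInUrl 'mail.domain.com'

# 2. The certificate actually installed in the machine store that IIS/Exchange bind;
#    this one must report HasPrivateKey = True or Exchange will reject it.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*mail.domain.com*' } |
    ForEach-Object { Test-WebCert -Cert $_ -HostInUrl 'mail.domain.com' }
```

If the store copy reports SelfSigned = True or HasPrivateKey = False, the fix is the one given above: a fresh CSR whose key stays untouched until the signed certificate is imported.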
 

Author Comment

by:hckynt
ID: 21877271
Sounds hard enough. I am new to SSL; are there some steps somewhere I can follow to get this accomplished? Thanks!
 

Author Comment

by:hckynt
ID: 21877408
OK, so I found the file I sent to Verisign containing my server's ID (the request). Back in Server Manager I am trying to complete the process, so I browse to my file, enter my domain, mail.company.com, click OK and I get an error, "There was an error while performing this operation...bad tag value met."
 
LVL 33

Expert Comment

by:Dave Howe
ID: 21877735
the file you sent to verisign is the CSR (certificate signing request). if the secret key that went with it is lost (which it probably is) then it's useless.
 

Author Closing Comment

by:hckynt
ID: 31470990
Thanks guys.  It was a combination of things so I revoked the certificate and requested a new one from Verisign.  Thanks!
