How to use a webserver certificate issued by a Windows 2008 CA for an ISA 2006 OWA listener?

How do I use/import a webserver certificate which was issued by a Windows Server 2008 certificate authority for an ISA 2006 OWA listener? ISA says: The certificate is not valid.
Asked by: NetPro70

NetPro70 (Author) commented:
I finally solved the problem. With a Windows 2008 CA, webserver certificates are no longer exportable with the private key included. So a valid certificate cannot be imported into an ISA 2006 web listener. So I duplicated the webserver certificate template (version Windows 2000) and took Windows 2008 as the new template version. Then the private key is marked as exportable again in this template. After publishing the new template in the CA, I requested the desired webserver certificate with this new template from another Windows 2008 server via the certificate MMC, installed the certificate and exported it. This certificate could then be imported on the ISA server and could be used with the web listener.
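
A command-line equivalent of the request and export steps in the answer above, added as an example and not part of the original post: it uses `certreq` to request a certificate from the duplicated template with an exportable key, then `certutil` to export it to a PFX. The template name, CA config string and host name are placeholders (assumptions), and the duplicated template must already be published on the CA.

```bat
@echo off
rem Added example, not from the thread. Placeholder values (assumptions):
rem   WebServerExportable = name given to the duplicated template
rem   CA01\Example-CA     = CA config string (host\CA name)
rem   mail.example.com    = public host name of the OWA listener
setlocal
set TEMPLATE=WebServerExportable
set CACONFIG=CA01\Example-CA
set FQDN=mail.example.com

rem 1. Write the request policy file. Exportable = TRUE marks the new
rem    private key as exportable, which step 4 depends on.
(
  echo [NewRequest]
  echo Subject = "CN=%FQDN%"
  echo KeyLength = 2048
  echo KeySpec = 1
  echo MachineKeySet = TRUE
  echo Exportable = TRUE
  echo RequestType = PKCS10
  echo [RequestAttributes]
  echo CertificateTemplate = %TEMPLATE%
) > owa.inf

rem 2. Generate the key pair and the PKCS#10 request on this server.
certreq -new owa.inf owa.req
if errorlevel 1 goto fail

rem 3. Submit to the CA and install the issued certificate next to its key.
certreq -submit -config "%CACONFIG%" owa.req owa.cer
if errorlevel 1 goto fail
certreq -accept owa.cer
if errorlevel 1 goto fail

rem 4. Export certificate plus private key from the machine store.
rem    No -p option is given, so certutil prompts for the PFX password
rem    and it never appears in the command line or in this script.
certutil -exportPFX My "%FQDN%" owa.pfx
if errorlevel 1 goto fail

del owa.inf owa.req
echo Exported owa.pfx. Import it into the ISA server's Local Computer
echo Personal store, then delete every copy of the PFX file.
goto :eof

:fail
echo A step failed. If the export failed, check that the key is exportable.
exit /b 1
```

The PFX holds the listener's private key, so it should exist only for the duration of the transfer to the ISA server.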

Raj-GT (Systems Engineer) commented:
a. How did you create the certificate request?
b. Is the root certificate trusted by the ISA Server and your exchange server?

NetPro70 (Author) commented:
a. Requested via CA Web Interface
b. Root certificate is trusted
 
Raj-GT (Systems Engineer) commented:
I would check the CA policies on the Server 2008 machines for misconfigurations first and then use the Certificates MMC from the ISA Server to request the certificate.

NetPro70 (Author) commented:
So far I found a solution that keeps my ISA listeners running, but it is not the final solution. I installed a sub-CA which is a Windows 2003 server, and those certificates are working fine with the ISA listeners again. But the problem with 2008-issued certificates is persistent.

Raj-GT (Systems Engineer) commented:
Do you have all the updates installed on the ISA Server? IIRC there were some changes made to ISA regarding certificates in SP1 (I am still looking for the link).

NetPro70 (Author) commented:
Latest patches completely applied.

Raj-GT (Systems Engineer) commented:
Can you open the offending certificate using Explorer (just double click) and post a screenshot?

Raj-GT (Systems Engineer) commented:
A hotfix addressing this issue is now available from Microsoft - http://support.microsoft.com/kb/948963/

Regards,
Raj

Raj-GT (Systems Engineer) commented:
I would consider my final comment as a valid answer unless NetPro70 objects.

Thanks,
Raj

Keith Alabaster (Enterprise Architect) commented:
Only comment there, Raj, is that the article was for Windows 2003 issues, whereas the user has 2003 working OK, and the issue is with the 2008 version, unless I am reading it incorrectly.

Raj-GT (Systems Engineer) commented:
I assume the ISA Server is running on top of Windows 2003, which doesn't support the AES cipher suite used by Server 2008 CA. The hotfix I linked will resolve this issue.

See link for more details - http://blogs.technet.com/isablog/archive/2009/05/23/fun-with-isa-server-and-aes-cipher-suites.aspx

Thanks,
Raj
Question has a verified solution.
