Solved

How to use a webserver certificate issued by a Windows 2008 CA for an ISA 2006 OWA listener?

Posted on 2009-04-22
Last Modified: 2012-06-21
How do I use/import a webserver certificate which was issued by a Windows Server 2008 certificate authority for an ISA 2006 OWA listener? ISA says: The certificate is not valid.
Question by:NetPro70
12 Comments
 
LVL 15

Expert Comment

by:Raj-GT
ID: 24206292
a. How did you create the certificate request?
b. Is the root certificate trusted by the ISA Server and your Exchange server?
0
 
LVL 1

Author Comment

by:NetPro70
ID: 24207500
a, Requested via CA Web Interface
b, root certificate is trusted
0
 
LVL 15

Assisted Solution

by:Raj-GT
Raj-GT earned 200 total points
ID: 24209206
I would check the CA policies on the Server 2008 machines for misconfigurations first and then use the Certificates MMC from the ISA Server to request the certificate.
0
 
LVL 1

Author Comment

by:NetPro70
ID: 24285026
So far I found a solution that keeps my ISA listeners running, but it is not the final solution. I installed a sub-CA which is a Windows 2003 server and those certificates are working fine with the ISA listeners again. But the problem with 2008-issued certificates is persistent.
0
 
LVL 15

Expert Comment

by:Raj-GT
ID: 24302451
Do you have all the updates installed on the ISA Server? IIRC there were some changes made to ISA regarding certificates in SP1 (I am still looking for the link).

0
 
LVL 1

Author Comment

by:NetPro70
ID: 24302470
Latest patches completely applied.
0
 
LVL 15

Expert Comment

by:Raj-GT
ID: 24309570
Can you open the offending certificate using Explorer (just double click) and post a screenshot?
0
 
LVL 15

Expert Comment

by:Raj-GT
ID: 24501222
A hotfix addressing this issue is now available from Microsoft - http://support.microsoft.com/kb/948963/

Regards,
Raj
0
 
LVL 15

Expert Comment

by:Raj-GT
ID: 25279574
I would consider my final comment as a valid answer unless NetPro70 objects.

Thanks,
Raj
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 25279612
Only comment there, Raj, is that the article was for Windows 2003 issues whereas the user has 2003 working OK, and the issue is with the 2008 version, unless I am reading it incorrectly.
0
 
LVL 15

Expert Comment

by:Raj-GT
ID: 25279668
I assume the ISA Server is running on top of Windows 2003, which doesn't support the AES cipher suite used by Server 2008 CA. The hotfix I linked will resolve this issue.

See link for more details - http://blogs.technet.com/isablog/archive/2009/05/23/fun-with-isa-server-and-aes-cipher-suites.aspx

Thanks,
Raj
0
 
LVL 1

Accepted Solution

by:
NetPro70 earned 0 total points
ID: 25430472
I finally solved the problem. With a Windows 2008 CA, webserver certificates are no longer exportable with the private key included. So a valid certificate cannot be imported into an ISA 2006 web listener. So I duplicated the webserver certificate template (version Windows 2000) and took Windows 2008 as the new template version. Then the private key is marked as exportable again in this template. After publishing the new template in the CA, I requested the desired webserver certificate with this new template from another Windows 2008 server via the Certificates MMC, installed the certificate and exported it. This certificate could then be imported on the ISA server and could be used with the web listener.
0
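
A check related to the accepted solution above, added here as an example and not part of the original thread: it lists the Server Authentication certificates on the listener host and reports whether each one arrived with its private key, whether that key is marked exportable, and whether its chain validates. It assumes PowerShell 2.0 or later, an elevated session, and that the certificate was imported into the LocalMachine\My store.

```powershell
# Added example (not from the thread). Run elevated on the ISA/listener host.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    $report = foreach ($cert in $store.Certificates) {
        # Skip certificates that were not issued for Server Authentication.
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
        if (-not $eku) { continue }
        $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($usages -notcontains $serverAuthOid) { continue }

        # Build the chain with the default policy (includes online revocation,
        # so an isolated host may report RevocationStatusUnknown).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        # A PFX exported without its key imports as a certificate with
        # HasPrivateKey = False, which a web listener cannot use.
        $exportable = 'n/a'
        if ($cert.HasPrivateKey) {
            try { $exportable = [string]$cert.PrivateKey.CspKeyContainerInfo.Exportable }
            catch { $exportable = 'unknown (key not readable via a CryptoAPI CSP)' }
        }

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = $exportable
            ChainValid    = $chainOk
            ChainStatus   = $chainStatus
        }
    }
}
finally { $store.Close() }

$report |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey, Exportable, ChainValid, ChainStatus |
    Format-List
```

A key reported as Exportable True can be copied off the host by any administrator of that machine, so delete the intermediate PFX file once the import has been verified.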

Question has a verified solution.