
IIS 2003 Server install new certificate

I have a 2003 server running Exchange which currently has a .com cert installed for our OWA connections. We have purchased a new cert for .co.uk which we want to use instead. When I select "Replace current certificate" in IIS it only shows me the installed cert.

Do I remove this cert first and then install the new one, or do I install the new cert into Trusted Sites in IE first to try and make it appear in the list when I select "Replace cert"?

I have the new file as a file with a .cer extension.
Asked by NSSUK
1 Solution
 
Akhater commented:
To install the certificate:

Start -> Run -> mmc
Add/Remove Snap-ins
Certificates -> Computer account
Browse Personal -> right-click -> All Tasks -> Import
Next, Next, Finish

Make sure the certificate you have just imported is in the Personal store of the Computer account certificates.

Double-click on it and make sure all looks OK (i.e. you have a private key for this certificate and no warnings or errors whatsoever).

 
MikeGGG commented:
Just a little addition.
If you generated a request somewhere else but not on that server, you possibly will be able to install it, but it is very important to see the "you have a private key" message, as described in the previous comment, and it is most likely you won't be able to see it.
If you don't see "you have a private key" in the certificate window, you can work around it as described in this excellent article:
http://www.entrust.net/knowledge-base/technote.cfm?tn=6926
 
vikasjus commented:
Hi,
IIS will accept either *.key or *.pfx format certificates. What you need to do is export the certificate along with all keys to .pfx format after following the steps given by Akhater, and then import it in IIS.
 
Akhater commented:
@vikasjus I don't understand why there is a need to export?

If he installs the certificate in the computer account certificates, and assuming that the request was generated from that server, the certificate should be installed, working and ready to be used in IIS.

However, if the request was generated on another server, then the steps highlighted above should be done on that server, then the whole certificate with keys exported and imported back on the Exchange server.
 
NSSUK (Author) commented:
Just to add, I don't think the cert request was done from that server, as I get a security message if I try to view the certificate. It says the file is invalid for use as the following: Security Certificate.
 
Akhater commented:
So I guess you should find out where the request was generated.

Did you try to follow the steps I gave you?
 
MikeGGG commented:
So, I think the only correct way for you should be to follow the instructions provided by Akhater, then install the private key as described in my link, check in the Certificates console that your new cert looks OK (with private key!) and then replace the certificate in IIS as usual.
 
NSSUK (Author) commented:
Not had a chance yet; wanted to get an idea of what needed to be done before I went and did it.
 
NSSUK (Author) commented:
Hi, I have done what Akhater first suggested and imported it into the Personal store. I can open the cert OK with no errors, but it doesn't have the line at the bottom that says I have a private key that corresponds to this certificate. I do get this line if I look at my current cert.

So would I now need to follow the other article from MikeGGG on the Entrust site?
 
MikeGGG commented:
I think if you want to have your cert installed, you should :)
The problem is, as I already told you, that the cert request has been generated on the other machine. When you generate it on the same PC, your key is already stored locally.
 
Akhater commented:
Is it a public certificate (meaning from a public CA) or an internal one?
 
MikeGGG commented:
Akhater,
> we have purchased a new cert for .co.uk
 
NSSUK (Author) commented:
It is a public cert. I have just found out that it was done from the actual machine, but as the current cert is valid they created a new website in IIS and generated the request from that, but it will need applying to the Default Web Site.

The new site they created is still there but is not running.
 
Akhater commented:
Sorry Mike, my bad!

@NSSUK I didn't get this:
> The new site they created is still there but is not running.

What do you mean?
 
NSSUK (Author) commented:
As the default site is running with a .com cert which is valid, they were told to create a new website in IIS and generate the cert request from it, which they did. The website has now been stopped but hasn't been deleted.
 
Akhater commented:
Let's keep IIS on the side for one sec. In the MMC -> Certificates -> Computer account,

is the certificate now showing "You have a private key that corresponds to this certificate"?

0
 
NSSUK (Author) commented:
No, there is no statement at the bottom of the screen when I open the cert from the MMC Certificates snap-in, but I don't get any errors either.
 
MikeGGG commented:
You shouldn't see any errors, but you cannot use that certificate on your site unless you have the private key for it.
Have you already tried it with certutil?
 
NSSUK (Author) commented:
Not tried certutil yet. Will that then add the private key?
 
MikeGGG commented:
To install a Web server certificate that lacks a pending certificate request:

1. Click Start, point to Run, type cmd, and then click OK.

2. Navigate to the directory where Certutil.exe is stored; by default, this is %windir%\system32.

3. Type the following command at the command prompt: certutil -addstore my certnew.cer
   where certnew.cer is the name of the certificate you received from the certification authority (CA).
   You should see the following message: CertUtil: -addstore command completed successfully.

4. Navigate to the directory where you stored the certificate you received from the CA. Right-click the certificate and then point to Properties.

5. Click the Details tab and select <All> in the Show drop-down list.

6. In the Field list, select Thumbprint to display its value in the view pane.

7. Select the Thumbprint value in the view pane and then press CTRL+C.

8. Return to the command prompt window and type the following command: certutil -repairstore my "thumbprint"
   where thumbprint is the value of the Thumbprint field. Be sure to type the double quotes as part of the command. If the command is successful, the following message is displayed: "Encryption test passed CertUtil: -repairstore command completed successfully."


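The procedure from this thread, i.e. Akhater's import into the computer's Personal store followed by MikeGGG's certutil -repairstore step, scripted as one check-and-repair pass. This is an added example, not code posted by anyone in the thread; it assumes PowerShell 2.0 or later on the server where the request was generated, an elevated prompt, and the constructed path `C:\certs\owa-couk.cer`.

```powershell
# Added example (not from the thread). Imports a CA-issued .cer into the computer's
# Personal store, checks whether a private key is bound to it, and runs
# certutil -repairstore against the thumbprint when it is not.
param(
    [string]$CerPath = 'C:\certs\owa-couk.cer'   # constructed placeholder path
)

function Get-StoreCert([string]$Thumbprint) {
    # Re-read from the store so HasPrivateKey reflects the machine key container,
    # not the bare .cer file (a .cer never carries a private key by itself).
    $s = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
    $s.Open('ReadOnly')
    $c = $s.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $s.Close()
    return $c
}

# Step 1: the MMC import (Certificates -> Computer account -> Personal -> Import).
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', 'LocalMachine'
$store.Open('ReadWrite')
$store.Add($cert)          # equivalent to certutil -addstore my certnew.cer
$store.Close()

# Step 2: does the installed copy have the "you have a private key" binding?
$installed = Get-StoreCert $cert.Thumbprint
if (-not $installed.HasPrivateKey) {
    # Step 3: same as the manual steps 3-8 above; certutil searches the machine
    # key containers for the key pair created with the original request.
    & certutil -repairstore my $cert.Thumbprint | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed: no matching key on this machine."
    }
    $installed = Get-StoreCert $cert.Thumbprint
}

if ($installed.HasPrivateKey) {
    "OK: {0} has a private key; IIS can now select it (expires {1})." -f `
        $installed.Subject, $installed.NotAfter
} else {
    # The request was generated elsewhere: export from that machine as .pfx instead.
    "No private key for {0} on this server; export key+cert as .pfx from the requesting machine." -f `
        $installed.Subject
}
```

The final HasPrivateKey check is the scripted form of looking for the "You have a private key that corresponds to this certificate" line in the certificate dialog; without it the certificate will not appear in the IIS replace-certificate list.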
