Server cannot establish connection with the configuration storage server :: Certificate expired :: ISA 2006

Each of my ISA array members has the error "Server cannot establish connection with the configuration storage server". I believe this is due to the expiration of a certificate in the Personal Certificate Store.

- 2 x Windows 2003 R2 enterprise edition
- ISA 2006 Enterprise Edition
- Workgroup / No Domain / DMZ

I inherited this setup so I am not sure of a few items:
1. What CA was used so I can renew it (can I rely on the "issued by" of the expired cert)?
2. The "issued by" is the configuration storage server but no CA exists there (at this point).
3. How do I renew this certificate once I find the CA?
4. How does the ISACertToolPack.exe come into play?
5. How does the expired certificate impact my ISA box?

Thanks for your time in advance!
kblumen asked:
Paranormastic (Cryptographic Engineer) commented:
1. Yes, rely on the "issued by" field of the certificate.  You might also try checking the 3rd tab of the cert properties 'Certificate Path' and see if there may be multiple certs in a chain - that might help you determine if it was a commercial cert or internal.

2. That could be a problem.  On a Vista workstation, try opening certsrv.msc - this will open the CA MMC and give you a warning that there is no CA installed on that box - hit OK - right click Certification Authority (local) - retarget - Browse.  If there is an Enterprise CA, it will show up here with the CAName and the ServerName.  Check on that box by opening certsrv.msc - you should get the CA console instead of the error on a CA box.  You can see if Certificate Services is listed in Services.msc as well.

3. The easiest and best documented way is to do it via IIS - create a dummy site and open its properties - Directory Security tab - server certificate - follow the wizard to create a new request.  That will generate a CSR file that you will submit to http://caservername/certsrv - 1st option/2nd option - fill out the form the CSR goes into the big box (can browse to it or open in notepad and copy/paste).  Also, in the existing cert - check to see if there is a Subject Alternative Name field - if there is you will want to include those names in the Attributes field as "SAN:dns=server1&dns=server1.domain.com&dns=alias1" etc.

4. Here's a little info on that tool & the download link if you need it (since you already have certs I'm guessing it's already there if needed):
http://www.microsoft.com/downloads/details.aspx?familyid=655f22ba-2424-4269-94d3-cb07308afc46&displaylang=en

5. It depends on what is using the certs. If it's on the front end, clients may get a certificate-expired warning message that they can click Yes to in order to continue with a secured session, after getting over being annoyed. If it's on the back end it could drop application communication, if the application is designed to fail when the certificate is not validated.


If your CA is really not there anymore and you're stuck in the water and need a quick fix - I would suggest getting a cheap commercial cert for now.  If you are fine with using the latest MS root update from last fall then you can get a free cert from startcom.org, otherwise if you need something with better general acceptance (e.g. if this is a commercial front-end) then you might want to look into GoDaddy.  Since you have an internally issued cert I'm guessing startcom is going to do the trick for you (again make sure you have the latest root cert update from windows update in order to have it trusted).
Paranormastic (Cryptographic Engineer) commented:
3-B. After issuing the cert, go back to the same area on the server and run through the wizard to install the cert. Then run it again to export including private key to a .pfx file, then you can go to the production site and run through that wizard again (I know it's a bit repetitive, but it keeps the prod site untouched until you need to) and import the .pfx file. You can try restarting web services, but there is a good chance you may need to reboot to clear the old cert out of cache.
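
The request/submit/install/export procedure from Paranormastic's two comments above, done from the command line instead of the IIS dummy-site wizard. This is an added example, not code from the thread and not the steps in kblumen's attached PDF. It drives certreq.exe and certutil.exe (both ship with Windows Server 2003) from PowerShell 1.0, which installs on Windows Server 2003. The CSS host name, the short name in the SAN, the CA config string "CA-SERVER\CA-NAME" and the PFX password are placeholders to be replaced; how the resulting certificate is bound to the ISA configuration storage service is not shown on this page and is not covered here.

```powershell
# Added example, not from the thread. All names below are assumptions.
$cn       = "isa-css01.dmz.example.local"   # assumed CSS FQDN (the Subject CN)
$san      = "dns=$cn&dns=isa-css01"         # assumed: FQDN plus short name, as in the old cert's SAN
$caConfig = "CA-SERVER\CA-NAME"             # assumed; recover it from the AIA filename ServerShortname_CAName.crt
$workDir  = "C:\certwork"
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Request definition. KeySpec=1 (AT_KEYEXCHANGE) and KeyUsage=0xA0 (digitalSignature +
#    keyEncipherment) are what an SSL/TLS server certificate needs; Exportable=TRUE so the
#    key can be carried to the other array member as a .pfx, MachineKeySet=TRUE so the key
#    lands in the machine's Personal store rather than the user's.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$cn"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
Set-Content -Path "$workDir\css.inf" -Value $inf

# 2. Generate a fresh key pair and the PKCS#10 CSR (the key waits in LocalMachine\REQUEST).
certreq -new "$workDir\css.inf" "$workDir\css.req"

# 3. Submit to the CA. The SAN request attribute is only honoured if the CA has
#    EDITF_ATTRIBUTESUBJECTALTNAME2 set; on the CA box that is
#      certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
#    followed by a restart of the Certificate Services service.
#    A stand-alone CA (the usual choice in a workgroup DMZ) holds the request as pending:
#    issue it on the CA with  certutil -resubmit <RequestId>  and then fetch it with
#      certreq -retrieve -config $caConfig <RequestId> "$workDir\css.cer"
certreq -submit -config $caConfig -attrib "SAN:$san" "$workDir\css.req" "$workDir\css.cer"

# 4. Install the issued certificate. This joins it to the pending private key and moves
#    the pair into LocalMachine\My, the "Personal" store in the Certificates MMC.
certreq -accept "$workDir\css.cer"

# 5. Confirm an unexpired certificate for the CN now exists, then export it with the
#    private key for the second array member.
$new = Get-ChildItem Cert:\LocalMachine\My |
       Where-Object { $_.Subject -eq "CN=$cn" -and $_.NotAfter -gt (Get-Date) } |
       Sort-Object NotAfter -Descending | Select-Object -First 1
if ($new -eq $null) { throw "No valid certificate for CN=$cn in LocalMachine\My" }
certutil -p "ChangeMe-PfxPassword" -exportPFX My $new.Thumbprint "$workDir\css.pfx"
```

The old, expired certificate is left in place on purpose; delete it only after the service has been pointed at the new thumbprint and the array members reconnect, so there is something to fall back to.
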
kblumen (Author) commented:
These are internal self-signed certificates. I believe it is just to allow for secure communications between array members and the configuration storage server. Could it be that the CA was shut down after issuing the certificate? Can it be simply reinstalled? Why would they have shut down the CA? Is that common?
kblumen (Author) commented:
So does a CA need to be installed on the server with the IIS dummy site?
kblumen (Author) commented:
I don't think it needs to be on the same server correct?  I am left with the one question regarding reinstalling the CA and why they shut it down?
kblumen (Author) commented:
Any ideas?
Paranormastic (Cryptographic Engineer) commented:
So if these are self-signed certs then they weren't issued by a CA. The previous admin probably used selfssl.exe or some other tool to create the self-signed certificate. That would be the easiest way to go. If you don't have a CA already then it probably isn't worth setting one up just for 2 servers.

Instead of using self-signed certs, you could consider getting a free cert from startcom.org - their root cert is in the MS cert program since this past fall.  If you choose to do this then you would do the dummy site method from within IIS that it sounds like you are familiar with.
pwindell commented:
Why do you believe this has anything to do with Certs at all?

The last 2006 Array I set up had no Certs at all anywhere. The communication between the Members and the CSS was controlled entirely by the System Policies... if you break the System Policies, you break the communication.
Keith Alabaster (Enterprise Architect) commented:
What results did you get from the ISA 2006 best practice analyser?
kblumen (Author) commented:
Ah, let me try to run that... There is no harm in running that in production?
kblumen (Author) commented:
pwindell: The date the certificate expired, I got this error.
kblumen (Author) commented:
I would like to create a certificate the exact way the guy before me did. How can I do that?
kblumen (Author) commented:
The Root Certificate seems to be fine... it is the certificate beneath it (that lives in the Personal store) that needs to be renewed - granted it has already expired.
Paranormastic (Cryptographic Engineer) commented:
That doesn't sound like a self-signed cert then... sounds like a CA-issued cert.

Open up the expired cert and look on the Details tab then look for the Certificate Template field and you will see what template was used to issue the cert (assuming that it was issued from a template here...).  If this field does not exist then you only have two options for certs - a basic user and basic machine cert, you'd want the machine one.

Also check the 'Subject Alternative Name' field (if present) - that will list any additional names that the cert would be valid for.

You would create the CSR file from the dummy site as it sounds you are familiar with, or since it's expired anyway you could go through the prod site and renew it from there (normally I prefer to generate a new keyset each time when creating a new request). You can then open http://CAservername/certsrv and then take the 1st option then 2nd option to submit to the CA.

If you need to find the CA then on a win03 or newer server, or vista or newer client - open certsrv.msc - an error box will pop up since the CA isn't on that box - then retarget the console and browse - in that window it will list the FQDN of the CAservername and also the CAName of the CA instance on it.  Hopefully with that knowledge you can track it down from there - if not then talk to your network team.

If it wasn't listed in the certsrv box, then you could also look at the expired cert on the Details tab - Authority Information Access (AIA). The AIA will have one or more URLs listed to point to where the issuing CA's certificate is hosted. Look at the filename of the certificate, not the rest of the URL (it could be hosted anywhere, although it could be hosted on the CA itself) - the default for the filename is ServerShortname_CAName.crt. You can get the hostname of the CA box from that as well, assuming it was not changed from default.
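
An added PowerShell example, not code from the thread, that pulls the fields Paranormastic's comment above tells you to read (issuer, whether subject equals issuer, Subject Alternative Name, Authority Information Access, Certificate Template) out of every expired certificate in the machine's Personal store, then checks whether the CA named in the AIA still answers. PowerShell 1.0 installs on Windows Server 2003. The CA config string "CSS01\ISA-CA" is an assumption; replace it with the server short name and CA name recovered from the AIA filename ServerShortname_CAName.crt.

```powershell
# Added example, not from the thread. The CA config string at the end is an assumption.
function Get-ExpiredMachineCerts {
    # Everything in LocalMachine\My (the "Personal" store) whose validity has ended.
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.NotAfter -lt $now }
}

function Show-CertClues {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $c)
    "Subject    : " + $c.Subject
    "Issuer     : " + $c.Issuer
    "NotAfter   : " + $c.NotAfter
    # Subject == Issuer is the tell for a self-signed cert; a CA-issued cert names the CA here.
    "Self-signed: " + ($c.Subject -eq $c.Issuer)
    foreach ($ext in $c.Extensions) {
        $text = $ext.Format($false)
        switch ($ext.Oid.Value) {
            "2.5.29.17"            { "SAN        : $text" }   # Subject Alternative Name
            "1.3.6.1.5.5.7.1.1"    { "AIA        : $text" }   # Authority Information Access (CA cert URL)
            "1.3.6.1.4.1.311.20.2" { "Template   : $text" }   # Certificate Template Name (v1)
            "1.3.6.1.4.1.311.21.7" { "Template   : $text" }   # Certificate Template Information (v2)
        }
    }
    "Thumbprint : " + $c.Thumbprint
    ""
}

Get-ExpiredMachineCerts | ForEach-Object { Show-CertClues $_ }

# The same fields, plus the raw AIA URLs, as a full certutil dump of one certificate:
#   certutil -v -store My "<thumbprint from above>"

# Does the issuing CA still exist and answer? server\CAName comes from the AIA filename.
$caConfig = "CSS01\ISA-CA"   # assumed
certutil -config $caConfig -ping
certutil -config $caConfig -cainfo
```

If the -ping fails and no Certificate Services instance can be found, the cert tree under the root is a dead end and the thread's fallback (a new self-signed cert or a commercial one) applies; if it answers, the config string is what the renewal submission needs.
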
kblumen (Author) commented:
Microsoft Windows has a CA that can issue certificates.
Paranormastic when you said "So if these are self-signed certs then they weren't issued by a CA" did you actually mean "So if these are self-signed certs then they weren't issued by a trusted CA"?
Paranormastic (Cryptographic Engineer) commented:
Semantics. At that time it was sounding like they were self-signed certs instead of a CA-issued cert (trusted or not) (based on comment 30617058). After that comment, the picture changed and I updated accordingly. Self-signed are issued/signed by themselves (hence the name), instead of by a CA.
kblumen (Author) commented:
These are the steps I took to solve this issue (attached)
Create-and-Deploy-certificates-t.pdf
kblumen (Author) commented:
I would like to award the points to Paranormastic as he led me down the path to the solution I have posted.
kblumen (Author) commented:
I would like the question to be placed in the knowledge base as the answer I have provided is very complete.  I would like my answer to be noted as correct but to award the points to Paranormastic.