Tercestisi asked:

GoDaddy Wildcard Cert - OWA no longer works

I purchased a GoDaddy wildcard cert for our OWA and ActiveSync needs.

I used the Certificate mmc snap-in to generate a request for a wildcard cert for *.domain.com and copy/pasted the certificate request into the purchase wildcard cert from GoDaddy.

They issued me a .crt file and an intermediary file, for which I followed their instructions for importing.

During the import via IIS, it wanted a .cer file and not a .crt file; I filtered *.* and tried to import the .crt file but received:

Complete Certificate Request

There was an error while performing this operation.

Details:

CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)

This seems to be a common issue with GoDaddy certs, and a work-around was given at:
http://blogs.msdn.com/webtopics/archive/2009/01/03/asn1-bad-tag-value-met-error-when-processing-a-certificate-request-in-iis-7.aspx

I did option (2) and the command completed successfully, and I bound port 443 to all interfaces and IP addresses; now when I visit https://mail.domain.com it simply says page not found.

Any ideas on where to progress, where I may have gone wrong, etc.?

Tercestisi (ASKER)

To add, I am on IIS 7 64-bit, which seems to be part of the culprit of the problem with GoDaddy certs.

From what I read it sounds like you missed a step. After you created the crt file with GoDaddy you need to go back to the Certificate snap-in and complete the certificate creation process. You will then be able to export the certificate as a cer or pfx file.

The intermediary trusted root certificate needs to be added to your certificate server so the certificate you just created will be trusted.

I did import the .p7b file in the intermediary trusted root certificates, if that's what you mean.

ASKER CERTIFIED SOLUTION
Tercestisi
This solution is only available to members.
Tercestisi, you misunderstood my comment about the p7b cert. I did NOT say the p7b was the reason it did not work. I only mentioned it as a side note, because I know with GoDaddy certs you have to import it before your cert will be trusted. What I actually said was:

"After you created the crt file with GoDaddy you need to go back to the Certificate snap-in and complete the certificate creation process. You will then be able to export the certificate as a cer or pfx file."

You essentially did what I suggested, but you completed the process by using the Exchange Management Console.

In the future I would suggest using IIS to create your certs. I think the certificate creation process is easier in IIS. The only drawback with IIS is you can't create subject alternative certs using IIS. You have to use the Exchange Management Shell for that.

oz,

I understood your comment, but importing the p7b cert, which I did from the get-go, did not result in a successful certificate assignment.

Also, requesting from IIS (which I originally did), did not work either.

Following exactly as I outlined was the only way I got it to work.

The only problem I am running into now, is that the cert is valid only for IIS and SMTP, but not for IMAP and POP; any help here would be appreciated.

I get the error:

Summary: 1 item(s). 1 succeeded, 0 failed.
Elapsed time: 00:00:05


SELC-EX
Completed

Warning:
This certificate with thumbprint XXX and subject '*.domain.com' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.

Warning:
This certificate with thumbprint XXX and subject '*.domain.com' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

Exchange Management Shell command completed:
Enable-ExchangeCertificate -Server 'SELC-EX' -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'XXX'

Elapsed Time: 00:00:04

SOLUTION
This solution is only available to members.
Oops, sorry; same goes for IMAP.

Thanks oz; that will work well.

I will mark my comment with the instructions as the answer, and award all points to your answer regarding assigning the cert to the POP and IMAP services.
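
The two warnings quoted above name the fix themselves (set X509CertificateName to the service FQDN). The following is an added example, not taken from the thread or from the members-only solutions, showing that change and a check of what the POP3S/IMAPS ports then serve. It assumes the server name SELC-EX from the thread, `mail.domain.com` as the FQDN clients connect to, and that it is run in the Exchange Management Shell on that server; `Get-ServedCertificate` is a hypothetical helper.

```powershell
# Added example. Assumptions: SELC-EX is the server (from the thread) and
# mail.domain.com is the FQDN mail clients use (placeholder domain).
$server = 'SELC-EX'
$fqdn   = 'mail.domain.com'

# Give POP3 and IMAP4 an explicit FQDN, as the warnings request, so the
# wildcard subject '*.domain.com' is no longer the name being looked up.
Set-POPSettings  -Server $server -X509CertificateName $fqdn
Set-IMAPSettings -Server $server -X509CertificateName $fqdn

# Restart both services so they pick up the new setting.
Restart-Service MSExchangePOP3
Restart-Service MSExchangeIMAP4

# Confirm the stored setting.
Get-POPSettings  -Server $server | Format-List X509CertificateName
Get-IMAPSettings -Server $server | Format-List X509CertificateName

# Hypothetical helper: connect to an implicit-TLS port and report the
# certificate actually presented by the service.
function Get-ServedCertificate([string]$HostName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Throws if the chain is untrusted (e.g. missing intermediate)
        # or the certificate does not match $HostName.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Port       = $Port
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    } finally {
        $client.Close()
    }
}

# 995 = POP3 over SSL, 993 = IMAP4 over SSL.
995, 993 | ForEach-Object { Get-ServedCertificate $fqdn $_ }
```

The thumbprint reported for each port should match the one passed to `Enable-ExchangeCertificate`; an exception from `AuthenticateAsClient` points to a trust-chain or name-matching problem rather than a service binding problem.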