GoDaddy Wildcard Cert - OWA no longer works

I purchased a GoDaddy wildcard cert for our OWA and ActiveSync needs.

I used the Certificate mmc snap-in to generate a request for a wildcard cert for *.domain.com and copy/pasted the certificate request into the purchase wildcard cert from GoDaddy.

They issued me a .crt file and an intermediary file, for which I followed their instructions for importing.

During the import via IIS, it wanted a .cer file and not a .crt file; I filtered *.* and tried to import the .crt file but received:

Complete Certificate Request

There was an error while performing this operation.

Details:

CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN: 267)

This seems to be a common issue with GoDaddy certs, and a work-around was given at:
http://blogs.msdn.com/webtopics/archive/2009/01/03/asn1-bad-tag-value-met-error-when-processing-a-certificate-request-in-iis-7.aspx

I did option (2) and the command completed successfully, and I bound port 443 to all interfaces and IP addresses; now when I visit https://mail.domain.com it simply says page not found.

Any ideas on where to progress, where I may have gone wrong, etc.
TercestisiAsked:

TercestisiAuthor Commented:
To add, I am on IIS 7 64-bit, which seems to be part of the culprit of the problem with GoDaddy certs.
0
oztrodamusCommented:
From what I read it sounds like you missed a step. After you created the crt file with GoDaddy you need to go back to the Certificate snap-in and complete the certificate creation process. You will then be able to export the certificate as a cer or pfx file.

The intermediary trusted root certificate needs to be added to your certificate server so the certificate you just created will be trusted.
0
TercestisiAuthor Commented:
I did import the .p7b file in the intermediary trusted root certificates, if that's what you mean.
0

TercestisiAuthor Commented:
I finally got it to work... every instruction I could find was slightly incorrect.

Here is what I did:

1) Go to EMC and to Server Configuration -> Actions -> New Exchange Certificate
2) Give friendly name (something that differentiates it), enable wild-card (this is what I'm using so ymmv), and fill out org. info and export to cvr.txt.
3) Sign-up at GoDaddy for wildcard cert (yes, these are instructions for GoDaddy specifically, ymmv) and key in cvr that you created by copy/paste cvr.txt.
4) Download .zip file for IIS7 (this is for Windows 2008 x64 with Exchange 2010 RTM), and save/move to Exchange server.

This is where all the other instructions did not work... it DID NOT work for me (in the end) to go to the Certificate mmc-snap-in and import the intermediary .p7b certificate.

Instead, I went back to EMC and selected Server Configuration, highlighted the friendly name of the cert request I initiated and selected "Complete Pending Requests" from which I selected the .crt file given by GoDaddy.

After this, I highlighted the same friendly name and selected Assign Services to Certificate and assigned it to the local Exchange server and voila... it worked.
0
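For reference, here is the same request / complete-pending-request / assign-services sequence done from the Exchange Management Shell on Exchange 2010, as an added example that is not part of the thread. The domain name, organisation fields, file paths and friendly name are placeholders (assumptions) to be replaced with your own; the cmdlets and parameters are the standard Exchange 2010 ones.

```powershell
# Added example (not from the thread): Exchange Management Shell equivalent of the
# EMC steps above on Exchange 2010. *.domain.com, the org fields, the friendly name
# and both paths are ASSUMED placeholders - replace them with your own values.

$reqPath = 'C:\certreq\cvr.txt'                # request text to paste into the GoDaddy order
$crtPath = 'C:\certreq\wildcard.domain.com.crt' # the .crt from GoDaddy's IIS7 zip (assumed name)

# Steps 1-2: generate the wildcard request on the server that will hold the key.
# PrivateKeyExportable allows a later .pfx export for a second CAS or a backup.
$csr = New-ExchangeCertificate -GenerateRequest `
    -FriendlyName 'GoDaddy wildcard *.domain.com' `
    -SubjectName 'C=US, O=Example Org, CN=*.domain.com' `
    -DomainName '*.domain.com' `
    -PrivateKeyExportable $true
Set-Content -Path $reqPath -Value $csr

# Steps 3-4 happen at GoDaddy: paste the request, download the IIS7 zip and
# copy the issued .crt to this server.

# "Complete Pending Requests": pair the issued certificate with the pending key.
# -FileData wants the raw bytes of the file, hence the byte-array read.
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path $crtPath -Encoding Byte -ReadCount 0))

# Check before assigning services: if the import landed on a machine (or account)
# other than the one that generated the request, there is no private key and
# IIS will have nothing to serve on 443.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; complete the request on the server that generated it."
}

# "Assign Services to Certificate": IIS (OWA/ActiveSync) and SMTP only here;
# POP and IMAP need the FQDN setting first, because a wildcard subject is not an FQDN.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# Verify: Services should include IIS and SMTP and Status should be Valid.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, Thumbprint, Services, Status, NotAfter, CertificateDomains
```

Run this in the Exchange Management Shell, not a plain PowerShell window; the intermediate certificate from GoDaddy still goes into the Intermediate Certification Authorities store as in the thread, otherwise clients see an untrusted chain even though the import above succeeds.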
oztrodamusCommented:
Tercestisi you misunderstood my comment about the p7b cert. I did NOT say the p7b was the reason it did not work. I only mentioned it as a side note, because I know with GoDaddy certs you have to import it before your cert will be trusted. What I actually said was

"After you created the crt file with GoDaddy you need to go back to the Certificate snap-in and complete the certificate creation process. You will then be able to export the certificate as a cer or pfx file."

You essentially did what I suggested, but you completed the process by using the Exchange Management Console.

In the future I would suggest using IIS to create your certs. I think the certificate creation process is easier in IIS. The only drawback with IIS is you can't create subject alternative certs using IIS. You have to use the Exchange Management Shell for that.
0
TercestisiAuthor Commented:
oz,

I understood your comment, but importing the p7b cert, which I did from the get-go, did not result in a successful certificate assignment.

Also, requesting from IIS (which I originally did), did not work either.

Following exactly as I outlined was the only way I got it to work.

The only problem I am running into now, is that the cert is valid only for IIS and SMTP, but not for IMAP and POP; any help here would be appreciated.

I get the error:

Summary: 1 item(s). 1 succeeded, 0 failed.
Elapsed time: 00:00:05


SELC-EX
Completed

Warning:
This certificate with thumbprint XXX and subject '*.domain.com' cannot used for POP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-POPSettings to set X509CertificateName to the FQDN of the service.

Warning:
This certificate with thumbprint XXX and subject '*.domain.com' cannot used for IMAP SSL/TLS connections because the subject is not a Fully Qualified Domain Name (FQDN). Use command Set-IMAPSettings to set X509CertificateName to the FQDN of the service.

Exchange Management Shell command completed:
Enable-ExchangeCertificate -Server 'SELC-EX' -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'XXX'

Elapsed Time: 00:00:04

0
oztrodamusCommented:
My guess is using the Exchange Management Shell you'll need to type something similar to

Set-POPSettings -X509CertificateName <FQDN>
Set-IMAPSettings -X509CertificateName <FQDN>

<FQDN> being whatever name you use to resolve the pop server externally, such as pop.domain.com.
0
oztrodamusCommented:
oops sorry same goes for IMAP.
0
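Putting the two replies above together, here is a complete Exchange Management Shell sequence for clearing the POP/IMAP warning with a wildcard certificate, as an added example that is not part of the thread. The thumbprint and the hostnames are placeholders (assumptions); the name-coverage check before calling Set-POPSettings / Set-IMAPSettings is my addition, since the FQDN you advertise has to match the certificate or clients get a name-mismatch error instead of the "not an FQDN" warning.

```powershell
# Added example (not from the thread): clear the POP/IMAP "subject is not a Fully
# Qualified Domain Name" warning for a wildcard certificate on Exchange 2010.
# The thumbprint and hostnames below are ASSUMED placeholders.

$thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'   # from Get-ExchangeCertificate
$popFqdn    = 'mail.domain.com'                # name POP clients connect to
$imapFqdn   = 'mail.domain.com'                # name IMAP clients connect to

$cert = Get-ExchangeCertificate -Thumbprint $thumbprint

# Guard: a wildcard covers exactly one label (mail.domain.com, not a.b.domain.com),
# so check that each advertised FQDN is really covered before committing it.
foreach ($name in @($popFqdn, $imapFqdn)) {
    $covered = $cert.CertificateDomains | Where-Object {
        ($_ -eq $name) -or
        ($_.StartsWith('*.') -and ($name -like $_) -and
         ($name.Split('.').Count -eq $_.Split('.').Count))
    }
    if (-not $covered) {
        throw "$name is not covered by certificate '$($cert.Subject)'"
    }
}

# Tell the POP3 and IMAP4 services which name to present: one FQDN each, never
# the wildcard subject itself.
Set-POPSettings  -X509CertificateName $popFqdn
Set-IMAPSettings -X509CertificateName $imapFqdn

# The assignment that produced the warning now completes cleanly.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services 'POP,IMAP'

# POP3/IMAP4 read their settings at start-up, so restart them.
Restart-Service MSExchangePOP3, MSExchangeIMAP4

# Verify the result.
Get-POPSettings  | Format-List X509CertificateName, SSLBindings
Get-IMAPSettings | Format-List X509CertificateName, SSLBindings
```

The X509CertificateName value is also what Exchange uses to pick the certificate for POP/IMAP, so keep it identical to the hostname published in DNS and in client settings; a mismatch there is the usual reason a cert that works for OWA still fails for POP or IMAP clients.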
TercestisiAuthor Commented:
Thanks oz; that will work well.

I will mark my comment with the instructions as the answer, and award all points to your answer regarding assigning the cert to the POP and IMAP services.
0