Solved

SSL Certificate problems on SBS 2008

Posted on 2010-08-19
Last Modified: 2012-05-10
OK, people who are smarter than me, here's an SSL certificate problem I need help with.

Client was on SBS 2003.  I exported the GoDaddy-issued SSL certificate from the Certificates MMC, then rebuilt the SBS server to SBS 2008.  I rebuilt the server, but used the same server name: MAMAIN

I tried running the import wizard on the SBS Console and pointed the wizard to the exported file.

OWA & RWW worked but the cert didn't (had to click through the "click here to continue - not recommended" link to get to them).

I deleted the certificates out of the certificate store that referred to my cert "mail.domain.com" using the Certificates snap-in in the MMC (right click - delete).

I've done a generate request in Exchange Management Shell, rekeyed with GoDaddy, downloaded the certs.  Imported both files that GoDaddy has you import into the "Intermediate certificate authorities" using the Certificates MMC.

Gone into Exchange Management Shell to enable the certificates, but EMS doesn't see the cert.

I've done so many things I'm going nuts.


I would like to start over, but I think I've monkeyed everything up and have unused/unneeded certificates all over the place.

HERE'S MY QUESTION:

What steps should I do to first clean up the certs, then get my certificate reissued?

Thanks guys and gals
Question by:RJ_Emmett
7 Comments
 
LVL 10

Expert Comment

by:Casey Herman
Did you bind the new SSL certificate in IIS7?

Hope this helps.
 
LVL 11

Expert Comment

by:MichaelVH
You imported the certificate directly through the mmc?

When using Exchange 2007 you need to use the import-certificate cmdlet to import the certificate in order for Exchange to see it.

After you imported the certificate, Exchange will be able to see it (and so you can enable it).

Michael
 
LVL 74

Accepted Solution

by:
Glen Knight earned 500 total points
When using SBS you MUST always use the wizard in the SBS Console; don't do it through the Exchange Console or the Certificates snap-in.

My advice would be to remove any you have imported and then start the wizard again. If it's GoDaddy, then create a new request and select the option "I require more time", then re-key your certificate and then complete the wizard.

See here for more details on the trusted certificate wizard in SBS 2008: http://blogs.technet.com/b/sbs/archive/2008/09/20/introducing-the-add-a-trusted-certificate-wizard-in-sbs-2008.aspx
 
LVL 3

Expert Comment

by:sparky2156
Don't know if this is the same problem, but sounds similar. I have had a similar problem with certificates but in the EMC in Exchange 2010.

Initial problem was that I would create a request through EMC, then go through the process of importing it through EMS, but it wouldn't show up in EMC to complete the operation.

Technical problem was that the private key got lost when importing the certificate. The following articles may be of help, and are certainly worth a check.

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_25193573.html

https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1188

Hope this helps.
0
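The symptoms in this thread (a rekeyed certificate imported into the Intermediate store, or imported without its private key, so Exchange cannot enable it) can be checked from PowerShell before cleaning anything up. This is an added example, not part of the original posts; the function name Get-CertInventory is hypothetical, and mail.domain.com is the placeholder host name used in the thread.

```powershell
# Added example (read-only): lists every certificate whose subject names the
# given host across the LocalMachine stores touched in this thread, and flags
# the ones IIS/Exchange cannot use. Nothing is deleted or changed.
# Assumption: $HostName defaults to the thread's placeholder; use your own name.
function Get-CertInventory {
    param(
        [string]$HostName = 'mail.domain.com',
        [string[]]$Stores = @('My', 'CA', 'Root')
    )
    foreach ($store in $Stores) {
        Get-ChildItem -Path "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like "*CN=$HostName*" } |
            ForEach-Object {
                $problems = @()
                # A server certificate belongs in Personal (My); a copy in the
                # Intermediate (CA) or Root store is a stray import.
                if ($store -ne 'My') {
                    $problems += "server cert in '$store' store"
                }
                # Without the private key from the original request, the
                # certificate cannot be bound to any service.
                if (-not $_.HasPrivateKey) {
                    $problems += 'no private key'
                }
                if ($_.NotAfter -lt (Get-Date)) {
                    $problems += 'expired'
                }
                # Issuer is printed so an internal-CA certificate can be told
                # apart from the one issued by the public CA.
                $_ | Select-Object `
                    @{ Name = 'Store';    Expression = { $store } },
                    Thumbprint, Subject, Issuer, NotAfter, HasPrivateKey,
                    @{ Name = 'Problems'; Expression = { $problems -join '; ' } }
            }
    }
}

# Usage: review the list first; clean-up decisions stay manual.
Get-CertInventory | Format-List
```

An entry in the My store with HasPrivateKey = True and the public CA as issuer is the one the services should be using; anything listed with a non-empty Problems field is a candidate for the clean-up the question asks about.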
 

Author Comment

by:RJ_Emmett
Casedog - no I didn't.  I was following the instructions GoDaddy had and I didn't see any reference to installing using IIS7.

MichaelVH - I downloaded the newly rekeyed cert.  Then, using the GoDaddy instructions, imported the certs into the intermediate certification authority.  The download had a p7b file and a crt file; both said they were imported successfully.

Then, again following GoDaddy's instructions, I went into the Exchange Management Shell (EMS) and tried to enable it, but couldn't find it.

Right now when I run get-exchangecertificate |fl it shows three certs; all the issuers are CN=companyname-MAMAIN-CA

These "feel" like they're self-signed, because I was expecting to see at least one issuer = GoDaddy.

The cert that has the smtp, iis, imap, pop services enabled says its status is "invalid".

When I try to enable either one of the other two certs I get an error message that says:

Enable-ExchangeCertificate : An unexpected error occurred while the forms-based
 authentication settings for path /LM/W3SVC/1 were being modified. The error re
turned was 5506.
At line:1 char:27
+ enable-exchangecertificate  <<<< -thumbprint AF395F0CCA0BA9C50429AB12FD6BD7D0
BE34468C -services "smtp, pop, imap, iis"
 

Author Comment

by:RJ_Emmett
DMAZTER,

I followed the instructions you gave and used the wizard.  Now the GoDaddy cert shows up and I have secure access to the https://mail.domain.com/remote with no issues, but the https://mail.domain.com/owa blank screens out on me.  Subsequently, when I use RWW I can remote into a desktop with no problems.  However, when I click on "check email" it allows me in, but all items that would have some sort of icon have a red X on them.

It sounded like port 443 may not be open on the firewall/server, but I was able to telnet into it.

Any other ideas?
 

Author Closing Comment

by:RJ_Emmett
This did the trick.