Solved

CAS Server:  Generating a CSR

Posted on 2010-09-16
Last Modified: 2012-08-13
We are trying to go live with the CAS Server… it requires that we register a certificate with Verisign.  In order to do that we are required to generate a CSR file using the Microsoft Exchange 2007 Powershell command line.  The command we are using is as follows:

New-ExchangeCertificate -GenerateRequest -Path c:\mail_zook_com.csr -KeySize 2048 -SubjectName "c=US, s=New York, l=New York, o=Zook Inc., ou=Information Services, cn=mail.zook.com" -DomainName autodiscover.zook.com, webmail.zook.com -PrivateKeyExportable $True

Now the problem is that the legal name of our organization is Zook, Inc. which contains a comma.  Note:  You MUST use the exact legal name with Verisign.  So as you can see from the code above we can’t insert the comma between Zook and Inc because Exchange Powershell uses a comma as the delimiter between fields.  The result is that Verisign is unable to accept the certificate since the comma is missing.  
Question by:SCJOHN2
27 Comments
 
LVL 32

Expert Comment

by:endital1097
use a variable for the subject name
$subjectName = "c=US, s=New York, l=New York, o=Zook, Inc., ou=Information Services, cn=mail.zook.com"
then replace your string with the variable name
 
LVL 74

Expert Comment

by:Glen Knight
I have found a great free utility that manages Exchange 2007 certificates and CSR requests, check out my blog post here: http://demazter.wordpress.com/2010/06/15/exchange-2007-ssl-certificates/
 

Author Comment

by:SCJOHN2
endital1097,
Where does the defined variable go?  Before -GenerateRequest?
 
LVL 32

Expert Comment

by:endital1097
after -SubjectName
 
LVL 74

Expert Comment

by:Glen Knight
Did you check out the utility in my blog? It takes all the hassle out of managing Exchange 2007 Certificates.
 

Author Comment

by:SCJOHN2
endital1097,
Can you give me the full code?  I must be doing something wrong...
 
LVL 74

Expert Comment

by:Glen Knight
Scjohn2, are you deliberately ignoring my posts?
 

Author Comment

by:SCJOHN2
demazter,
I've used the digicert tool as well as another tool for generating the Exchange code... I highly doubt your tool is going to make a difference.  The issue is with the delimiter that powershell uses, so it doesn't matter what tool I use to generate it.  Powershell can't accept the comma within the company name.
 
LVL 32

Expert Comment

by:endital1097
$subjectName = "c=US, s=New York, l=New York, o=Zook, Inc., ou=Information Services, cn=mail.zook.com"

New-ExchangeCertificate -GenerateRequest -Path c:\mail_zook_com.csr -KeySize 2048 -SubjectName $subjectName -DomainName autodiscover.zook.com, webmail.zook.com -PrivateKeyExportable $True
 
LVL 74

Expert Comment

by:Glen Knight
Is it not worth a try? This tool does all the management for you and installs it.

What is the , there for? Seems a bit odd that they will not accept it without the ,

Do you have to use verisign? Perhaps another provider has different rules?
 

Author Comment

by:SCJOHN2
endital1097,

Same issue...

X500DistinguishedName". Error: "The string contains an invalid X500 name attribute key, oid, value or delimiter."
 
LVL 74

Expert Comment

by:Glen Knight
Have you tried adding the name as "Zook, Inc."?
I just used this format using the tool I posted a link to and it seemed to work.

So from your initial post use this:

New-ExchangeCertificate -GenerateRequest -Path c:\mail_zook_com.csr -KeySize 2048 -SubjectName "c=US, s=New York, l=New York, o="Zook, Inc.", ou=Information Services, cn=mail.zook.com" -DomainName autodiscover.zook.com, webmail.zook.com -PrivateKeyExportable $True
 
LVL 74

Expert Comment

by:Glen Knight
or just remove the comma or spell it out.
Verisign's own help section explains this:
- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation
Extract from: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR225&actp=LIST&viewlocale=en_US
 
LVL 74

Expert Comment

by:Glen Knight
 
LVL 74

Expert Comment

by:Glen Knight
bug should read big in my previous post.
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 250 total points
You could generate the cert request with IIS Manager and complete it there too
 
LVL 74

Expert Comment

by:Glen Knight
You would still have the same problem with the ,
I just tried it
 

Author Comment

by:SCJOHN2
demazter,
I did try putting the quotes around the company name within the powershell command, no dice.

Also, regarding spelling the symbol out... are you saying I should put the word "comma" where the , goes?
 
LVL 74

Expert Comment

by:Glen Knight
OK, the quotes worked in the utility on my blog.

Yes, the websites seem to suggest that if you have a symbol in your name it should be spelt out or removed.  So if you have a , it should be Zook comma Inc. or just Zook Inc.

They all seem to say this universally, so I would be surprised if they wouldn't just accept "Zook Inc".
 

Author Comment

by:SCJOHN2
Verisign won't accept it without the comma and we have to use Verisign since we paid for the cert points already.  I guess I have no choice but to try and use the utility in your blog.  Is it free?
 
LVL 32

Expert Comment

by:endital1097
Did you try using IIS manager?
 
LVL 74

Expert Comment

by:Glen Knight
Yes it is free, but Verisign's own support pages say to either remove the comma or spell it out.
 
LVL 74

Expert Comment

by:Glen Knight
Have you spoken to someone at Verisign technical support?

Even if you put the quotes around the name, it will appear as "Zook, Inc.", which will then present you with the same issue.
 

Author Comment

by:SCJOHN2
endital1097,
I haven't tried IIS yet I will try that next but I think demazter tried it and it failed.

demazter,
I downloaded your tool but I don't see any option for "Subject Alternative Names" which is the type of CERT I need (SAN Cert)...
 
LVL 74

Assisted Solution

by:Glen Knight
Glen Knight earned 250 total points
The SAN names are on the screen where you enter the internal and external names.

But as I already said, you will have the same problem because it will have " around the name.

Have you spoken to verisign?
 

Accepted Solution

by:SCJOHN2
SCJOHN2 earned 0 total points
We found the solution....  http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=20

It requires double quotes around the company name... it's working now.

Thanks for the effort.
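The accepted answer says double quotes around the organization value are what makes the subject parse, but it does not show how to get those quotes past PowerShell's own string parsing. The following is an added example, not code from the thread or from the linked blog post. It assumes the subject values from the original question and uses the .NET X500DistinguishedName class, which is the parameter type behind -SubjectName and the source of the "invalid X500 name attribute key, oid, value or delimiter" error quoted above, to check a candidate subject string before New-ExchangeCertificate is run with it.

```powershell
# Added example (not from the thread): validate an X.500 subject string with the
# same .NET parser Exchange uses for -SubjectName, so a delimiter problem is caught
# before any key pair or CSR is generated. Values are the thread's own sample data.

function Test-SubjectName {
    param([Parameter(Mandatory = $true)][string]$Subject)

    try {
        # Throws CryptographicException when a comma is read as a field delimiter
        # and the leftover text ("Inc.") is not a key=value attribute.
        $dn = New-Object System.Security.Cryptography.X509Certificates.X500DistinguishedName($Subject)
        New-Object PSObject -Property @{
            Input  = $Subject
            Valid  = $true
            Parsed = $dn.Decode([System.Security.Cryptography.X509Certificates.X500DistinguishedNameFlags]::UseNewLines)
        }
    } catch {
        New-Object PSObject -Property @{
            Input  = $Subject
            Valid  = $false
            Parsed = $_.Exception.GetBaseException().Message
        }
    }
}

# 1. As posted in the question: the comma inside o= splits the value, so parsing fails.
$bad = "c=US, s=New York, l=New York, o=Zook, Inc., ou=Information Services, cn=mail.zook.com"

# 2. The value quoted per the X.500 string rules. The outer PowerShell string is
#    single-quoted so the inner double quotes reach the parser untouched.
$quoted = 'c=US, s=New York, l=New York, o="Zook, Inc.", ou=Information Services, cn=mail.zook.com'

# 3. The same subject inside a double-quoted PowerShell string: the inner quotes
#    must be escaped with a backtick (doubling them, o=""Zook, Inc."", also works).
$escaped = "c=US, s=New York, l=New York, o=`"Zook, Inc.`", ou=Information Services, cn=mail.zook.com"

$bad, $quoted, $escaped | ForEach-Object { Test-SubjectName -Subject $_ } | Format-List Input, Valid, Parsed

# Once Valid is True for the chosen string, hand it to the cmdlet unchanged
# (Exchange Management Shell only; hypothetical call, shown commented out):
# New-ExchangeCertificate -GenerateRequest -Path c:\mail_zook_com.csr -KeySize 2048 `
#     -SubjectName $quoted -DomainName autodiscover.zook.com, webmail.zook.com -PrivateKeyExportable $True
```

The first string reproduces the error from the thread; the other two decode to the same multi-line subject with O=Zook, Inc. as one attribute. Checking the string this way keeps the failure on the admin's console rather than surfacing it only after the CSR has been submitted to the CA.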
 

Author Comment

by:SCJOHN2
Thanks
