  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 767

CAS Server: Generating a CSR

We are trying to go live with the CAS Server… it requires that we register a certificate with Verisign.  In order to do that we are required to generate a CSR file using the Microsoft Exchange 2007 Powershell command line.  The command we are using is as follows:

New-ExchangeCertificate -GenerateRequest -Path c:\mail_zook_com.csr -KeySize 2048 -SubjectName "c=US, s=New York, l=New York, o=Zook Inc., ou=Information Services, cn=mail.zook.com" -DomainName autodiscover.zook.com, webmail.zook.com -PrivateKeyExportable $True

Now the problem is that the legal name of our organization is Zook, Inc. which contains a comma.  Note:  You MUST use the exact legal name with Verisign.  So as you can see from the code above we can’t insert the comma between Zook and Inc because Exchange Powershell uses a comma as the delimiter between fields.  The result is that Verisign is unable to accept the certificate since the comma is missing.  
Asked: SCJOHN2
3 Solutions
 
endital1097Commented:
use a variable for the subject name
$subjectName = "c=US, s=New York, l=New York, o=Zook, Inc., ou=Information Services, cn=mail.zook.com"
then replace your string with the variable name
0
 
Glen KnightCommented:
I have found a great free utility that manages Exchange 2007 certificates and CSR requests, check out my blog post here: http://demazter.wordpress.com/2010/06/15/exchange-2007-ssl-certificates/
0
 
SCJOHN2Author Commented:
endital1097,
Where does the defined variable go?  Before -GenerateRequest?
0
 
endital1097Commented:
after -SubjectName
0
 
Glen KnightCommented:
did you check out the utility in my blog? it takes all the hassle out of managing Exchange 2007 Certificates.
0
 
SCJOHN2Author Commented:
endital1097,
Can you give me the full code?  I must be doing something wrong...
0
 
Glen KnightCommented:
Scjohn2, are you deliberately ignoring my posts?
0
 
SCJOHN2Author Commented:
demazter,
I've used the digicert tool as well as another tool for generating the Exchange code... I highly doubt your tool is going to make a difference.  The issue is with the delimiter that powershell uses so it doesn't matter what tool I use to generate it.  Powershell can't accept the comma within the company name.

0
 
endital1097Commented:
$subjectName = "c=US, s=New York, l=New York, o=Zook, Inc., ou=Information Services, cn=mail.zook.com"

New-ExchangeCertificate -GenerateRequest -Path c:\mail_zook_com.csr -KeySize 2048 -SubjectName $subjectName -DomainName autodiscover.zook.com, webmail.zook.com -PrivateKeyExportable $True
0
 
Glen KnightCommented:
Is it not worth a try? This tool does all the management for you and installs it.

What is the , there for? Seems a bit odd that they will not accept it without the ,

Do you have to use verisign? Perhaps another provider has different rules?
0
 
SCJOHN2Author Commented:
endital1097,

Same issue...

X500DistinguishedName". Error: "The string contains an invalid X500 name attribute key, oid, value or delimiter."
0
 
Glen KnightCommented:
Have you tried adding the name as "Zook, Inc."
I just used this format using the tool I posted a link to and it seemed to work.

So from your initial post use this:

New-ExchangeCertificate -GenerateRequest -Path c:\mail_zook_com.csr -KeySize 2048 -SubjectName "c=US, s=New York, l=New York, o="Zook, Inc.", ou=Information Services, cn=mail.zook.com" -DomainName autodiscover.zook.com, webmail.zook.com -PrivateKeyExportable $True
0
 
Glen KnightCommented:
or just remove the comma or spell it out.
Verisign's own help section explains this:
- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation
Extract from: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR225&actp=LIST&viewlocale=en_US
0
 
Glen KnightCommented:
bug should read big in my previous post.
0
 
endital1097Commented:
You could generate the cert request with IIS Manager and complete it there too
0
 
Glen KnightCommented:
You would still have the same problem with the ,
I just tried it
0
 
SCJOHN2Author Commented:
dematzer,
I did try putting the quotes around the company name within the powershell command, no dice.

Also, regarding the spelling the symbol out... are you saying I should put the word "comma" where the , goes?
0
 
Glen KnightCommented:
OK, the quotes worked in the utility on my blog.

Yes, the websites seem to suggest that if you have a symbol in your name it should be spelt out or removed.  So if you have a , it should be Zook comma Inc. or just Zook Inc.

They all seem to say this universally so I would be surprised if they wouldn't just accept "Zook Inc"
0
 
SCJOHN2Author Commented:
Verisign won't accept it without the comma and we have to use Verisign since we paid for the cert points already.  I guess I have no choice but to try and use the utility in your blog.  Is it free?
0
 
endital1097Commented:
did you try using IIS manager
0
 
Glen KnightCommented:
Yes it is free but Verisign's own support pages say to either remove the comma or spell it out.
0
 
Glen KnightCommented:
Have you spoken to someone at Verisign technical support?

Even if you put the quotes around the name will appear as "Zook, Inc." which will then present you with the same issue.
0
 
SCJOHN2Author Commented:
endital1097,
I haven't tried IIS yet I will try that next but I think demazter tried it and it failed.

demazter,
I downloaded your tool but I don't see any option for "Subject Alternative Names" which is the type of CERT I need (SAN Cert)...

0
 
Glen KnightCommented:
The SAN names are on the screen where you enter the internal and external names.

But as I already said, you will have the same problem because it will have " around the name.

Have you spoken to verisign?
0
 
SCJOHN2Author Commented:
We found the solution....  http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=20

It requires double quotes around the company name... it's working now.

Thanks for the effort.
0
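The accepted fix in this thread is to quote the organisation value inside the X.500 subject string. The following is an added example (not from the thread, the linked blog, or Microsoft) that shows the working form with the thread's own names, and adds a pre-flight check with the .NET X500DistinguishedName parser so a bad subject is caught before a key pair is generated; the path, key size and SAN names are the ones from the question.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the CAS.
# Single quotes on the outside so PowerShell passes the inner double quotes through
# untouched; the X.500 parser then treats "Zook, Inc." as one value and keeps the comma.
$subjectName = 'c=US, s=New York, l=New York, o="Zook, Inc.", ou=Information Services, cn=mail.zook.com'

# Pre-flight check using the same .NET type that -SubjectName is converted to.
# An unquoted comma inside a value fails here with the exact error quoted in the thread.
function Test-SubjectName {
    param([string]$Subject)
    try {
        $dn = New-Object System.Security.Cryptography.X509Certificates.X500DistinguishedName $Subject
        Write-Host "Parsed OK:`n$($dn.Format($true))"
        return $true
    } catch {
        Write-Warning "Rejected: $($_.Exception.Message)"
        return $false
    }
}

# The broken form from the question, kept here only to show the check rejecting it.
Test-SubjectName 'c=US, s=New York, l=New York, o=Zook, Inc., ou=Information Services, cn=mail.zook.com'

if (Test-SubjectName $subjectName) {
    New-ExchangeCertificate -GenerateRequest -Path c:\mail_zook_com.csr -KeySize 2048 `
        -SubjectName $subjectName `
        -DomainName autodiscover.zook.com, webmail.zook.com `
        -PrivateKeyExportable $true

    # Confirm what actually went into the request before submitting it to the CA.
    certutil -dump c:\mail_zook_com.csr | Select-String -Pattern 'O=', 'CN='
}
```

The certutil dump is worth reading before enrolment: if the Organization line does not show the full legal name with its comma, the CA will reject the request again.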
 
SCJOHN2Author Commented:
Thanks
0