Solved

CAS Server:  Generating a CSR

Posted on 2010-09-16
Last Modified: 2012-08-13
We are trying to go live with the CAS Server… it requires that we register a certificate with Verisign.  In order to do that we are required to generate a CSR file using the Microsoft Exchange 2007 Powershell command line.  The command we are using is as follows:

New-ExchangeCertificate -GenerateRequest -Path c:\mail_zook_com.csr -KeySize 2048 -SubjectName "c=US, s=New York, l=New York, o=Zook Inc., ou=Information Services, cn=mail.zook.com" -DomainName autodiscover.zook.com, webmail.zook.com -PrivateKeyExportable $True

Now the problem is that the legal name of our organization is Zook, Inc. which contains a comma.  Note:  You MUST use the exact legal name with Verisign.  So as you can see from the code above we can’t insert the comma between Zook and Inc because Exchange Powershell uses a comma as the delimiter between fields.  The result is that Verisign is unable to accept the certificate since the comma is missing.  
Question by:SCJOHN2
27 Comments
 
LVL 32

Expert Comment

by:endital1097
ID: 33691847
use a variable for the subject name
$subjectName = "c=US, s=New York, l=New York, o=Zook, Inc., ou=Information Services, cn=mail.zook.com"
then replace your string with the variable name
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33691881
I have found a great free utility that manages Exchange 2007 certificates and CSR requests, check out my blog post here: http://demazter.wordpress.com/2010/06/15/exchange-2007-ssl-certificates/
0
 

Author Comment

by:SCJOHN2
ID: 33691939
endital1097,
Where does the defined variable go?  Before -GenerateRequest?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33691993
after -SubjectName
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33692029
did you check out the utility in my blog? it takes all the hassle out of managing Exchange 2007 Certificates.
0
 

Author Comment

by:SCJOHN2
ID: 33692097
endital1097,
Can you give me the full code?  I must be doing something wrong...
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33692124
Scjohn2, are you deliberately ignoring my posts?
0
 

Author Comment

by:SCJOHN2
ID: 33692225
demazter,
I've used the digicert tool as well as another tool for generating the Exchange code... I highly doubt your tool is going to make a difference.  The issue is with the delimiter that powershell uses so it doesn't matter what tool I use to generate it.  Powershell can't accept the comma within the company name.

0
 
LVL 32

Expert Comment

by:endital1097
ID: 33692264
$subjectName = "c=US, s=New York, l=New York, o=Zook, Inc., ou=Information Services, cn=mail.zook.com"

New-ExchangeCertificate -GenerateRequest -Path c:\mail_zook_com.csr -KeySize 2048 -SubjectName $subjectName -DomainName autodiscover.zook.com, webmail.zook.com -PrivateKeyExportable $True
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33692303
Is it not worth a try? This tool does all the management for you and installs it.

What is the , there for? Seems a bit odd that they will not accept it without the ,

Do you have to use verisign? Perhaps another provider has different rules?
0
 

Author Comment

by:SCJOHN2
ID: 33692473
endital1097,

Same issue...

X500DistinguishedName". Error: "The string contains an invalid X500 name attribute key, oid, value or delimiter."
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33692616
Have you tried adding the name as "Zook, Inc."
I just used this format using the tool I posted a link to and it seemed to work.

So from your initial post use this:

New-ExchangeCertificate -GenerateRequest -Path c:\mail_zook_com.csr -KeySize 2048 -SubjectName 'c=US, s=New York, l=New York, o="Zook, Inc.", ou=Information Services, cn=mail.zook.com' -DomainName autodiscover.zook.com, webmail.zook.com -PrivateKeyExportable $True
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33692697
or just remove the comma or spell it out.
Verisign's own help section explains this:
- Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll, for example: XY & Z Corporation would be XYZ Corporation or XY and Z Corporation
Extract from: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR225&actp=LIST&viewlocale=en_US
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33692836
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33692843
bug should read big in my previous post.
0
 
LVL 32

Assisted Solution

by:endital1097
endital1097 earned 250 total points
ID: 33692933
You could generate the cert request with IIS Manager and complete it there too
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33692954
You would still have the same problem with the ,
I just tried it
0
 

Author Comment

by:SCJOHN2
ID: 33693046
demazter,
I did try putting the quotes around the company name within the powershell command, no dice.

Also, regarding the spelling the symbol out... are you saying I should put the word "comma" where the , goes?



0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33693093
OK, the quotes worked in the utility on my blog.

Yes, the websites seem to suggest that if you have a symbol in your name it should be spelt out or removed.  So if you have a , it should be Zook comma Inc. or just Zook Inc.

They all seem to say this universally so I would be surprised if they wouldn't just accept "Zook Inc"
0
 

Author Comment

by:SCJOHN2
ID: 33693351
Verisign won't accept it without the comma and we have to use Verisign since we paid for the cert points already.  I guess I have no choice but to try and use the utility in your blog.  Is it free?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33693392
did you try using IIS manager
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33693433
Yes it is free but Verisign's own support pages say to either remove the comma or spell it out.
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 33693496
Have you spoken to someone at Verisign technical support?

Even if you put the quotes around the name will appear as "Zook, Inc." which will then present you with the same issue.
0
 

Author Comment

by:SCJOHN2
ID: 33693816
endital1097,
I haven't tried IIS yet I will try that next but I think demazter tried it and it failed.

demazter,
I downloaded your tool but I don't see any option for "Subject Alternative Names" which is the type of CERT I need (SAN Cert)...

0
 
LVL 74

Assisted Solution

by:Glen Knight
Glen Knight earned 250 total points
ID: 33693907
The SAN names are on the screen where you enter the internal and external names.

But as I already said, you will have the same problem because it will have " around the name.

Have you spoken to verisign?
0
 

Accepted Solution

by:
SCJOHN2 earned 0 total points
ID: 33694428
We found the solution....  http://blogs.pointbridge.com/Blogs/enger_erik/Pages/Post.aspx?_ID=20

It requires double quotes around the company name... it's working now.

Thanks for the effort.
0
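The delimiter problem the thread runs into is a distinguished-name escaping rule: an unquoted comma ends a relative distinguished name, so "o=Zook, Inc." leaves a component ("Inc.") with no attribute key, which is exactly the "invalid X500 name attribute key, oid, value or delimiter" error quoted above. The following Python is an added example, not code from the thread or from Exchange: it parses a DN with RFC 4514 quoting and backslash rules and builds the single-quoted PowerShell argument the accepted solution relies on. It assumes Exchange's X500DistinguishedName parser splits on unquoted commas the same way; the backslash form is the RFC convention and is not something the thread confirms Exchange accepts.

```python
# Added example (not code from the thread): an RFC 4514-style DN parser showing why
# "o=Zook, Inc." is rejected and why quoting the value fixes it. Assumes Exchange's
# X500DistinguishedName parser splits on unquoted commas the same way; the
# backslash form is the RFC convention and is not confirmed by the thread.

def parse_dn(dn):
    """Return [(attribute, value), ...]. A comma ends an RDN unless it is inside a
    double-quoted value or escaped with a backslash; a part with no '=' is invalid."""
    parts, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character, taken literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':                         # enter or leave a quoted value
            quoted = not quoted
        elif ch == "," and not quoted:        # unquoted comma: RDN boundary
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        key, sep, value = part.strip().partition("=")
        if not sep or not key.strip():
            raise ValueError("invalid X500 name component: %r" % part.strip())
        pairs.append((key.strip().lower(), value.strip()))
    return pairs

def dn_is_valid(dn):
    """True when every component parses as attribute=value."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False

def subject_name_arg(attrs):
    """Build the -SubjectName argument for New-ExchangeCertificate: a value that
    contains a DN delimiter is wrapped in double quotes, and the whole DN goes in
    single quotes so PowerShell passes the inner quotes to Exchange unchanged."""
    rdns = []
    for key, value in attrs:
        if any(c in value for c in ',+;"<>='):
            value = '"' + value.replace('"', '\\"') + '"'
        rdns.append("%s=%s" % (key, value))
    return "'" + ", ".join(rdns).replace("'", "''") + "'"
```

Feeding the thread's attributes to subject_name_arg yields the single-quoted DN with o="Zook, Inc." inside it, and parse_dn reads that organisation back as one value rather than two components.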
 

Author Comment

by:SCJOHN2
ID: 33717755
Thanks
0
