Solved

Migrate from self-signed cert to a 3rd party cert

Posted on 2010-11-30
41
522 Views
Last Modified: 2012-05-10
Over the past few years we have been running Outlook 2003/2007 via RPC over HTTP.  We have been using a self-signed certificate successfully.  I recently obtained a cert from Network Solutions.  Since then the remote Outlook clients can no longer connect to the Exchange Server (Exch 2003 SP1).  What is the best practice to move from a self-signed cert to a 3rd party cert?  Thank you for any assistance.
0
Comment
Question by:mtallon
41 Comments
 
LVL 4

Accepted Solution

by:
jcurrie earned 250 total points
Comment Utility
Are you running root certificate updates on the clients? If they trust the cert publisher then they should have no problem connecting to RPC/HTTP.

Take a look at this KB from Microsoft.

http://support.microsoft.com/kb/827330
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
When you obtained a new cert from Network Solutions - what exactly did you do to obtain the certificate?

Did you remove the existing certificate, generate a new CSR request, submit the CSR request to the Certificate Provider, confirm your identity, download the certificate and then install it?
0
 

Author Comment

by:mtallon
Comment Utility
jcurrie:  Over the past year the client notebooks downloaded the self signed cert and then imported it into Trusted Root Cert Auth.

Alan:  I purchased the new cert via Network Solutions online cart.  It asked for the name (i.e. mail.mydomain.com) and then they subsequently requested I send in copies of utility bills, etc. to verify the authenticity of the business.  I did not use the wizard in IIS to generate the file to send.  Is this the problem?

I did install the new Network Solutions cert (mail.mydomain.com.cer) via the wizard; however, when I run the wizard in IIS to assign the new cert, it does not appear as an available cert to install.
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
Comment Utility
Yes - if you don't run the wizard via IIS - you won't get the certificate to work.

Can you re-key the certificate on their website?

With 2003 - you need to remove the cert, run the wizard, create the CSR file, copy / paste the contents of the CSR file into the website of the Certificate provider, let them do their thing, download the certificate, Complete the Wizard in IIS and then the cert will be installed correctly.

If you do this and it still doesn't work - then please let me know.  If you need help doing any of this - just ask.

Alan
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
Comment Utility
I guess you can manually install the certificate via the MMC.

Start> Run> MMC /a{press enter}

Add / Remove a Snap-In> Certificates - Computer Account> Local Computer.

Expand the tree> Open Personal> Right-Click and choose All Tasks> Import> Browse to the .cer file and complete the install.

Then run IIS Manager and add the certificate to IIS.
0
 

Author Comment

by:mtallon
Comment Utility
jcurrie:  Thank you for the MS link with the web based test tool.  Very helpful.  It confirmed the cert was the problem.  Results below:

Testing RPC/HTTP connectivity.
  The RPC/HTTP test failed.
   Test Steps
   Attempting to resolve the host name mail.mydomain.com in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: 97.77.xxx.xxx
 
 Testing TCP port 443 on host mail.mydomain.com to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   Validating the certificate name.
  The certificate name was validated successfully.
   Additional Details
  Host name mail.mydomain.com was found in the Certificate Subject Common name.
 
 Certificate trust is being validated.
  Certificate trust validation failed.
   Additional Details
  The certificate chain couldn't be built. You may be missing required intermediate certificates.
0
 

Author Comment

by:mtallon
Comment Utility
Alan,  Thanks for the quick reply.  I was thinking not generating the file may have been the problem.  I will log into Network Solutions and see if I can run the process you outlined.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
As you have discovered - the intermediate cert seems to be missing.

See if they have one and then install it using the last set of instructions I posted.

If that doesn't work - re-key the certificate as per my other instructions.
0
 

Author Comment

by:mtallon
Comment Utility
They did send me a few certs in a zip file:

AddTrustExternalCARoot.crt
mail.mydomain.com.crt
UTNAddTrustServer_CA.crt
NetworkSolutions_CA.crt

The only one I imported was mail.mydomain.com.crt.  Will the other crt's they sent get me where I need to be?  Or do I still need to re-generate the cert by exporting the file and pasting it?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
You can probably get away without re-generating a new cert.

Add the AddTrustExternalCARoot.crt cert using my instructions.  Test again - if no joy - add the others one by one, unless they have instructions as to which one is the correct one to install.
0
 

Author Comment

by:mtallon
Comment Utility
I am doing that process now Alan.  Should I delete the old self-signed certs while I am at it?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
You can leave the Self-Signed ones for now - they won't do any harm - but removing them just might!
0
 

Author Comment

by:mtallon
Comment Utility
I removed the expired one from last year and left the current self-signed certs.  I then ran the wizard in IIS to remove the self-signed cert (not the file) and then I was able to see the Network Solutions cert I just imported via MMC.  I then assigned it successfully.

Note:  I also imported the other three (3) certs that Network Solutions sent in MMC into the Personal folder.

I re-ran the MS web based test and now receive a different error:
Additional Details
  A network error occurred while communicating with the remote host.
Exception details:
Message: Authentication failed because the remote party has closed the transport stream.
Type: System.IO.IOException
Stack trace:
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
at Microsoft.Exchange.Tools.ExRca.Tests.SSLCertificateTest.PerformTestReally()
 
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
>> Authentication failed because the remote party has closed the transport stream <<

This suggests either Anti-Virus interference or possibly a timeout on the Default Website set too low.

0
 

Author Comment

by:mtallon
Comment Utility
I tested from my Outlook 2007 client (remote) and it will not connect.  Does the old self-signed cert need to be removed from the client side?  My assumption was nothing needed to be changed on the client-side - hence the benefit of a 3rd party cert.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
If the test site passes - Outlook (if configured correctly) should connect happily.

Does the test site show that all is well?
0
 

Author Comment

by:mtallon
Comment Utility
The test site fails with:

Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Tell me more about this issue and how to resolve it
   Additional Details
  A network error occurred while communicating with the remote host.
Exception details:
Message: Authentication failed because the remote party has closed the transport stream.
Type: System.IO.IOException
Stack trace:
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
at Microsoft.Exchange.Tools.ExRca.Tests.SSLCertificateTest.PerformTestReally()
0
 
LVL 4

Expert Comment

by:jcurrie
Comment Utility
According to the logs you submitted from the RPC tool, the cert failed because of a certificate trust issue:

 The certificate name was validated successfully.
   Additional Details
  Host name mail.mydomain.com was found in the Certificate Subject Common name.
 
 Certificate trust is being validated.
  Certificate trust validation failed.
   Additional Details
  The certificate chain couldn't be built. You may be missing required intermediate certificates.


I don't believe this is an issue with the way you have installed the cert but that you don't have a trust relationship with the certificate authority (Network Solutions). Update the root certificates on the clients.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f814ec0e-ee7e-435e-99f8-20b44d4531b0&displaylang=en

0
 
LVL 4

Expert Comment

by:jcurrie
Comment Utility
Or push out the root certificates that they sent you through Group Policy, or create a simple web page where your end users can download and install the certificate trusts.

AddTrustExternalCARoot.crt
UTNAddTrustServer_CA.crt
NetworkSolutions_CA.crt

Or purchase a third party cert from a vendor that already is in your root certificate trust like Verisign.

0
 
LVL 4

Expert Comment

by:jcurrie
Comment Utility
It looks like you are actually missing an intermediate certificate on the server

http://technet.microsoft.com/en-us/library/ee410524(EXCHG.80).aspx

If you install those other certificates that they sent you into the certificate repository under the "computer" account, I believe it will resolve your issue. Take a look at this article

http://technet.microsoft.com/en-us/library/ee410524(EXCHG.80).aspx
0
 
LVL 4

Expert Comment

by:jcurrie
Comment Utility
0
 

Author Comment

by:mtallon
Comment Utility
I thought the steps on the Intermediate cert might correct the problem because I had not done that.  I imported the Intermediates, but it still failed the test.  I think the piece I am missing is that I did not send the CSR to Network Solutions prior to them sending the CRTs to me.  In your experience with 3rd Party Certs is this required?
0
 
LVL 4

Expert Comment

by:jcurrie
Comment Utility
Did you make sure you installed the intermediates under the Computer Account? It won't work if you install them under your user account or if you just right-click them and select install. You have to do it exactly how the instructions say:

http://www.networksolutions.com/support/installation-of-an-ssl-certificate-on-microsoft-iis-5-x-6-x-2/

Re-run the RPC utility and see what it says now that you installed the intermediate certs.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
In my experience - I have never done it the way you have - and I have never had any problems.

That is not to say you can't do it the way you have - but it may well explain the problems.

Exchange 2003 / Outlook should not be that fussy.

Worst case - install the certificate onto the client using the following instructions:

Copy the certificate file onto the computer on a USB stick and then do the following:

Open up Internet Explorer, Click on Tools, Internet Options, Content Tab, Certificate Button, Trusted Root Certification Authorities Tab.  Click Import, Next, Browse to the certificate.cer file on the USB stick and click next, Select 'Place all certificates in the following store' and click Browse, check the Show Physical Stores Box and then select Trusted Root Certification Authorities Folder (Expand it) and then choose Registry and click OK.  Click Next and then Finish.  Click OK on the next prompt.
0
 
LVL 4

Expert Comment

by:jcurrie
Comment Utility
It isn't an issue about "how" it was done. The issue is that Network Solutions certificates require intermediate certificates to be installed. The reason you have never had problems is because you used a different third party vendor that is more established and does not require intermediate certs for the certificate chain of trust.
0
 

Author Comment

by:mtallon
Comment Utility
Alan,  Should I run the client import you outlined for just my mail.mydomain.com.crt?  Should I install the other three (3) certs (Intermediates) that Network Solutions sent?
0
 
LVL 4

Expert Comment

by:jcurrie
Comment Utility
mtallon, the issue is not on the clients, it's on the server. Save yourself a bunch of time and open a tech support case with Network Solutions. The problem is that the RPC clients cannot build a chain of trust because the intermediate certificates are missing from your server or not properly installed.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Just the mail.mydomain.com.crt one.  You will have to change the file type when importing so that it picks up the .crt file.
0
 

Author Comment

by:mtallon
Comment Utility
I imported the mail.mydomain.com.crt on the client in the location you specified and Outlook will not connect.  I thought manually installing it would work for sure.  I'm stumped.
0
 
LVL 4

Expert Comment

by:jcurrie
Comment Utility
mail.mydomain.com.crt is not a root cert, it's a private cert and should never be deployed to a client. The issue isn't on the client, it's on the server. You need to ensure the intermediate certificates are installed.

Re-run the RPC utility and see what it says. If it still says it's unable to build the certificate chain then you know that it's a problem with the intermediate certs.
0
 

Author Comment

by:mtallon
Comment Utility
When I run the RPC Util on the mail server I get this error:

Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Tell me more about this issue and how to resolve it
   Additional Details
  A network error occurred while communicating with the remote host.
Exception details:
Message: Authentication failed because the remote party has closed the transport stream.
Type: System.IO.IOException
Stack trace:
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
at Microsoft.Exchange.Tools.ExRca.Tests.SSLCertificateTest.PerformTestReally()
0
 

Author Comment

by:mtallon
Comment Utility
When I navigate to the Certificates folder under Intermediate Certification Authorities in the MMC the following three (3) certs are present:

AddTrustExternalCARoot.crt
UTNAddTrustServer_CA.crt
NetworkSolutions_CA.crt
0
 
LVL 4

Expert Comment

by:jcurrie
Comment Utility
What changed since you ran the test that produced this result?

Testing RPC/HTTP connectivity.
  The RPC/HTTP test failed.
   Test Steps
   Attempting to resolve the host name mail.mydomain.com in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: 97.77.xxx.xxx
 
 Testing TCP port 443 on host mail.mydomain.com to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   Validating the certificate name.
  The certificate name was validated successfully.
   Additional Details
  Host name mail.mydomain.com was found in the Certificate Subject Common name.
 
 Certificate trust is being validated.
  Certificate trust validation failed.
   Additional Details
  The certificate chain couldn't be built. You may be missing required intermediate certificates.


Whatever changed since then broke it worse.
0
 
LVL 4

Expert Comment

by:jcurrie
Comment Utility
"When I navigate to the Certificates folder under Intermediate Certification Authorities in the MMC the following three (3) certs are present:"

Are you sure you're looking at the Computer Account and not your user account? In any case, you have bigger problems now because something else got broken somewhere along the way. Your IIS is closing the network connection, which is no longer a certificate issue. You may need to restart IIS or reboot the server. Check your IIS sites and make sure they are running and able to start.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
One solution is the intermediate certificate - the other is to install the cert on the client.  On an SBS server - you need to install the SBS created certificate onto the client to make RPC over HTTPS work - so there should not be any issues doing the same with the 3rd party SSL cert on the client.

Please make sure you have downloaded and installed the following MS update (as jcurrie suggested):

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f814ec0e-ee7e-435e-99f8-20b44d4531b0&displaylang=en
0
 

Author Comment

by:mtallon
Comment Utility
I imported the three (3) Network Solutions certs into the Intermediate store.  After reading the NS steps you sent, it seems my not sending the CSR to NS caused the certs to not be generated correctly.  I opened a case with NS to see if they will re-generate the certs from a CSR from my server.
0
 
LVL 4

Expert Comment

by:jcurrie
Comment Utility
The issue isn't a client root trust, it is a cert chain issue. Installing certs on the client won't resolve the issue. The reason you have to install the SBS root is because it's a private cert; you are the cert authority and you own the root. Third party authorities don't work that way. You get the third party roots through root cert updates as in the link you posted. While you can manually install any root yourself, that's not the problem in this case, and also the file mail.mydomain.com.crt is not a root cert, it is a private cert, and installing it on a client basically is the same as handing your private encryption key over to the client machine. That private cert is the key to decrypt traffic to the IIS server for that site. Anyone who has it can compromise the confidentiality of your IIS traffic.
0
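As an added illustration (not code from this thread or from the test tool), here is a small Python model of the chain-building step that the RPC/HTTP test and jcurrie's comments above describe: the client only holds roots in its Trusted Root Certification Authorities store, so every intermediate between the server certificate and that root has to be presented by the server. The certificate names are modelled on the files named in the thread; the issuer relationships between them, and the subject strings, are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the fields chain
    building needs. issuer == subject marks a self-signed (root) certificate."""
    subject: str
    issuer: str


# Constructed certificates modelled on the files in the thread.
# The issuer links between them are assumptions for this example.
ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root")
UTN_CA = Cert("UTN-USERFirst-Hardware", "AddTrust External CA Root")
NS_CA = Cert("Network Solutions Certificate Authority", "UTN-USERFirst-Hardware")
LEAF = Cert("mail.mydomain.com", "Network Solutions Certificate Authority")
# The old setup from the question: a self-signed server certificate that the
# notebooks had imported into their own trusted root store.
SELF_SIGNED = Cert("mail.mydomain.com", "mail.mydomain.com")


def build_chain(leaf, presented, trusted_roots):
    """Walk issuer links from the leaf until a trusted root is reached.

    `presented` models the certificates the server sends in the TLS handshake;
    `trusted_roots` models the client's trusted root store. Returns
    (chain, missing): `missing` is None on success, otherwise the subject name
    of the certificate the client could not find.
    """
    by_subject = {c.subject: c for c in presented}
    roots = {c.subject: c for c in trusted_roots}
    chain = [leaf]
    current = leaf
    while current.subject not in roots:
        if current.issuer in roots:          # next hop is a trusted root: done
            chain.append(roots[current.issuer])
            return chain, None
        if current.issuer == current.subject:  # self-signed but not trusted
            return chain, current.subject
        nxt = by_subject.get(current.issuer)
        if nxt is None or any(c.subject == nxt.subject for c in chain):
            return chain, current.issuer     # not presented (or a loop)
        chain.append(nxt)
        current = nxt
    return chain, None


def diagnose(leaf, presented, trusted_roots):
    """Classify a failure the way the thread does: a gap in the middle of the
    chain is a server-side problem (intermediate not installed/presented); an
    untrusted self-signed certificate at the top is a client-side problem."""
    chain, missing = build_chain(leaf, presented, trusted_roots)
    if missing is None:
        return "ok"
    top = chain[-1]
    if top.issuer == top.subject:
        return f"untrusted root: {missing} (client-side: root update or GPO)"
    return f"missing intermediate: {missing} (server-side: install intermediate)"


if __name__ == "__main__":
    # Only the leaf presented, as in the thread's first test result.
    print(diagnose(LEAF, [LEAF], [ROOT]))
    # Server now presents the intermediates as well.
    print(diagnose(LEAF, [LEAF, NS_CA, UTN_CA], [ROOT]))
```

Running the block prints the "missing intermediate" diagnosis for the first case and "ok" for the second; a client with no root update is reported as the client-side case instead, which is how the two fixes proposed in the thread differ.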
 

Author Comment

by:mtallon
Comment Utility
jcurrie:  Thanks for the security warning on issuing the client cert.  Since I installed the intermediate certs and the problem persists, do you think having NS re-generate the certs from a CSR I send them will resolve the problem with the chain?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Comment Utility
Valid point!
0
 

Author Closing Comment

by:mtallon
Comment Utility
Thank you Alan and jcurrie.  The link to the MS tool was very helpful for diagnostics, as well as the installation instructions for the cert and intermediate certs.  I ended up getting a new cert from Network Solutions, ran through the installation instructions you both provided, and successfully completed the MS util to verify the Outlook RPC/HTTP connection and validation of the SSL cert.  Thanks for the assistance!
0
