snowmizer

Redirecting Windows 2003 CA Enrollment Site to HTTPS

We have an internal Microsoft Windows 2003 CA server running to handle certificates for our VPN users. The site was configured to require SSL to access the enrollment page and a certificate is installed on the server.

This was working fine but suddenly we are having a problem where the redirection is not working. If I enter https://servername/certsrv I get a page cannot be displayed. If I enter http://servername/certsrv I get a message that secure communications is required.

I've verified that the certificate is valid and don't see anything wrong with the configuration. There are no messages in the event or IIS logs.

Where else can I look to get this resolved?

Thanks.
arnold

Double check the certificate on the IIS web site for https://servername to make sure it is valid.
Take out the require SSL under the web site's configuration, which will allow you to access it without SSL, and if it does not work either, you may have a configuration issue, i.e. the wrong .NET framework is applied to this virtual site.
snowmizer

ASKER

The certificate on the IIS website is valid. If I remove the SSL requirement I can access the enrollment page (but can't run this without SSL).
What if you manually install the cert locally?
Do you still get the error?
Do you attempt to convert requests to the http to automagically switch to https?


P.S. You have restarted IIS, right?
Check whether you have a requirement for certenroll and/or certcontrol which could explain why when accessing without https you are having an issue if any request/fulfillment is redirected there and it requires an SSL connection.
Enable logging on the virtual site and see what errors if any are reported there.
The .NET framework should be 1.1.4322.
Yeah, I have restarted IIS. Certsrv, certenroll and certcontrol all have requirements for SSL. The version of .NET framework running on all is 1.1.4322. The cert on the sites is a VeriSign site specifically for the domain name we use to allow remote users to access the enrollment site.

I don't have anything in place to automatically switch from http to https if the users enter http://servername/certsrv but I would like to have this. How can you go about doing this with CA sites? Would it be similar to how you do OWA (create a redirect page and set the 403.4 error redirect page to my new redirect page)?

We applied the newest round of Windows updates this morning. I'm wondering if this maybe caused an issue since this was working last week and no changes have been made.
The SSL requirement within IIS is what generates the notice when a non-SSL connection is made.
IIS properties of the virtual directory, Directory Security, hit edit under the secure communications option. There you will see at the top the check box for require Secure Channel (SSL).

Double check whether your settings require that the client accessing the https://servername/certsrv must present a valid client certificate within the same location as above. Require client certificates, etc.
The check box to require SSL is checked, require 128-bit isn't checked, ignore client certificates is not checked. This is the configuration in all three locations (certenroll, certcontrol, and certsrv) plus the default web site.
I built a new 2003 server on our test network, restored the CA database and re-installed the cert. After doing this my site works so it looks like it's something on my server itself. I tried matching up settings from the new server and the production server. Everything matches but the cert on the prod server still doesn't work.

We're going to just build a new 2008 server and restore the CA on the new server.

Thanks everyone for the replies.