Updating SSL certificates for OWA through ISA 2004


2 SSL certificates:

IIS (OWA 2003) using webmail.xx.com

ISA 2004 using publishing.xx.local

Expired 29th March 2011.

Steps Taken:

Using selfssl recreated new webmail.xx.com and imported into trusted root & personal, + told IIS to use it

Using Xenos Certificate Generator recreated publishing.xx.local + told ISA 2004 SBS Listener to use it (having added to trusted root & personal).

Restarted everything, error when connecting to webmail.xx.com/exchange:

500 Internal Server Error. The target principal name is incorrect

No problem going to https://localhost/exchange - working as normal. It only affects external connections for RPC over HTTP and OWA (+ iPhone & HTC Devices, BlackBerrys are OK as working on BES).

Any assistance appreciated.

Keith Alabaster (Enterprise Architect) commented:
Not the way it works and the message you are getting is what I would expect.
The way it is generally done is you get the cert from the IIS service that will match the EXTERNAL name that external users will access - https://server.extdomain.com
You install that cert to the internal IIS Service and then export it with the private key. You then RE-Import it to the ISA box into the local computer - personal store.

In essence it is one cert that is used for both the internal service and the published service.
Plaice (Author) commented:
Created a new request from IIS and then assigned that request using keyman, then opened the cert from IIS, went to details and copied to file to export it, and then imported through the certificate snap-in to personal, trusted root, and trusted publishers.

And now when looking at the certificate it has an error saying "Windows does not have enough information to verify the certificate".
Keith Alabaster (Enterprise Architect) commented:
Firstly, you cannot just copy the file to export it, it needs to be done through the cert utility from within IIS, Exchange or whatever you used.
Second, it will need to be an external cert in the sense that external users will need to be able to follow the cert path to the root. An internal cert is not going to cut it unless you used the same internal and external TLD.
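The two points above (the name in the certificate must be the external name users type, and the chain must validate from the client's side) are exactly what a client checks before it accepts the listener's certificate. The following is an added example, not code from the thread: a small hostname matcher over the dict shape Python's ssl.getpeercert() returns, plus a live check helper; the sample certificates and the host names are constructed to mirror the situation in the question.

```python
import socket
import ssl

def _label_match(pattern: str, host: str) -> bool:
    """Match one DNS name; allow a single leading wildcard label (*.xx.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard covers exactly one label and never the bare domain itself.
    return (len(p_labels) == len(h_labels) and len(h_labels) > 2
            and p_labels[1:] == h_labels[1:])

def cert_names(cert: dict) -> list:
    """DNS names from subjectAltName; fall back to the subject CN if absent."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == "commonName":
                names.append(v)
    return names

def cert_matches_host(cert: dict, host: str) -> bool:
    """True if any name in the certificate covers the host the user connected to."""
    return any(_label_match(n, host) for n in cert_names(cert))

def check_published_host(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Live check (hypothetical helper): fetch the presented cert and report
    (ok, reason). Chain validation happens in the handshake; a self-signed
    listener cert fails here before the name is even compared."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # do the name check ourselves so we can report it
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, "chain does not validate: %s" % exc
    if not cert_matches_host(cert, host):
        return False, "name mismatch: cert is for %s" % ", ".join(cert_names(cert))
    return True, "ok"

# Constructed sample certificates in getpeercert() dict form.
ISA_LISTENER_CERT = {"subject": ((("commonName", "publishing.xx.local"),),)}
IIS_OWA_CERT = {"subject": ((("commonName", "webmail.xx.com"),),),
                "subjectAltName": (("DNS", "webmail.xx.com"),
                                   ("DNS", "autodiscover.xx.com"))}
```

Running cert_matches_host(ISA_LISTENER_CERT, "webmail.xx.com") returns False, which is the mismatch a client reports when the listener presents the internal name.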

Plaice (Author) commented:
Firstly, I am exporting it using the cert utility – the button that opens the export wizard is called ‘copy to file’

Second, it was set up and working in the way described under ‘Background’ in the original post.

The selfssl.exe util that comes with IIS 6.0 resource kit will create a certificate with the right CN, and trust it + start using it for IIS.

If I then import this into personal certs, from the certificates snap-in mmc on the ISA server – then ‘the target principal name is incorrect’, importing to trusted pubs and root CA’s also makes no difference.

Webmail.xx.com resolves to the external IP of both the ISA and Exchange svr, which are installed on the same box.
Keith Alabaster (Enterprise Architect) commented:
I hear you.
Plaice (Author) commented:
Managed to resolve this in the end.

Using self SSL to generate a new cert for IIS on webmail.xxx.com.
Changed ISA server rule on web listener to use the To field instead of the Hosts request and changed To address to webmail.xxx.com.
Finally added entry to hosts file for webmail.xxx.com = exchange svr

All working now although perhaps not ideal.

Plaice (Author) commented:
Resolved this internally in the end.