Plaice

asked:
Updating SSL certificates for OWA through ISA 2004

Background:

2 SSL certificates:

IIS (OWA 2003) using webmail.xx.com

ISA 2004 using publishing.xx.local

Expired 29th March 2011.

Steps Taken:

Using selfssl recreated new webmail.xx.com and imported into trusted root & personal, + told IIS to use it

Using Xenos Certificate Generator recreated publishing.xx.local + told ISA 2004 SBS Listener to use it (having added to trusted root & personal).

Restarted everything, error when connecting to webmail.xx.com/exchange:

500 Internal Server Error. The target principal name is incorrect

No problem going to https://localhost/exchange - working as normal.  It only affects external connections for RPC over HTTP and OWA (+ iPhone & HTC Devices, BlackBerrys are OK as working on BES).

Any assistance appreciated.
Keith Alabaster

Not the way it works and the message you are getting is what I would expect.
The way it is generally done is you get the cert from the IIS service that will match the EXTERNAL name that external users will access - https://server.extdomain.com
You install that cert to the internal IIS Service and then export it with the private key. You then RE-Import it to the ISA box into the local computer - personal store.

In essence it is one cert that is used for both the internal service and the published service.
Plaice

ASKER

Created a new request from IIS and then assigned that request using keyman then opened the cert from IIS went to details and copied to file to export it and then imported through the certificate snapin to personal, trusted root, and trusted publishers.

And now when looking at the certificate it has an error saying "Windows does not have enough information to verify the certificate".

Firstly, you cannot just copy the file to export it, it needs to be done through the cert utility from within IIS, Exchange or whatever you used.
Second, it will need to be an external cert in the sense that external users will need to be able to follow the cert path to the root. An internal cert is not going to cut it unless you used the same internal and external TLD.
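As an added example, not code from the thread or from either participant: a PowerShell script for the procedure Keith describes (one certificate carrying the external name, installed on IIS, exported with its private key and imported into the ISA host's Local Computer \ Personal store), together with the two checks behind the errors quoted above. The name-match check corresponds to "The target principal name is incorrect"; the chain check corresponds to "Windows does not have enough information to verify the certificate". It assumes the PKI module cmdlets of Windows 8 / Server 2012 and later (Export-PfxCertificate, Import-PfxCertificate), the host name webmail.xx.com from the question, and an assumed export path C:\temp\webmail.pfx; the function names Test-PublishedName and Test-CertChain are my own.

```powershell
# Added example (not from the thread). Assumes the PKI module cmdlets shipped
# with Windows 8 / Server 2012 and later; the 2003-era hosts in the thread
# would use certutil -exportPFX / -importPFX and the certificates MMC instead.

function Test-PublishedName {
    # Does the certificate carry the name external clients connect to?
    # A mismatch here is what surfaces as "The target principal name is incorrect".
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory = $true)]
        [string]$PublicHostName    # e.g. webmail.xx.com, the name from the question
    )
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # Subject Alternative Name extension (OID 2.5.29.17), when present
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $matched = $false
    foreach ($n in $names) {
        # exact match, or a single-label wildcard such as *.xx.com
        if ($n -eq $PublicHostName) { $matched = $true }
        elseif ($n.StartsWith('*.') -and
                $PublicHostName -like $n -and
                $PublicHostName.Split('.').Count -eq $n.Split('.').Count) { $matched = $true }
    }
    if (-not $matched) {
        Write-Warning ("Certificate names [{0}] do not include {1}" -f ($names -join ', '), $PublicHostName)
    }
    return $matched
}

function Test-CertChain {
    # Can this host build a trusted chain for the certificate? A failure here is
    # what the MMC reports as "Windows does not have enough information to verify
    # the certificate". For a SelfSSL-style self-signed cert the status stays
    # UntrustedRoot until the cert is also in Trusted Root Certification
    # Authorities on this host.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline check: skip CRL/OCSP so the result reflects trust, not connectivity.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($Cert)
    if (-not $built) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
        }
    }
    return $built
}

# --- On the IIS host: find the cert by its public name and export it WITH its private key ---
$publicName  = 'webmail.xx.com'
$pfxPath     = 'C:\temp\webmail.pfx'             # assumed path
$pfxPassword = Read-Host -AsSecureString 'PFX password'

$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and
                       (Test-PublishedName -Cert $_ -PublicHostName $publicName -WarningAction SilentlyContinue) } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $publicName in LocalMachine\My" }
# BuildChain bundles the issuing chain so the ISA host can trust the cert as well.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain

# --- On the ISA host: import into Local Computer \ Personal, the store the web listener reads ---
$imported = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
Test-PublishedName -Cert $imported -PublicHostName $publicName   # True when the CN/SAN carries the public name
Test-CertChain     -Cert $imported                               # True once this host trusts the issuer
```

Two points follow from the checks. First, a certificate whose CN is the internal name (publishing.xx.local in the question) will never pass Test-PublishedName for webmail.xx.com, which is Keith's point that the listener must present the external name. Second, a self-signed SelfSSL certificate passes Test-CertChain on the ISA host only after it is also placed in Trusted Root Certification Authorities there, and external clients that do not trust that root will still fail the chain on their side, which is why a certificate chaining to a publicly trusted root is the usual choice for a published service. In the SBS setup described later in the thread, where ISA and Exchange share one box, the export and import collapse to selecting the existing Local Computer \ Personal entry on the listener, but both checks still apply.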

ASKER

Firstly, I am exporting it using the cert utility – the button that opens the export wizard is called ‘copy to file’

Second, it was set up and working in the way described under ‘Background’ in the original post.

The selfssl.exe util that comes with IIS 6.0 resource kit will create a certificate with the right CN, and trust it + start using it for IIS.

If I then import this into personal certs, from the certificates snap-in mmc on the ISA server – then ‘the target principal name is incorrect’, importing to trusted pubs and root CA’s also makes no difference.

Webmail.xx.com resolves to the external IP of both the ISA and Exchange svr, which are installed on the same box.

I hear you.
ASKER CERTIFIED SOLUTION
Plaice


ASKER

Resolved this internally in the end.