Can't import CAcert SSL certificate for Anywhere Access in Server 2012 Essentials

I have Server 2012 Essentials. I installed and have been using successfully a CAcert certificate for Anywhere Access; the certificate is coming up for renewal. I found the following instructions saying that basically you have to generate a new certificate request:

1. Create a new certificate request (in IIS Manager/Server Certificates) and get your new CAcert certificate.
2. In IIS Manager/Server Certificates, choose Complete Certificate Request and choose the .CER file you created. That will get the certificate into Server Certificates.
3. Next, right-click on the new certificate and export it to a .PFX file.
4. Now you have to choose Settings from the Windows Server 2012 Essentials Dashboard and choose Anywhere Access. Under Domain Name click Set up...
5. Choose the "Use another domain name or domain name service provider" but enter the same domain name as you are already using. Then choose the manual setup option - this will allow you to import the .PFX file you created above. After it completes the setup it will ask you to run the Repair Anywhere Access option - do so and it should set everything up with the new certificate.


I follow these instructions and all seems OK until that last bit: when I import the .pfx file into Anywhere Access, I get the following error:
"You can import only trusted SSL certificates. Get a trusted SSL certificate and then import the trusted certificate"

Please can someone help me?
Thanks
Andy
activateahsd Asked:
activateahsdAuthor Commented:
Restarting the server allowed me to import the .pfx file into Anywhere Access for some reason!
0
 
Jo_WickermanCommented:
Hi Andy,

Sounds like the CA or Sub-CA changed / was not part of the chain anymore.

Have you tried to import this cert into your laptop's store and double click on it to check the certificate chain?

Cheers,
Jo
0
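The chain check Jo suggests, as an added PowerShell example that is not from anyone in this thread: it loads the exported .pfx, builds its chain against the local stores, and reports whether the chain's root is present in Cert:\LocalMachine\Root (the store a Windows service consults, as opposed to the current user's store) and whether the private key came along in the export. The path and password are placeholders.

```powershell
# Added example, not from the thread. Checks a .pfx for the two things an
# "only trusted SSL certificates" import will require: a private key and a
# chain that ends at a root the machine store already trusts.
# $PfxPath and $PfxPassword are placeholders for the file exported in IIS Manager.
param(
    [string]$PfxPath     = 'C:\certs\anywhereaccess.pfx',  # placeholder
    [string]$PfxPassword = 'changeit'                      # placeholder
)

function Test-PfxForAnywhereAccess {
    param([string]$Path, [string]$Password)

    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $Path, $Password, $flags

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust question only; revocation is a separate check
    $built = $chain.Build($cert)

    # The last element is wherever the chain engine stopped: the root if the
    # chain is complete, or the last issuer it could find if it is partial.
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }
    $rootInMachineStore = $false
    if ($root) {
        $rootInMachineStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $root.Thumbprint })
    }

    [pscustomobject]@{
        Subject            = $cert.Subject
        Issuer             = $cert.Issuer
        NotAfter           = $cert.NotAfter
        HasPrivateKey      = $cert.HasPrivateKey
        ChainBuilds        = $built
        ChainErrors        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        RootSubject        = if ($root) { $root.Subject } else { '(none)' }
        RootInMachineStore = $rootInMachineStore
    }
}

$result = Test-PfxForAnywhereAccess -Path $PfxPath -Password $PfxPassword
$result | Format-List

if (-not $result.HasPrivateKey)      { Write-Warning 'No private key: re-export from IIS with the key included.' }
if (-not $result.ChainBuilds)        { Write-Warning "Chain does not build: $($result.ChainErrors)" }
if (-not $result.RootInMachineStore) { Write-Warning 'Root is not in Cert:\LocalMachine\Root; a user-store import is not enough.' }
```

Run it in an elevated Windows PowerShell session on the Essentials server; UntrustedRoot or PartialChain in ChainErrors points at the root/intermediate store rather than at the certificate itself.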
 
activateahsdAuthor Commented:
Hi Jo,

The CAcert root certificate is installed on the server and looks right, and the actual certificate, if you double-click on it in 'Manage Computer Certificates' on the Server 2012, shows 'The certificate is OK' in the certification path section.
Is that what you mean by checking the chain?

Thanks
Andy
0
 
Jo_WickermanCommented:
Hi,

Yeah, that's what I meant by clicking.

So, to understand completely, this is a renewal and the first installation of the cert was successful?
0
 
activateahsdAuthor Commented:
Yes, that's right, although according to the instructions I found you can't actually do a renewal; you have to do a new certificate request.
0
 
Jo_WickermanCommented:
Ok,

So, you have created a new request and submitted it to an external CA to sign and they sent back the .cer or .p7b file back to you?
0
 
activateahsdAuthor Commented:
Hi, yes.
I copied the -----BEGIN NEW CERTIFICATE REQUEST----- blah blah blah -----END NEW CERTIFICATE REQUEST----- into a text file, renamed it to a .cer and imported it as per the instructions. That's fine; it's the secondary import into Anywhere Access where it comes up with the error...
0
 
Jo_WickermanCommented:
Sorry for my ignorance, but if I understand correctly, you didn't have this cert signed by a CA, did you?

You created the request, and saved the txt file as a .cer and imported it?

That won't work at all. You have 1 of 2 choices.

1. Create the request and submit it to a 3rd party CA, such as Thawte, DigiCert, etc. They will sign this certificate for you and send back the "answer" file which you will need to complete the certificate request.

2. If you have a local CA in your organization, you can use this CA to sign your cert and then complete the request.

I would suggest checking out the old cert and see who signed that specific cert and go with that CA to sign the new cert.

Thanks,
Jo
0
 
Jo_WickermanCommented:
Wow! A restart solved it. Weird, but glad it's sorted! :)

Cheers,
Jo
0
 
Jo_WickermanCommented:
Just for my own clarity, did you get the cert signed by a local or 3rd party CA?
0
 
activateahsdAuthor Commented:
It was generated by CAcert (http://www.cacert.org/)
0
 
activateahsdAuthor Commented:
I wasn't advised that a restart would help by anyone else, so I think I need to accept my own solution in this case?
0