Can't import CAcert SSL certificate for Anywhere Access in Server 2012 Essentials

I have Server 2012 Essentials. I installed and have been using successfully a CAcert certificate for Anywhere Access, and the certificate is coming up for renewal. I found the following instructions saying that basically you have to generate a new certificate request:

Create a new certificate request (in IIS Manager/Server Certificates) and get your new CAcert certificate.
In IIS Manager/Server Certificates, choose Complete Certificate Request and choose the .CER file you created. That will get the certificate into Server Certificates.
Next, right-click on the new certificate and export it to a .PFX file.
Now you have to choose Settings from the Windows Server 2012 Essentials Dashboard and choose Anywhere Access. Under Domain Name click Set up...
Choose the "Use another domain name or domain name service provider" option but enter the same domain name as you are already using. Then choose the manual setup option - this will allow you to import the .PFX file you created above. After it completes the setup it will ask you to run the Repair Anywhere Access option - do so and it should set everything up with the new certificate.

I followed these instructions and all seems OK until that last bit when I import the PFX file into Anywhere Access; I get the following error:
"You can import only trusted SSL certificates. Get a trusted SSL certificate and then import the trusted certificate"

Please can someone help me?
Thanks
Andy
activateahsdAsked:

Jo_WickermanCommented:
Hi Andy,

Sounds like the CA or Sub-CA changed / was not part of the chain anymore.

Have you tried to import this cert into your laptop's store and double click on it to check the certificate chain?

Cheers,
Jo
0
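One way to do the chain check Jo describes from a PowerShell prompt on the server, before attempting the Anywhere Access import. This is an added example, not code from the thread or from Microsoft; the PFX path and password are placeholders, and the script assumes it is run elevated on the Essentials server so that the LocalMachine stores are the ones consulted.

```powershell
# Added example: verify that a PFX chains to a trusted root on this machine and
# carries the Server Authentication EKU, which is what an SSL certificate needs.
param(
    [string]$PfxPath     = 'C:\certs\anywhere-access.pfx',   # placeholder path
    [string]$PfxPassword = 'CHANGE-ME'                        # placeholder password
)

$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
             $PfxPath, $PfxPassword, $flags)

if (-not $cert.HasPrivateKey) {
    Write-Warning 'PFX contains no private key; export it again with the private key included.'
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation checking is skipped here so the result reflects trust/chain problems only.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$serverAuth = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.1'
$chain.ChainPolicy.ApplicationPolicy.Add($serverAuth) | Out-Null

$ok = $chain.Build($cert)
Write-Host "Subject : $($cert.Subject)"
Write-Host "Issuer  : $($cert.Issuer)"
Write-Host "Expires : $($cert.NotAfter)"
Write-Host "Chain OK: $ok"

# Print every element of the chain with its status, leaf first, root last.
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    Write-Host ("  {0}  [{1}]" -f $el.Certificate.Subject, $status)
}

# Anywhere Access runs as a service, so the issuing root must be in the
# LocalMachine Root store, not only in the current user's store.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not (Test-Path ("Cert:\LocalMachine\Root\" + $root.Thumbprint))) {
    Write-Warning "Root '$($root.Subject)' is not in Cert:\LocalMachine\Root"
}

if (-not $ok) {
    # An unsigned CSR saved as a .cer, or a missing CAcert root, shows up here
    # as UntrustedRoot or PartialChain.
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
}
```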
activateahsdAuthor Commented:
Hi Jo,

The CAcert root certificate is installed on the server and looks right, and the actual certificate, if you double click on it in 'Manage Computer Certificates' on the Server 2012, shows 'The certificate is OK' in the certification path section.
Is that what you mean by checking the chain?

Thanks
Andy
0
Jo_WickermanCommented:
Hi,

Yeah, that's what I meant by clicking.

So, to understand completely, this is a renewal and the first installation of the cert was successful?
0
activateahsdAuthor Commented:
Yes, that's right, although according to the instructions I found you can't actually do a renewal, you have to do a new certificate request.
0
Jo_WickermanCommented:
Ok,

So, you have created a new request and submitted it to an external CA to sign, and they sent the .cer or .p7b file back to you?
0
activateahsdAuthor Commented:
Hi, yes.
I copied the -----BEGIN NEW CERTIFICATE REQUEST----- blah blah blah -----END NEW CERTIFICATE REQUEST----- into a text file, renamed it to a .cer and imported it as per the instructions. That's fine, it's the secondary import into Anywhere Access that comes up with the error...
0
Jo_WickermanCommented:
Sorry for my ignorance, but if I understand correctly, you didn't have this cert signed by a CA, did you?

You created the request, and saved the txt file as a .cer and imported it?

That won't work at all. You have 1 of 2 choices.

1. Create the request and submit it to a 3rd party CA, such as Thawte, DigiCert, etc. They will sign this certificate for you and send back the "answer" file which you will need to complete the certificate request.

2. If you have a local CA in your organization, you can use this CA to sign your cert and then complete the request.

I would suggest checking out the old cert to see who signed that specific cert, and go with that CA to sign the new cert.

Thanks,
Jo
0
activateahsdAuthor Commented:
Restarting the server allowed me to import the PFX file into Anywhere Access for some reason!
0
Jo_WickermanCommented:
Wow! A restart solved it. Weird, but glad it's sorted! :)

Cheers,
Jo
0
Jo_WickermanCommented:
Just for my own clarity, did you get the cert signed by a local or 3rd party CA?
0
activateahsdAuthor Commented:
It was generated by CAcert (http://www.cacert.org/)
0
activateahsdAuthor Commented:
I wasn't advised that a restart would help by anyone else, so I think I need to accept my own solution in this case?
0