asked on
Cant import CACERT SSL certificate for Anywhere Access in Server 2012 Essentials
I have server 2012 essentials, i installed and have been using successfully a cacert for Anywhere Access, the certificate is coming up for renewal. I found the following instructions saying that basically you have to generate a new certificate request:
Create a new certificate request (in IIS Manager/Server Certificates) and get your new CAcert certificate.
In IIS Manager/Server Certificates, choose Complete Certificate Request and choose the .CER file you created. That will get the certificate into Server Certificates.
Next, right-click on the new certificate and export it to a .PFX file.
Now you have to choose Settings from the Windows Server 2012 Essentials Dashboard and choose Anywhere Access. Under Domain Name click Set up...
Choose the "Use another domain name or domain name service provider" but enter the same domain name as you are already using. Then choose the manual setup option - this will allow you to import the .PFX file you created above. After it completes the setup it will ask you to run the Repair Anywhere Access option - do so and it should set everything up with the new certificate.
I follow these instructions and all seems ok until that last bit when i import the pfx file into Anywhere Access, i get the following error:
"You can import only trusted SSL certificates. Get a trusted SSL certificate and then import the trusted certificate"
Please can someone help me?
Thanks
Andy
Create a new certificate request (in IIS Manager/Server Certificates) and get your new CAcert certificate.
In IIS Manager/Server Certificates, choose Complete Certificate Request and choose the .CER file you created. That will get the certificate into Server Certificates.
Next, right-click on the new certificate and export it to a .PFX file.
Now you have to choose Settings from the Windows Server 2012 Essentials Dashboard and choose Anywhere Access. Under Domain Name click Set up...
Choose the "Use another domain name or domain name service provider" but enter the same domain name as you are already using. Then choose the manual setup option - this will allow you to import the .PFX file you created above. After it completes the setup it will ask you to run the Repair Anywhere Access option - do so and it should set everything up with the new certificate.
I follow these instructions and all seems ok until that last bit when i import the pfx file into Anywhere Access, i get the following error:
"You can import only trusted SSL certificates. Get a trusted SSL certificate and then import the trusted certificate"
Please can someone help me?
Thanks
Andy
SSL / HTTPSWindows Server 2012
Last Comment
activateahsd
ASKER
Hi Jo,
The Cacert root certificate is intsalled on the server and looks right and the actual certificate if you double click on it in 'Manage Computer Certificates' on the Server 2012 shows 'The certificate is OK' in the certification path section.
Is that what you mean by checking the chain?
Thanks
Andy
The Cacert root certificate is intsalled on the server and looks right and the actual certificate if you double click on it in 'Manage Computer Certificates' on the Server 2012 shows 'The certificate is OK' in the certification path section.
Is that what you mean by checking the chain?
Thanks
Andy
Hi,
Yeah, that's what I meant by clicking.
So, to understand completely, this is a renewal and the first installation of the cert was successful?
Yeah, that's what I meant by clicking.
So, to understand completely, this is a renewal and the first installation of the cert was successful?
ASKER
yes thats right, although according to the instructions i found you cant actually do a renewal, you have to do a new certificate request.
Ok,
So, you have created a new request and submitted it to an external CA to sign and they sent back the .cer or .p7b file back to you?
So, you have created a new request and submitted it to an external CA to sign and they sent back the .cer or .p7b file back to you?
ASKER
hi, yes
i copied the -----BEGIN NEW CERTIFICATE REQUEST----- blah blah blah ---------END NEW CERTIFICATE REQUEST----- into a text file, renamed to a .cer and imported as per the instructions. Thats fine, its the secondry import into Anywhere Access that it comes up with the error...
i copied the -----BEGIN NEW CERTIFICATE REQUEST----- blah blah blah ---------END NEW CERTIFICATE REQUEST----- into a text file, renamed to a .cer and imported as per the instructions. Thats fine, its the secondry import into Anywhere Access that it comes up with the error...
Sorry for my ignorance, but if I understand correctly, you didn't have this cert signed by a CA, did you?
You created the request, and saved the txt file as a .cer and imported it?
That won't work at all. You have 1 of 2 choices.
1. Create the request and submit to a 3rd party CA, such as Thawte, Digicert,etc. They will sign this certificate for you and send back the "answer" file which you will need to complete the certificate request.
2. If you have a local CA in your organization, you can use this CA to sign your cert and then complete the request.
I would suggest checking out the old cert and see who signed that specific cert and go with that CA to sign the new cert.
Thanks,
Jo
You created the request, and saved the txt file as a .cer and imported it?
That won't work at all. You have 1 of 2 choices.
1. Create the request and submit to a 3rd party CA, such as Thawte, Digicert,etc. They will sign this certificate for you and send back the "answer" file which you will need to complete the certificate request.
2. If you have a local CA in your organization, you can use this CA to sign your cert and then complete the request.
I would suggest checking out the old cert and see who signed that specific cert and go with that CA to sign the new cert.
Thanks,
Jo
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Wow! A restart solved it. Weird, but glad it's sorted! :)
Cheers,
Jo
Cheers,
Jo
Just for my own clarity, did you get the cert signed by a local or 3rd party CA?
ASKER
it was generated by cacert (http://www.cacert.org/)
ASKER
I wasnt advised that a restart would help by anyone else so I think I need to accept my own solution in this case?
Sounds like the CA or Sub-CA changed\was not part of the chain anymore.
Have you tried to import this cert into your laptop's store and double click on it to check the certificate chain?
Cheers,
Jo