[isalist] Re: Server 2008 Cert request

  • From: "Peter J. Persing" <Peter@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 25 Nov 2008 08:05:54 -0700

http://www.ISAserver.org
-------------------------------------------------------

Thanks Bill,

That worked perfectly, but only with a single name. Now I need to figure
out how to do it with a san certificate. Unfortunately, kb931351
explains how to do it with a Server 2003 CA, and in fact spells out the
exact procedure I was trying to use when I ran into the "Private key
handle error" on ISA. It's really strange that the cert snapin says the
cert is ok, installed properly, and I have a key for the certificate.
Everything looks great, but ISA says "Private key handle error". 

If anyone knows how to export a san certificate with the key from a
server 2008 CA I sure would like some tips. Incidentally, I am working
with an Enterprise CA here.

Pete

On the desert in New Mexico


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of William T. Holmes
Sent: Monday, November 24, 2008 11:01 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Server 2008 Cert request

Hello,

Here are the steps that I use.

1. Start the Internet Information Server Manager.
2. Click on the Hostname Home Page in the IIS Manager.
3. In the IIS Section Click on Server Certificates.
4. In the action pane click on Create Server Request.
5. Fill out the Form and complete the wizard. Don't close the IIS
manager.
6. Submit the request to your CA using the web server template.
7. Download the signed certificate.
8. In the Action Pane select the complete certificate request.
9. Select the certificate you just downloaded and Assign the certificate
a name.

At this point you have a certificate installed on the IIS machine. Now
you need to export this certificate so you can transfer it to your ISA
server.

1. Start an MMC console.
2. Add the certificates snap-in to the MMC. When prompted select the
computer and then local computer. This connects you to the local
computer's certificate store.
3. Expand the personal store/certificates
4. Right Click on the certificate you just created and select export.
5. Select the export private key radio button.
6. Complete the wizard.

From here you can transfer the exported Cert to the ISA server and then
import it onto the ISA Computer's Certificate Store.

Unlike IIS6, IIS7 certificates are not automatically associated with a
Virtual Server. You select the certificate you want for a website when
setting up the Virtual Server bindings. You can go through the first
series of steps as many times as you need. You may also want to take a
look at  http://support.microsoft.com/kb/931351. This covers how to
create SAN certificates. Although this covers LDAP certificates the same
procedure works with the Web Server Templates.

You need ISA 2006 SP1 to use SAN certificates. 

Bill


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Peter J. Persing
Sent: Monday, November 24, 2008 6:39 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Server 2008 Cert request

Thanks for your reply Jim,

The reason I was running this on the ISAServer was that when I attempt
to run the request on the Certificate Server the minute I select the web
server template it marks the keys non-exportable. This approach worked
in Server 2003.

Pete

On the desert in New Mexico


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Monday, November 24, 2008 4:01 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Server 2008 Cert request

No catch-22; you're trying to shortcut the process.
Go to the cert request page, build a web server cert and allow the cert
to be imported (should go to local machine store).
Once you complete this, you should be able to export the cert with the
private key to a pfx file.
It's this file that you want to carry to the ISA and import into the
local machine store.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Peter J. Persing
Sent: Monday, November 24, 2008 1:19 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Server 2008 Cert request

Hi Tom,

I have a Windows Server 2008 Certificate Server running in a domain. I
have ISAServer 2006 running on a domain member. I need to issue a new
cert for the web listener but I can't get-r-done. When I bring up the
web enrollment page I can type in all the data but (of course) I can't
save the request to a file. So I go through the web submission and it
returns the page "Install Certificate", but no option to say where,
local computer or current User. So with the only option to punch the
button I do that and the cert winds up in the current User store. It
looks ok, has the key, so I move it to the local machine store. When I
go into the listener to select the certificate, and after I uncheck
"only show valid certificates" it shows the certificate error "Private
key handle error". Now as I recall the solution for this error was to
use the certificate snap-in to import it from a file again, but of
course we don't have a file anymore (Catch 22). I re-issued the cert;
same thing. Any suggestions?

As an aside, I read your series "Publishing Exchange 2007 OWA, Exchange
ActiveSync and RPC/HTTP using the 2006 ISA Firewall" a while back and by
the time I was half way through I was laughing so hard the tears were
running down my face. Your observations on "Power Hell" broke me up!! I
am hoping that MSFT has seen the light and will be correcting some of
those issues in rollup 4 if it ever gets straightened out enough to
apply.

Pete

On the desert in New Mexico
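
A check that can be run on the ISA computer after the export and import steps described in this thread. This is an added example, not part of the original messages: it lists certificates in the local computer's Personal store and reports whether each private key can be opened, whether it lives in the machine key store, and which SAN entries the certificate carries. The subject filter value is a constructed placeholder, and the script assumes a CSP-backed RSA key.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# $SubjectFilter is a constructed placeholder; set it to part of your cert's subject.
$SubjectFilter = 'mail.example.com'

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    foreach ($cert in $store.Certificates) {
        if ($cert.Subject -notlike "*$SubjectFilter*") { continue }

        # Subject Alternative Name extension (OID 2.5.29.17), if the cert has one
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

        $keyState   = 'no private key associated with this certificate'
        $machineKey = $null
        $exportable = $null
        if ($cert.HasPrivateKey) {
            try {
                # Opening the key fails if the container cannot be reached from
                # this context, e.g. the key was created in a user profile.
                $info       = $cert.PrivateKey.CspKeyContainerInfo
                $machineKey = $info.MachineKeyStore
                $exportable = $info.Exportable
                $keyState   = 'private key opened'
            } catch {
                $keyState = "private key not accessible: $($_.Exception.Message)"
            }
        }

        New-Object PSObject -Property @{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            SAN             = $san
            KeyState        = $keyState
            MachineKeyStore = $machineKey   # $false: key is in a user key store
            Exportable      = $exportable
        } | Format-List
    }
} finally {
    $store.Close()
}
```

A certificate that was enrolled into the Current User store and then moved to the local machine store typically shows `MachineKeyStore : False` or a key that cannot be opened, while one imported from a .pfx file into the local computer store shows `True`.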


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx 

