Possible SSL Issue

  • From: "Clark, Nick" <nickc@xxxxxxxxxx>
  • To: "ISAList" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 31 Jan 2005 10:48:56 -0600

We are working on implementing SSL for our OWA server but are having problems, and
so far nothing online has been able to point us in the right direction.
We are getting access internally when we use https://mailservername/exchange but
when we use the internet name https://www.domain.biz/exchange we end up with the
error "500 Internal Server Error - The certificate chain was issued by an
untrusted authority. (-2146893019)".  In order to keep the peace and current OWA
traffic going, we are not forcing a secure channel for the Exchange folders in
IIS.  With that said, the browser error now states "500 Internal Server Error -
The target principal name is incorrect. (-2146893022)".  Don't know if that
means anything for now but I wanted to add it for troubleshooting purposes if it
did mean something.  We don't see this error when secure channels are
established on the Exch virtual folders in IIS.
 
We are using the server name as the Issuer and www.domain.biz as the common name
(issued to) when generating our certificate.  Originally I set it up backwards
because I misread the instructions/how-to, but later recreated it to correct that.
Incidentally, we still see the old certificate out there and, although we've
deleted it, somehow it still sees it.  Is that an issue?
 
When viewing the certificate on the ISA Server we look at the Certification Path
and notice that our Issuer is stated as "OK" but the exported certificate (pfx)
states that it "cannot be verified up to a trusted certification authority".  We
look at our certmgr.msc and see everything where it's supposed to be (or thought
to be).
 
On our ISA Server is the following:
Personal-Certificates: I see the exported certificate.
Trusted Root Certification Authority-Certificates: I see the new and old CA,
also see the exported certificate.
 
I ran certutil on our Win2k3/Exch 2k3 server on both certificates and the CA
didn't seem to report anything wrong; although there's a lot of cryptic
information that's beyond me, overall it didn't appear troubling.  I then ran
it on our exported cert and got back the following:
 
C:\>certutil -verify -urlfetch c:\exchsvr.pfx
LoadCert(Cert) returned ASN1 unexpected end of data. 0x80093102 (ASN: 258)
CertUtil: -verify command FAILED: 0x80093102 (ASN: 258)
CertUtil: ASN1 unexpected end of data.
 
Earlier I was in fear of a DNS issue and tried setting up a split-DNS, but with no
luck.  Not that split-DNS didn't work; I think I wasn't doing it right, since my
DNS knowledge/setup is only basic and primarily done internally.  There is no
reference to our extranet domain in our internal DNS.  I can't worry about that
until I figure out what happened to my Cert Server.  Can anyone help guide me to
a solution with this?  If you need more info then just ask.  I'm not sure how
much more to give but am willing to indulge those who need it.
 
Thank you, 
 
Nick Clark
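An added example, not part of Nick's post or of any Microsoft tooling: a small
pure-Python inspector for the two checks his errors turn on.  It tells a bare
DER certificate apart from a PKCS#12 (.pfx) container by ASN.1 shape (certutil
-verify expects the former, which is consistent with the "ASN1 unexpected end of
data" result on the .pfx), pulls the issuer CN, subject CN and subjectAltName
dNSNames out of a certificate, and applies the browser's name rule to the host in
the URL, which is what "The target principal name is incorrect" is about.  The
sample certificate and PFX bytes are constructed inline with placeholder key and
signature so the script runs offline; the names mailservername and
www.domain.biz are taken from the post as illustrative values.  Chain trust (the
"untrusted authority" error) depends on the issuer's certificate being in the
client's trusted roots and is not modelled here.

```python
"""Inspect DER X.509 / PKCS#12 bytes and check the certificate name against a URL host.
Standard library only.  SAMPLE_CERT and SAMPLE_PFX below are CONSTRUCTED for this
example (zero-length key and signature); real DER .cer files parse the same way."""

OID_CN = b"\x55\x04\x03"        # 2.5.4.3   id-at-commonName
OID_SAN = b"\x55\x1d\x11"       # 2.5.29.17 subjectAltName
TAG_SEQ, TAG_SET, TAG_INT, TAG_OID, TAG_OCTET = 0x30, 0x31, 0x02, 0x06, 0x04
TAG_CTX0, TAG_CTX3, TAG_DNSNAME = 0xA0, 0xA3, 0x82   # [0] version, [3] extensions, [2] dNSName


def read_tlv(buf, pos=0):
    """Read one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("ASN.1 unexpected end of data")
    return tag, buf[pos:pos + length], pos + length


def children(body):
    """Split the value of a constructed type into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def classify(der):
    """Bare certificate or PKCS#12 container, decided by the first element of the outer SEQUENCE."""
    tag, body, _ = read_tlv(der)
    if tag != TAG_SEQ:
        return "unknown"
    first_tag, first_val = children(body)[0]
    if first_tag == TAG_INT and first_val == b"\x03":
        return "pkcs12-pfx"                 # PFX ::= SEQUENCE { version INTEGER(3), authSafe, ... }
    if first_tag == TAG_SEQ:
        return "x509-certificate"           # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    return "unknown"


def name_cn(name_body):
    """commonName of an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    for _, rdn in children(name_body):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)
            if oid == OID_CN:
                return value.decode("latin-1")
    return None


def parse_certificate(der):
    """Issuer CN, subject CN and SAN dNSNames of a DER certificate."""
    if classify(der) != "x509-certificate":
        raise ValueError("not a bare X.509 certificate: " + classify(der))
    _, cert_body, _ = read_tlv(der)
    _, tbs = children(cert_body)[0]
    fields = children(tbs)
    if fields[0][0] == TAG_CTX0:            # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, [1], [2], [3]
    issuer, subject, san = fields[2][1], fields[4][1], []
    for tag, ext_list in fields[6:]:
        if tag != TAG_CTX3:
            continue
        for _, ext in children(children(ext_list)[0][1]):
            parts = children(ext)           # OID, optional BOOLEAN critical, OCTET STRING extnValue
            if parts[0][1] == OID_SAN:
                _, general_names, _ = read_tlv(parts[-1][1])
                san = [v.decode("ascii") for t, v in children(general_names) if t == TAG_DNSNAME]
    return {"issuer_cn": name_cn(issuer), "subject_cn": name_cn(subject), "san_dns": san}


def hostname_matches(info, hostname):
    """Browser rule: SAN dNSNames when present, else subject CN; single-label wildcards only."""
    host = hostname.lower()
    names = info["san_dns"] or ([info["subject_cn"]] if info["subject_cn"] else [])
    for n in (x.lower() for x in names):
        if n == host or (n.startswith("*.") and host.count(".") == n.count(".") and host.endswith(n[1:])):
            return True
    return False


def diagnose(der, url_host):
    """One-line verdict for the host the user typed into the browser."""
    kind = classify(der)
    if kind != "x509-certificate":
        return f"{kind}: not a certificate, export the .cer (DER) and check that instead"
    info = parse_certificate(der)
    if hostname_matches(info, url_host):
        return f"name OK: {url_host} is covered by the certificate"
    return f"name mismatch: URL host {url_host} not in {info['san_dns'] or [info['subject_cn']]}"


def tlv(tag, body):
    """DER-encode one element (short and long definite lengths)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_name(cn):
    return tlv(TAG_SEQ, tlv(TAG_SET, tlv(TAG_SEQ, tlv(TAG_OID, OID_CN) + tlv(0x13, cn.encode()))))


def build_sample_cert(issuer_cn, subject_cn, san_dns):
    """CONSTRUCTED certificate-shaped DER with placeholder key and signature (never trusted by anything)."""
    alg = tlv(TAG_SEQ, tlv(TAG_OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05, b""))  # sha256WithRSA
    validity = tlv(TAG_SEQ, tlv(0x17, b"050131000000Z") + tlv(0x17, b"060131000000Z"))
    spki = tlv(TAG_SEQ, alg + tlv(0x03, b"\x00"))
    ext = tlv(TAG_SEQ, tlv(TAG_OID, OID_SAN) + tlv(TAG_OCTET, tlv(TAG_SEQ, b"".join(tlv(TAG_DNSNAME, n.encode()) for n in san_dns))))
    exts = tlv(TAG_CTX3, tlv(TAG_SEQ, ext)) if san_dns else b""
    tbs = tlv(TAG_SEQ, tlv(TAG_CTX0, tlv(TAG_INT, b"\x02")) + tlv(TAG_INT, b"\x01") + alg
              + build_name(issuer_cn) + validity + build_name(subject_cn) + spki + exts)
    return tlv(TAG_SEQ, tbs + alg + tlv(0x03, b"\x00"))


# Constructed PFX-shaped bytes (version 3, then a ContentInfo): what certutil -verify choked on.
SAMPLE_PFX = tlv(TAG_SEQ, tlv(TAG_INT, b"\x03") + tlv(TAG_SEQ, tlv(TAG_OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")))
# Constructed certificate: issuer = internal server name, subject CN = external name, no SAN.
SAMPLE_CERT = build_sample_cert("mailservername", "www.domain.biz", [])

if __name__ == "__main__":
    for blob, host in [(SAMPLE_PFX, "www.domain.biz"), (SAMPLE_CERT, "www.domain.biz"), (SAMPLE_CERT, "mailservername")]:
        print(diagnose(blob, host))
```

Run it against a real file with `diagnose(open("exchsvr.cer", "rb").read(), "www.domain.biz")`.
A certificate with only CN=www.domain.biz passes for the external URL and fails
for https://mailservername/, so serving both names cleanly needs a SAN that lists
both; the truncated-data check in read_tlv reproduces the kind of failure certutil
reports when handed bytes that are not a complete element.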
