[isalist] Re: Server 2008 Cert request

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 25 Nov 2008 06:38:37 -0800

http://www.ISAserver.org
-------------------------------------------------------

One minor clarification:
You need ISA 2006 SP1 to use SAN certificates *at the published server*.
You can use SAN certs at ISA web listeners just fine (assuming the 1d10t client 
app can consume them).

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of William T. Holmes
Sent: Monday, November 24, 2008 10:01 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Server 2008 Cert request

Hello,

Here are the steps that I use.

1. Start the Internet Information Server Manager.
2. Click on the Hostname Home Page in the IIS Manager.
3. In the IIS Section Click on Server Certificates.
4. In the action pane click on Create Server Request.
5. Fill out the Form and complete the wizard. Don't close the IIS manager.
6. Submit the request to your CA using the web server template.
7. Download the signed certificate.
8. In the Action Pane select the complete certificate request.
9. Select the certificate you just downloaded and Assign the certificate a name.

At this point you have a certificate installed on the IIS machine. Now you need 
to export this certificate so you can transfer it to your ISA server.

1. Start an MMC console.
2. Add the certificates snap-in to the MMC. When prompted select the computer 
   and then local computer. This connects you to the local computer's 
   certificate store.
3. Expand the personal store/certificates
4. Right Click on the certificate you just created and select export.
5. Select the export private key radio button.
6. Complete the wizard.

From here you can transfer the exported Cert to the ISA server and then import 
it onto the ISA Computer's Certificate Store.

Unlike IIS6, IIS7 certificates are not automatically associated with a Virtual 
Server. You select the certificate you want for a website when setting up the 
Virtual Server bindings. You can go through the first series of steps as many 
times as you need. You may also want to take a look at 
http://support.microsoft.com/kb/931351. This covers how to create SAN 
certificates. Although this covers LDAP certificates the same procedure works 
with the Web Server Templates.

You need ISA 2006 SP1 to use SAN certificates. 

Bill


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Peter J. Persing
Sent: Monday, November 24, 2008 6:39 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Server 2008 Cert request

Thanks for your reply Jim,

The reason I was running this on the ISAServer was that when I attempt
to run the request on the Certificate Server the minute I select the web
server template it marks the keys non-exportable. This approach worked
in Server 2003.

Pete

On the desert in New Mexico


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Monday, November 24, 2008 4:01 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Server 2008 Cert request

No catch-22; you're trying to shortcut the process.
Go to the cert request page, build a web server cert and allow the cert
to be imported (should go to local machine store).
Once you complete this, you should be able to export the cert with the
private key to a pfx file.
It's this file that you want to carry to the ISA and import into the
local machine store.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Peter J. Persing
Sent: Monday, November 24, 2008 1:19 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Server 2008 Cert request

Hi Tom,

I have a Windows Server 2008 Certificate Server running in a domain. I
have ISAServer 2006 running on a domain member. I need to issue a new
cert for the web listener but I can't get-r-done. When I bring up the
web enrollment page I can type in all the data but (of course) I can't
save the request to a file. So I go through the web submission and it
returns the page "Install Certificate", but no option to say where,
local computer or current User. So with the only option to punch the
button I do that and the cert winds up in the current User store. It
looks ok, has the key, so I move it to the local machine store. When I
go into the listener to select the certificate, and after I uncheck
"only show valid certificates" it shows the certificate error "Private
key handle error". Now as I recall the solution for this error was to
use the certificate snap-in to import it from a file again, but of
course we don't have a file anymore (Catch 22). I re-issued the cert;
same thing. Any suggestions?

As an aside, I read your series "Publishing Exchange 2007 OWA, Exchange
ActiveSync and RPC/HTTP using the 2006 ISA Firewall" a while back and by
the time I was half way through I was laughing so hard the tears were
running down my face. Your observations on "Power Hell" broke me up!! I
am hoping that MSFT has seen the light and will be correcting some of
those issues in rollup 4 if it ever gets straightened out enough to
apply.

Pete

On the desert in New Mexico
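
The request, export and import sequence discussed in this thread, done with certreq and certutil so that the key pair is created in the local computer store and marked exportable from the start. This is an added example, not part of any poster's message; the host name, the C:\certs path and the CA config string are placeholders.

```powershell
# Added example; owa.example.com, C:\certs and CA-HOST\CA-NAME are placeholders.
$dir = 'C:\certs'
New-Item -ItemType Directory -Force -Path $dir | Out-Null

# Request policy file.
#   MachineKeySet = TRUE  -> key pair is created in the local computer store,
#                            not the current user store
#   Exportable    = TRUE  -> the private key may later be exported to a PFX
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=owa.example.com"
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
Exportable = TRUE
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = WebServer
'@ | Set-Content -Path "$dir\request.inf" -Encoding ASCII

# 1. Generate the key pair and the PKCS#10 request on this machine.
certreq -new "$dir\request.inf" "$dir\request.req"

# 2. Submit the request to the CA and save the issued certificate.
certreq -submit -config 'CA-HOST\CA-NAME' "$dir\request.req" "$dir\issued.cer"

# 3. Install the issued certificate; this binds it to the pending private key.
certreq -accept "$dir\issued.cer"

# 4. Check the result in the local computer "My" store before exporting.
#    The dump should report a key container and a passing encryption test.
certutil -store My 'owa.example.com'

# 5. Export certificate plus private key. With no -p option certutil prompts
#    for the PFX password, which keeps it off the command line.
certutil -exportPFX My 'owa.example.com' "$dir\owa.pfx"

# 6. On the ISA server (plain certutil, works from cmd.exe as well):
#    import into the local computer store; certutil prompts for the password.
certutil -importPFX "$dir\owa.pfx"
```

The PFX file holds the private key, so remove it from both machines and from any transfer media once the import has been verified.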


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx 

