Small Business Server Support Forum    
Subject: ISA 2004 & SSL certificates

Paul Smith (Tadley UK), 7/21/2008 10:09 AM
I have asked a variation on this question in Remote Working to not much effect. I would like to try a different version of the same question.
 
ISA had a fit and had to be re-installed from scratch.
 
This went well and functionality has been restored. However my Direct Push functionality has stopped working. I tracked this down to the fact that ISA 2004 can no longer see my purchased SSL certificate. It is no longer selectable from an ISA defined "Web Listener". On checking IIS my certificate is not present there either.
 
I have been through the steps I carried out before to get the whole setup working. Through trying a number of ways to get the certificate recognised by ISA I have these results (none of which allow it to work BTW):
 
1) Using MMC Certificate Manager I can see my SSL Cert in Personal, but it's not selectable under 'Replace my certificate' dialog. However if I delete it and re-import it using MMC I can then see it under IIS. ISA 2004 cannot see it at all (I have rebooted to no avail)
2) Generating a 'Renew Request' will not import the 'old' SSL certificate as it says 'It has already been imported to another server'.
3) I have refreshed the Trust and Intermediate certificates - Still can't see the SSL in ISA
4) IIS seems unable to import my previous valid 3rd Party generated SSL certificate.
 
After pretty much every SSL change I have rebooted the server ...
 
My questions therefore are these:
Why can ISA not see an SSL certificate when IIS can?
By a process of elimination, I think that the only way to get this to work is to generate and purchase an entirely new SSL certificate, is this correct?
 
thanks
Paul

robert pearman (United Kingdom), 7/21/2008 10:43 AM
hi paul,

just confirm you are looking at the personal 'computer' store.

also, are you 100% you have the private key for the cert - this will be in the form of a .pfx file not a .cer

ISA requires the private key to have the cert installed on a web listener.

Paul Smith (Tadley UK), 7/21/2008 10:49 AM
Hi Robert
Ok yes I am looking into the Personal Computer Store on the SBS Server (for Computer Account).

As regards the private Key, this I am less certain about. What I got from Comodo (InstantSSL) were 3 *.crt files. I do not seem to have a private key PFX file. Nor do I recall having one before. It's most likely that this is my problem.

So.... how do I get/create one? given what I have....

Thanks
Paul

robert pearman (United Kingdom), 7/21/2008 11:20 AM
well this is where i am a little less than certain as well - if i remember correctly - when you request the certificate you generate a .CSR file, this is what you submit to the CA. they then reply with a CRT. This installs the cert on the website - you can then export the cert using the normal export wizard, and you should then have the option to export the private key as well, you can then save this as a PFX - which you can then reimport into the computers personal certificate store. Then that should make it selectable for your ISA web listener.......

Fingers crossed anyway!

Paul Smith (Tadley UK), 7/21/2008 11:37 AM
The Crossed fingers are appreciated....

But I [think] I have discovered that I am stuck in the mud, up a creek and my paddle has been stolen by Turtles.

Since you set me off down this track I think I have determined the following:
When you create a request (the CSR you refer to) it seems that SBS/IIS also at the same time generates a Key (& the CSR) that remains in "pending" status until you import the new certificate.

However it seems that what has happened in my case is that the Removal of ISA has also removed the public key. I have looked in the system registry but can't figure which bit of the SystemCertificates tree would contain my missing key.

I may be wrong but.... my guess is that whatever I do I can never import the 'old' SSL cert without a previously exported PFK file, because the unique key generated at that time will never match that of a new request.

I think that at this point my only option is to go back to Comodo and see if they will allow me to re-issue the whole thing. In effect I need to start again. If I had explicitly Exported my Private/Public Key when I first installed the SSL Cert then I could indeed do what you are talking about. 20-20 Hindsight....

I might be wrong in my surmise, but I fear not. Any other thoughts before I throw myself on their mercy?

Paul

robert pearman (United Kingdom), 7/21/2008 12:02 PM
maybe one....

do you still have the cert that was installed on iis before the isa meltdown - you may be able to re-export the cert using the wizard.

so let's say you had a backup of the certificate - we would install this back onto the default website.

Then go into the 'view certificate' option. Then to the details tab, and click copy to file.

This should start the export wizard, and as i said may give you the option of exporting the private key as well.

I would try that before going back to comodo.

Paul Smith (Tadley UK), 7/21/2008 12:15 PM
Although I have the original Certificate (as well as the one that was re-sent) I seem to not have the ability to import it and be able to export it (with Key again). I have tried importing my 'new' and my 'old' SSL's both react the same.
 
I am pretty sure that I can't get round this. I found this on the Comodo Website:
 
I have accidentally deleted or lost my Private Key
Solution:
First check your backups and see if you can re-install the "private key".
If you don't know how to re-install the key from your backups, then contact your systems administrator.
Failing that, contact your web server software vendor for technical support.
The only alternative course of action available is a re-issuance of the certificate following the re-submitting of a replacement CSR.

To re-submit a CSR please submit a ticket at http://support.comodo.com include the CSR, order number and reason for re-issue.
 
-----
I could restore a copy of the registry and wade through it, but I am not at all confident about finding all the parts I need. I think I will have to go through this process again.
 
Thanks for your help. I will let you know how I get on...
 
Paul

Paul Smith (Tadley UK), 7/21/2008 12:26 PM
Yep just found this too...
-----------------------------------------------------------
To save your private key:
Go to: Certificates snap-in in the MMC
Select Requests
Select All tasks
Select Export
We recommend that you make a note of your password and backup your key as these are known only to you, so if you lose them we can't help! A floppy diskette or other removable media is recommended for your backup files.

Related Articles: https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=824
------------------------------------------------------------
All in all a cautionary tale ... oops!

Paul

Paul Smith (Tadley UK), 7/21/2008 06:38 PM
OK just to let you know it's all working now.

I spoke to Comodo TS:
1) I had to Remove my existing certificate in IIS,
2) Emailed support with my new CSR.
3) As advised I also Exported the Request Key too.
4) Installed [Imported] the returned SSL.

They did this Free of Charge, my certificate has the same expiry date that it did before i.e. Nov 2009.

This means that ISA can now see the new certificate from the Web Listeners.

I have now saved my SSL Certs as PFK's thus in theory ensuring that I don't have to repeat this [painful] process.

Cheers,
Paul
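
Added example, not part of the original thread: a PowerShell check for the two points the discussion turns on, namely whether each certificate in the computer account's Personal store actually has its private key, and a PFX backup of those that do. The backup folder `C:\CertBackup` is a hypothetical path, and the script assumes it is run elevated on a server that has PowerShell installed.

```powershell
# Added example (not from the thread). $BackupDir is a hypothetical location.
param(
    [string]$BackupDir = 'C:\CertBackup'
)

$pfxType  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
$password = Read-Host -AsSecureString 'Password to protect the PFX backups'

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# Cert:\LocalMachine\My is the Personal store of the computer account,
# the store the thread says to check.
foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {

    if (-not $cert.HasPrivateKey) {
        # Certificate only (e.g. imported from a .crt/.cer): per the thread,
        # ISA needs the private key before a web listener can use the cert.
        Write-Warning "No private key: $($cert.Subject) [$($cert.Thumbprint)]"
        continue
    }

    try {
        # Export() throws if the key was not marked exportable when it was
        # generated or imported.
        $bytes = $cert.Export($pfxType, $password)
        $path  = Join-Path $BackupDir "$($cert.Thumbprint).pfx"
        [System.IO.File]::WriteAllBytes($path, $bytes)
        Write-Output "Backed up: $($cert.Subject) -> $path"
    }
    catch {
        Write-Warning "Key present but not exportable: $($cert.Subject) [$($cert.Thumbprint)]"
    }
}
```

The resulting .pfx files contain private keys, so move them to removable or offline storage and keep the password separately.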