SSL Certificates & Exchange 2010

Chimune

Original Poster:

3,181 posts

223 months

Friday 19th September 2014
Ran out of beer. Now on the 15yo Laphroaig in the Edin crystal - all in honour of today's events!

Chimune

Original Poster:

3,181 posts

223 months

Monday 22nd September 2014
Right, I just had another crack at this and I'm stuck again!

I started from scratch this morning. Deleted the old keys and csr etc. Went to SSLTools Manager, generated a new CSR and saved the corresponding priv key into a txt file. Sent CSR to Xilo, received the email back with the new data.

1. I save the PEM data into notepad (including the ----begin / ----end bits) and save it as 'cert pem.cer'

2. I can see 1 pending cert request inside SSLTools. This must be looking at the priv key that was generated when I created the CSR. So I go to 'complete pending request' and it asks for a file, so I point it at 'cert pem.cer'. Error - 'cannot complete pending request'.

3. OK, so I try with the PKCS7 data. Copy it out of the email into notepad, save as 'cert pksc7.cer' and try to complete. Error - 'please use a valid certificate'.

Losing the will to live again...

andy-xr

13,204 posts

204 months

Monday 22nd September 2014
Pay for Support?

theboss

6,917 posts

219 months

Monday 22nd September 2014
Taking the original PEM one you had in notepad, try adding a single trailing line break after the line -----END CERTIFICATE-----

Also try double clicking the file in Windows as I mentioned - see if it opens and you can read its properties.

Chimune

Original Poster:

3,181 posts

223 months

Monday 22nd September 2014
I've asked for a quote for them to do it for me. I don't know if they will though.

I added a single CR to the end of the file and tried again, but no joy.
If I double click the pem.cer it opens fine in notepad...

anonymous-user

54 months

Monday 22nd September 2014
Seems to me this is being made far more complicated than it should be.

Generate your CSR via the exchange management console.

There's no need to use any third party tools. Send your CSR off, get your info back.

fk the PEM cert off, use the PKCS7.

Split your file into 3 certificates (including the begin / end tags and all the hyphens):

1) Your domain/wildcard SSL (from section Signed Certificate (PKCS7 Format)) - call it <domain>.cer
2) Your intermediate certificate (from section Bundle Certificate (Intermediate)) - call it intermediate.cer
3) Root certificate (from section Root Certificate (CA)) - call it root.cer

Open MMC, add the certificate snap in for the COMPUTER (local computer), not the user.
Import root.cer into Trusted Root Certification Authorities.
Import intermediate.cer into Intermediate Certification Authorities.

Open exchange management console, go to server configuration and complete your request using <domain>.cer.
Allocate it for whatever use you require.

Job, should be, a good'un.
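As an added example (not code from the thread or from any of the tools mentioned), this POSIX shell script does the splitting step from the post above mechanically: it normalises line endings, writes each BEGIN/END block (markers and all five hyphens included) to its own file, and checks that every piece is well-formed, including the trailing line break that theboss suggested adding. The bundle it works on is a constructed sample with placeholder bodies, not real certificates, so the optional OpenSSL subject/issuer listing only produces useful output on a real bundle. The file names cert1.cer to cert3.cer are the script's own; rename them domain.cer, intermediate.cer and root.cer once the subject/issuer check says which is which (the root is self-issued, the leaf carries the domain name, the remaining one is the intermediate).

```shell
#!/bin/sh
# Added example: split a pasted certificate bundle into one file per
# certificate and sanity-check each piece before importing it.
set -eu

WORK=$(mktemp -d)

# Constructed sample input (placeholder bodies, NOT real certificates), pasted
# with Windows line endings and a stray trailing space, the way an email
# client tends to deliver it.  Section headings mimic the CA's email.
printf '%s\r\n' \
  'Signed Certificate (PKCS7 Format)' \
  '-----BEGIN CERTIFICATE-----' \
  'MIIDleafLEAFleafLEAFleafLEAFleafLEAFleafLEAFleafLEAFleafLEAF' \
  '-----END CERTIFICATE----- ' \
  'Bundle Certificate (Intermediate)' \
  '-----BEGIN CERTIFICATE-----' \
  'MIIDintINTERMEDIATEintINTERMEDIATEintINTERMEDIATEintINTERMED' \
  '-----END CERTIFICATE-----' \
  'Root Certificate (CA)' \
  '-----BEGIN CERTIFICATE-----' \
  'MIIDrootROOTrootROOTrootROOTrootROOTrootROOTrootROOTrootROOT' \
  '-----END CERTIFICATE-----' > "$WORK/bundle.txt"

# Drop carriage returns and trailing whitespace so the markers are exact, then
# write each certificate (markers included) to $2/certN.cer.  Prints the
# number of certificates found; text outside BEGIN/END blocks is discarded.
split_bundle() {  # $1 = bundle file, $2 = output directory
  mkdir -p "$2"
  tr -d '\r' < "$1" | sed 's/[[:space:]]*$//' | awk -v dir="$2" '
    /^-----BEGIN CERTIFICATE-----$/ { n++; out = sprintf("%s/cert%d.cer", dir, n); inblock = 1 }
    inblock { print > out }
    /^-----END CERTIFICATE-----$/  { close(out); inblock = 0 }
    END { print n + 0 }
  '
}

# A piece is well-formed when its first line is the BEGIN marker, its last
# line is the END marker, and the file ends with a newline (command
# substitution strips a trailing newline, so an empty result means it is there).
check_piece() {  # $1 = certificate file; status 0 when well-formed
  [ "$(head -n 1 "$1")" = '-----BEGIN CERTIFICATE-----' ] || return 1
  [ "$(tail -n 1 "$1")" = '-----END CERTIFICATE-----' ] || return 1
  [ -z "$(tail -c 1 "$1")" ] || return 1
}

# On a real bundle, show who issued each piece so the files can be renamed
# to domain/intermediate/root before importing into the Windows stores.
describe_pieces() {  # $1 = directory holding certN.cer files
  for f in "$1"/cert*.cer; do
    echo "== $f"
    openssl x509 -in "$f" -noout -subject -issuer 2>/dev/null \
      || echo "   (not parseable as X.509: the sample bodies are placeholders)"
  done
}

count=$(split_bundle "$WORK/bundle.txt" "$WORK/out")
echo "certificates found: $count"
for f in "$WORK"/out/cert*.cer; do
  check_piece "$f" && echo "well-formed: $f"
done
if command -v openssl >/dev/null 2>&1; then
  describe_pieces "$WORK/out"
fi
```

Run it as `sh split_bundle.sh`; replace the constructed `bundle.txt` with the text copied from the CA's email and the three files land in the output directory, ready for the MMC import described above.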

gaz1234

5,233 posts

219 months

Monday 22nd September 2014
GoDaddy

Chimune

Original Poster:

3,181 posts

223 months

Tuesday 23rd September 2014
Nyphur said:
Seems to me this is being made far more complicated than it should be.

Generate your CSR via the exchange management console.

There's no need to use any third party tools. Send your CSR off, get your info back.

As described in the OP, Exchange 2010 wildcard CSR creation makes the CN: *.domain.com. Xilo can't accept the '*' in the CN. So I can't use the MS wizard.

If I had used any other CA reseller, I presume it would be as simple as you suggest.

theboss

6,917 posts

219 months

Tuesday 23rd September 2014
I'd be inclined to bin and use a proper CA as it sounds as though you are being fobbed off. A request for a wildcard certificate should be based on a name of *.domain irrespective of whether you use IIS, Exchange Management console, your SSL Toolbox thingee, OpenSSL or anything else to generate the CSR. If the CA's system won't accept such a request, and they can't/won't help in any way, scrap and move on. I do this all the time and with the methods/instructions provided to you, this should have taken all of 5 minutes.

Edited by theboss on Tuesday 23 September 09:51

anonymous-user

54 months

Tuesday 23rd September 2014
Chimune said:
As described in the OP, Exchange 2010 wildcard CSR creation makes the CN: *.domain.com. Xilo can't accept the '*' in the CN. So I can't use the MS wizard.

If I had used any other CA reseller, I presume it would be as simple as you suggest.

Then you haven't got a wildcard SSL.
As above cut your losses and stump up with GoDaddy

anonymous-user

54 months

Tuesday 23rd September 2014
In fact, follow my steps above and try to complete the CSR using your third party tool instead of EMC.

I see no reason why you shouldn't expect that to work (remember, don't use PEM). If that still fails, GoDaddy

Chimune

Original Poster:

3,181 posts

223 months

Tuesday 23rd September 2014
Nyphur said:
In fact, follow my steps above and try to complete the CSR using your third party tool instead of EMC.

I see no reason why you shouldn't expect that to work (remember, don't use PEM). If that still fails, GoDaddy

I'm cracking on at it again now using this:
www.trustico.co.uk/ssltools/convert/pem-to-pkcs12/...

to merge the cert, intermediate and priv keys. Looks ok so far.

Now I need to figure out how I import the PKCS12 file into Exchange 2010, and after that how I use Exch Shell to import, complete and assign the services, or if something will appear in the Man Console.

Chimune

Original Poster:

3,181 posts

223 months

Tuesday 23rd September 2014
Looks like just using the GUI > import cert worked OK (except the cert has no name in the console!). Assigned services to it OK too. ...

theboss

6,917 posts

219 months

Tuesday 23rd September 2014
Chimune said:
Looks like just using the GUI > import cert worked OK (except the cert has no name in the console!). Assigned services to it OK too. ...

Sounds promising... can you point a browser at the HTTPS listener?

You can add a friendly name and re-export as PFX / re-import -
http://rickardrobin.wordpress.com/2012/12/05/speci...

If you do this:
when exporting, include the private key and all the certificates in the certificate path.
when importing, mark as exportable

Chimune

Original Poster:

3,181 posts

223 months

Tuesday 23rd September 2014
Pointing a browser at the HTTPS listener results in an IIS8 holding page which I have never seen before, but no cert warning, so that's progress!
Am going to export / backup and re-import the key as per your link too.

I am slightly uneasy about having posted my priv key into a web page (even if it's run by a CA). Is this OK?

theboss

6,917 posts

219 months

Tuesday 23rd September 2014
Chimune said:
Pointing a browser at the HTTPS listener results in an IIS8 holding page which I have never seen before, but no cert warning, so that's progress!
Am going to export / backup and re-import the key as per your link too.

I am slightly uneasy about having posted my priv key into a web page (even if it's run by a CA). Is this OK?

You should safeguard the private key - so you are right to be concerned about having pasted it into a third party website - but the probability of this coming to bite you is low. Trustico are a reseller of certificates, not a signing authority themselves (AFAIK).

If you are concerned about this, you'll have to create a new CSR / private key pair and repeat the process without using the third party. If you do, try using OpenSSL as the commands to generate a CSR and perform PEM+key to PKCS#12 conversion are well documented online.

anonymous-user

54 months

Tuesday 23rd September 2014
Chimune said:
I'm cracking on at it again now using this:
www.trustico.co.uk/ssltools/convert/pem-to-pkcs12/...

to merge the cert, intermediate and priv keys. Looks ok so far.

Now I need to figure out how I import the PKCS12 file into Exchange 2010, and after that how I use Exch Shell to import, complete and assign the services, or if something will appear in the Man Console.

You do like making things complicated for yourself, don't you? hehe

Glad it seems to be sorted....

Chimune

Original Poster:

3,181 posts

223 months

Wednesday 24th September 2014
Nyphur said:
You do like making things complicated for yourself, don't you? hehe

Yes, but I saved £3 on the support costs! (hehe)

...and learnt a lot about OpenSSL, SSL cert types, Exchange PowerShell & why everyone uses GoDaddy!

thanks to you both Nyphur and theboss for your help.

cornet

1,469 posts

158 months

Wednesday 24th September 2014
We use Xilo for all our certs without any issues.

Just use openssl to create the wildcard CSR with "CN=*.domain.com" and it's accepted by Xilo fine.


I'd be interested to see the output of

openssl req -in exhanges_csr_request.csr -noout -text
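theboss suggests doing the CSR generation and the PEM-plus-key to PKCS#12 conversion locally with OpenSSL instead of pasting the private key into a website, and cornet asks to see the decoded CSR. The POSIX shell script below is an added example and is not code from the thread or from any of the tools or CAs mentioned. It assumes the placeholder name *.example.com, a made-up PKCS#12 password, and, because no CA is involved offline, a self-signed certificate from the same CSR standing in for the CA-issued one (in real use the issued .cer and the intermediate bundle from the CA take its place). The -keypbe/-certpbe/-macalg flags pin the older SHA1/3DES encoding: the AES/PBKDF2 default that OpenSSL 3 uses for .pfx files is not readable by Windows Server 2008 R2-era hosts, which is the platform Exchange 2010 usually sits on.

```shell
#!/bin/sh
# Added example: wildcard CSR, decoded-CSR check and local PKCS#12 bundling
# with OpenSSL, so the private key never leaves the machine.
set -eu

WORK=$(mktemp -d)

# OpenSSL request config.  CN is the wildcard (placeholder domain) and the SAN
# carries both the wildcard and the bare apex name, which browsers check.
write_req_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
CN = *.example.com
O  = Example Ltd
C  = GB

[ v3_req ]
subjectAltName = DNS:*.example.com, DNS:example.com
EOF
}

# Generate the private key and CSR locally; lock the key file down at once.
make_wildcard_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/wildcard.key" -out "$WORK/wildcard.csr" \
    -config "$WORK/req.cnf" 2>/dev/null
  chmod 600 "$WORK/wildcard.key"
}

# The check cornet asked for: decode the CSR and return its subject line, so
# the CN can be confirmed before anything is sent to the CA (use -text
# instead of -subject to see the whole request, SAN included).
csr_subject() {
  openssl req -in "$WORK/wildcard.csr" -noout -subject
}

# Stand-in for the CA-issued certificate: a self-signed cert from the same
# CSR, so the script runs offline.  Replace with the CA's .cer in real use.
fake_issued_cert() {
  openssl x509 -req -in "$WORK/wildcard.csr" -signkey "$WORK/wildcard.key" \
    -days 1 -out "$WORK/wildcard.cer" 2>/dev/null
}

# Bundle key + issued cert (+ optional intermediate chain) into a PKCS#12
# file.  The friendly name given here is what shows up in the Exchange
# console; the PBE/MAC flags keep the file readable by older Windows hosts.
make_pfx() {  # $1 = issued cert, $2 = chain file or '', $3 = output .pfx
  pfx_cert=$1; pfx_chain=$2; pfx_out=$3
  set -- -inkey "$WORK/wildcard.key" -in "$pfx_cert"
  [ -n "$pfx_chain" ] && set -- "$@" -certfile "$pfx_chain"
  openssl pkcs12 -export "$@" \
    -name "wildcard example.com" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout pass:changeit -out "$pfx_out"
}

# Status 0 when the .pfx actually carries the private key (a cert-only
# bundle imports fine but cannot serve TLS).
pfx_has_key() {  # $1 = .pfx file
  openssl pkcs12 -in "$1" -passin pass:changeit -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

if command -v openssl >/dev/null 2>&1; then
  write_req_config
  make_wildcard_csr
  echo "CSR subject: $(csr_subject)"
  fake_issued_cert
  make_pfx "$WORK/wildcard.cer" "" "$WORK/wildcard.pfx"
  pfx_has_key "$WORK/wildcard.pfx" && echo "PKCS#12 with key written to $WORK/wildcard.pfx"
fi
```

The resulting .pfx is what the Exchange import expects; the password is the one given to `-passout`, and the `-name` value is the friendly name that was missing from the console in the post above.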

Chimune

Original Poster:

3,181 posts

223 months

Wednesday 24th September 2014
Cool - a Xilo user!
So have you ever created the CSR with the Exchange wizard? Or just OpenSSL?
After all, that (plus the lack of support documentation for such a common process) is my main beef with them.

Edited by Chimune on Wednesday 24th September 15:46