Guest Library Sysadmin Posted July 26, 2008
How to install 3rd party SSL domain certificate on local servers

Windows 2003 R2 servers. Domain name is in a form such as mydomain.local. We have Certificate Authority installed on a server and have been issuing self-signed certificates for a few services, such as OWA.

Our web site is outsourced to a web hosting company. Registered domain is in a form such as mycompany.org. They have purchased a 3rd party domain certificate for use with the site.

I want to install the domain certificate for use with a couple of services, such as Exchange 2007 services and VPNs. The web hosting company sent me two files, domain.crt and domain.key.

Being a domain certificate, I guess I thought it would just be a certificate I could import on the various servers that was valid for any server name or type of service. I didn't think this would work, but I tried setting up a test web site and imported this .crt certificate (not sure what to do with the .key file). The site can't be accessed on the secure port.

I've searched the web for some kind of documentation on how to use these 3rd party certificates, but have only managed to confuse myself even more about what the .crt and .key files are and how to use them.

Is there a method of using the 3rd party domain certificates with the local ones at the same time? How do you import the 3rd party domain .crt and .key files with IIS 6, Exchange 2007 or VPNs?

Any help would be appreciated.
TIA

Rick
Guest Anthony [MVP] Posted July 27, 2008
Re: How to install 3rd party SSL domain certificate on local servers

You will need to use IIS to generate a certificate request on your server; then send that request to the CA (like Verisign or Thawte). They will send you a certificate that you will save back in IIS. For example: https://www.thawte.com/ssl-digital-certificates/technical-support/ssl/iis6.html#faq1

You might ask the web hosting company what keys they have sent you, but it sounds like it may be a misunderstanding. The key for the web site will be different from the key you use for your own server(s).

Anthony,
http://www.airdesk.co.uk
Guest Library Sysadmin Posted July 27, 2008
Re: How to install 3rd party SSL domain certificate on local servers

Anthony,

Thanks for the response. The web hosting company purchased the certificate from Thawte and provided us with the certificate(s?) that came as .crt and .key files.

However, I cannot load the .crt file anywhere on our servers and get it to work, nor do I find anything relating to the .key file and what to do with it. I've tried following Thawte and MS support on this link: http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/5d0fb4c2-3333-4fec-82fc-6e15d3733937.mspx?mfr=true

These procedures fail on the first step, as I cannot install the certificate in response to a request, nor can I assign it and get it to function.

Rick
Guest Anthony [MVP] Posted July 27, 2008
Re: How to install 3rd party SSL domain certificate on local servers

The basic process for what you want to do is that you need to generate a certificate request on your server and send it to Thawte. The web hosting company are not involved except perhaps as a reseller.

Assuming that they are reselling you a Thawte certificate, you should probably ask them what they have done and what you are supposed to do with it. It is possible that this is OK. You can import the private key and then use the .crt file: http://www.digicert.com/wildcard-export-import.htm

But you should ask them what they have done. None of this is necessary if you generate a request and obtain a certificate from Thawte yourself.

Anthony,
http://www.airdesk.com
Guest Larry Heimendinger Posted July 28, 2008
Re: How to install 3rd party SSL domain certificate on local servers

For IIS use, the certificate has to be installed on the virtual directory. You can use IIS manager to do this. On the virtual directory you want to use with the certificate, open properties, then directory security, and click the server certificate button, which will start the wizard. Choose the import option and point to your certificate.

Once it is imported, view the certificate to see if the trust goes all the way to the issuer. If it doesn't, you will probably have to install the certificate intermediate files on the server as well. You may also have to install the certificate in the personal certificates.

Start MMC, then add certificates using the local account for the server computer, and expand personal. If you see a personal certificates folder, see if the certificate is installed. If not, import it. If there is no subfolder, just import it and the subfolder will be created.

Check for intermediate and trusted issuers by expanding those folders. You may have to grab another set of files from the issuer for intermediate trusting.

Once that is all done, you should be set for the web stuff. Make sure your Exchange virtual directories are part of the directory that got the certificate, such as default web site. Realize that it will apply to the whole directory structure.

For VPN and remote access, you should be able to select the certificate once it is properly installed on the machine. For example, if you are using ISA, adding the certificate to the listener is done by clicking on certificate and seeing it appear in the list.

Hope this helps.
Guest Library Sysadmin Posted July 28, 2008
Re: How to install 3rd party SSL domain certificate on local servers

Anthony,

This would be considered the "reseller" situation, I believe, and I do have an inquiry open to the web hosting company. However, even if I had sent the request to Thawte myself, wouldn't the .crt and .key files be the same ones they returned to me (as opposed to being sent to the web hosting company)?

If so, I'm left at my original question. How do I install these?

The procedures I've read in the Technet or MS articles, or that have been posted in responses, are the very ones that do not work with these files. The domain (or wildcard) certificates are not recognized by the IIS process as being valid in response to a certificate request. When just performing an "existing certificate assignment", they are loaded but secure connections fail to these sites, or Exchange or VPNs.

Rick
Guest Anthony [MVP] Posted July 28, 2008
Re: How to install 3rd party SSL domain certificate on local servers

Rick,

If you had generated the request in IIS, you would get back a block of text from the CA that you save as a single .cer file. Then in IIS you would just browse to the .cer file to match it up with the request. The .cer has to match up with the key generated by the request. Even going through a reseller, you generate a request, give them the .csr, then receive a .cer (or a block of text to save as a .cer file).

It sounds to me as though the web hosting company have generated an Apache key pair for you. This process gives you a .key (RSA private key) file and a .crt (certificate) file. You need to resolve this with the hosting company.

Anthony,
http://www.airdesk.co.uk
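Anthony's diagnosis above is that domain.key and domain.crt are an Apache-style key pair rather than a response to an IIS request, which is why the IIS wizard finds no pending request to match. As an added example (not from this thread or from any of its participants), the POSIX shell script below uses OpenSSL to check that a .key really is the private half of its .crt and then bundles the pair into a PKCS#12 (.pfx) file, the form in which the IIS 6 certificate wizard or the Certificates MMC can import a certificate together with its private key. The file names, the export password and the self-signed test pair are constructed stand-ins, not the files from the thread.

```shell
#!/bin/sh
# Constructed stand-in for the hosting company's domain.key / domain.crt:
# an Apache-style RSA private key plus its PEM certificate (hypothetical names).
set -e
WORK=$(mktemp -d)
KEY="$WORK/domain.key"
CRT="$WORK/domain.crt"
PFX="$WORK/domain.pfx"

openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CRT" \
  -days 30 -subj "/CN=*.mycompany.org" >/dev/null 2>&1

# SHA-256 of the public key carried in a certificate or derived from a private
# key, so the two can be compared directly.
pubkey_fp() {  # $1 = cert|key, $2 = PEM path
  if [ "$1" = cert ]; then
    openssl x509 -in "$2" -noout -pubkey
  else
    openssl pkey -in "$2" -pubout
  fi | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when the .key is the private half of the .crt. A mismatch is
# one reason a site can load a certificate yet refuse every connection on 443.
key_matches_cert() {  # $1 = key path, $2 = cert path
  [ "$(pubkey_fp key "$1")" = "$(pubkey_fp cert "$2")" ]
}

# Wrap key + certificate into one password-protected PKCS#12 (.pfx) file,
# the container Windows expects when a certificate arrives with its own key.
bundle_pfx() {  # $1 = key, $2 = cert, $3 = output .pfx, $4 = export password
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
    -name "mycompany.org domain certificate" -passout "pass:$4"
}

# Number of certificates inside a .pfx; confirms the bundle actually carries
# the certificate (add -certfile with the CA's intermediate PEM to include the chain).
pfx_cert_count() {  # $1 = .pfx path, $2 = password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}

key_matches_cert "$KEY" "$CRT" && echo "key and certificate match"
bundle_pfx "$KEY" "$CRT" "$PFX" "Constructed-Export-Pass"
echo "certificates in bundle: $(pfx_cert_count "$PFX" Constructed-Export-Pass)"
```

If the match check fails, the .key was not generated with the .crt and no amount of importing will make the site answer on the secure port; that is the question to put to the hosting company.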
Guest Library Sysadmin Posted July 28, 2008
Re: How to install 3rd party SSL domain certificate on local servers

Larry,

Thanks for the response.

> For IIS use, the certificate has to be installed on the virtual directory.
> You can use IIS manager to do this. On the virtual directory you want to use
> with the certificate, open properties then directory security and click the
> server certificate button which will start the wizard. Choose the import
> option and point to your certificate.

I cannot create a new request and install the domain certificate. I get this message:

The pending certificate request for this response file was not found. This request may be canceled. You cannot install selected response certificate using this Wizard.

If I try to use the Assign existing certificate method, after importing it and setting the site to use this cert, IE will not render the page when using the secure socket.

> Once it is imported, view the certificate to see if the trust goes all the
> way to the issuer. If it doesn't you will probably have to install the
> certificate intermediate files on the server as well. You may also have to
> install the certificate in the personal certificates.
>
> Start MMC then add certificates using local account for the server computer
> and expand personal. If you see a personal certificates folder, see if the
> certificate is installed. If not, import it. If there is no sub folder,
> just import it and the subfolder will be created.

With the certificate imported to the server in both the Personal and Trusted 3rd Party Certificates stores, I open the Certificates MMC. It displays the issuer as Thawte, so this should be correct.

> Check for intermediate and trusted issuers by expanding those folders. You
> may have to grab another set of files from the issuer for intermediate
> trusting.

Still in MMC, the .crt file does import successfully into the Intermediate CA Certificates store.

> Once that is all done, you should be set for the web stuff. Make sure your
> exchange virtual directories are part of the directory that got the
> certificate, such as default web site. Realize that it will apply to the
> whole directory structure.

Set up the web site using the Assign existing certificate method and it does not render the page in a browser on the secure port (443).

> For VPN and remote access, you should be able to select the certificate once
> it is properly installed on the machine. For example, if you are using ISA,
> adding the certificate to the listener is done by clicking on certificate and
> seeing it appear in the list.
>
> Hope this helps.