Jump to content

How to install 3rd party SSL domain ceritificate on local servers

Guest Library Sysadmin

By Guest Library Sysadmin
in Windows 2003 Server

 Share

Recommended Posts

Guest Library Sysadmin

Guest Library Sysadmin

Posted
Posted

Windows 2003 R2 servers. Domain name is in a form such as mydomain.local

We have Certificate Authority installed on a server and have been issuing

self-signed certificates for a few services, such as OWA.

 

Our web site is outsourced to a web hosting company. Registered domain is

in a form such as mycompany.org. They have purchased a 3rd party domain

certificate for use with the site.

 

I want to install the domain certificate for use with a couple of services,

such as Exchange 2007 services and VPNs. The web hosting company sent me two

files, domain.crt and domain.key.

 

Being a domain certificate, I guess I thought it would just be a certificate

I could import on the various servers that was valid for any server name or

type of service. I didn't think this would work, but I tried setting up a

test web site and imported this .crt certificate (not sure what to do with

the .key file). The site can't be accessed on the secure port.

 

I've searched the web for some kind of documentation on how to use these 3rd

party certifcates, but have only managed to confuse myself even more about

what the .crt and .key files are and how to use them.

 

Is there a method of using the 3rd party domain certificates with the local

ones at the same time? How do you import the 3rd party domain .crt and .key

files with IIS 6, Exchange 2007 or VPNs?

 

Any help would be appreciated.

TIA

 

Rick

  • Replies 7
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Anthony [MVP]

Guest Anthony [MVP]

Posted
Posted

Re: How to install 3rd party SSL domain ceritificate on local servers

 

You will need to use IIS to generate a certificate request on your server;

then send that request to the CA (like Verisign or Thawte). They will send

you a certificate that you will save back in IIS. For example:

https://www.thawte.com/ssl-digital-certificates/technical-support/ssl/iis6.html#faq1

 

You might ask the web hosting company what keys they have sent you, but it

sounds like it may be a misunderstanding. The key for the web site will be

different from the key you use for your own server(s),

Anthony,

http://www.airdesk.co.uk

 

 

 

"Library Sysadmin" <LibrarySysadmin@discussions.microsoft.com> wrote in

message news:1B2BAC81-1DED-43A5-A9D2-CDFF5B77D21A@microsoft.com...

> Windows 2003 R2 servers. Domain name is in a form such as mydomain.local

> We have Certificate Authority installed on a server and have been issuing

> self-signed certificates for a few services, such as OWA.

>

> Our web site is outsourced to a web hosting company. Registered domain is

> in a form such as mycompany.org. They have purchased a 3rd party domain

> certificate for use with the site.

>

> I want to install the domain certificate for use with a couple of

> services,

> such as Exchange 2007 services and VPNs. The web hosting company sent me

> two

> files, domain.crt and domain.key.

>

> Being a domain certificate, I guess I thought it would just be a

> certificate

> I could import on the various servers that was valid for any server name

> or

> type of service. I didn't think this would work, but I tried setting up a

> test web site and imported this .crt certificate (not sure what to do with

> the .key file). The site can't be accessed on the secure port.

>

> I've searched the web for some kind of documentation on how to use these

> 3rd

> party certifcates, but have only managed to confuse myself even more about

> what the .crt and .key files are and how to use them.

>

> Is there a method of using the 3rd party domain certificates with the

> local

> ones at the same time? How do you import the 3rd party domain .crt and

> .key

> files with IIS 6, Exchange 2007 or VPNs?

>

> Any help would be appreciated.

> TIA

>

> Rick

Guest Library Sysadmin

Guest Library Sysadmin

Posted
Posted

Re: How to install 3rd party SSL domain ceritificate on local serv

 

Re: How to install 3rd party SSL domain ceritificate on local serv

 

Anthony,

 

Thanks for the response.

The web hosting company purchased the certificate from Thawte and provided

us with the certificate(s?) that came as .crt and .key files.

 

However, I cannot load the .crt file anywhere on our servers and get it to

work, nor do I find anything relating to the .key file and what to do with

it. I've tried following Thawte and MS support on this link:

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/5d0fb4c2-3333-4fec-82fc-6e15d3733937.mspx?mfr=true

 

These procedures fail on the first step, as I cannot install the certificate

in response to a request, nor can I assign it and get it to function.

 

Rick

 

"Anthony [MVP]" wrote:

> You will need to use IIS to generate a certificate request on your server;

> then send that request to the CA (like Verisign or Thawte). They will send

> you a certificate that you will save back in IIS. For example:

> https://www.thawte.com/ssl-digital-certificates/technical-support/ssl/iis6.html#faq1

>

> You might ask the web hosting company what keys they have sent you, but it

> sounds like it may be a misunderstanding. The key for the web site will be

> different from the key you use for your own server(s),

> Anthony,

> http://www.airdesk.co.uk

>

Guest Anthony [MVP]

Guest Anthony [MVP]

Posted
Posted

Re: How to install 3rd party SSL domain ceritificate on local serv

 

Re: How to install 3rd party SSL domain ceritificate on local serv

 

The basic process for what you want to do is that you need to generate a

certificate request on your server and send it to Thawte. The web hosting

company are not involved except perhaps as a reseller.

Assuming that they are reselling you a Thawte certificate, you should

probably ask them what they have done and what you are supposed to so with

it. It is possible that this is OK. You can import the private key and then

use the .crt file: http://www.digicert.com/wildcard-export-import.htm

But you should ask them what they have done. None of this is necessary if

you generate a request and obtain a certificate from Thawte yourself,

Anthony,

http://www.airdesk.com

 

 

 

"Library Sysadmin" <LibrarySysadmin@discussions.microsoft.com> wrote in

message news:B43E00E0-1990-47A2-B460-2139C97BFF53@microsoft.com...

> Anthony,

>

> Thanks for the response.

> The web hosting company purchased the certificate from Thawte and provided

> us with the certificate(s?) that came as .crt and .key files.

>

> However, I cannot load the .crt file anywhere on our servers and get it to

> work, nor do I find anything relating to the .key file and what to do with

> it. I've tried following Thawte and MS support on this link:

> http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/5d0fb4c2-3333-4fec-82fc-6e15d3733937.mspx?mfr=true

>

> These procedures fail on the first step, as I cannot install the

> certificate

> in response to a request, nor can I assign it and get it to function.

>

> Rick

>

> "Anthony [MVP]" wrote:

>

>> You will need to use IIS to generate a certificate request on your

>> server;

>> then send that request to the CA (like Verisign or Thawte). They will

>> send

>> you a certificate that you will save back in IIS. For example:

>> https://www.thawte.com/ssl-digital-certificates/technical-support/ssl/iis6.html#faq1

>>

>> You might ask the web hosting company what keys they have sent you, but

>> it

>> sounds like it may be a misunderstanding. The key for the web site will

>> be

>> different from the key you use for your own server(s),

>> Anthony,

>> http://www.airdesk.co.uk

>>

>

Guest Larry Heimendinger

Guest Larry Heimendinger

Posted
Posted

Re: How to install 3rd party SSL domain ceritificate on local serv

 

Re: How to install 3rd party SSL domain ceritificate on local serv

 

For IIS use, the certificate has to be installed on the virtual directory.

You can use IIS manager to do this. On the virtual directory you want to use

with the certificate, open properties then directory security and click the

server certificate button which will start the wizard. Choose the import

option and point to your certificate.

 

Once it is imported, view the certificate to see if the trust goes all the

way to the issuer. If it doesn't you will probably have to install the

certificate intermediate files on the server as well. You may also have to

install the certificate in the personal certificates.

 

Start MMC then add certificates using local account for the server computer

and expand personal. If you see a personal certificates folder, see if the

certificate is installed. If not, import it. If there is no sub folder,

just import it and the subfolder will be created.

 

Check for intermediate and trusted issuers by expanding those folders. You

may have to grab another set of files from the issuer for intermediate

trusting.

 

Once that is all done, you should be set for the web stuff. Make sure your

exchange virtual directories are part of the directory that got the

certificate, such as default web site. Realize that it will apply to the

whole directory structure.

 

For VPN and remote access, you should be able to select the certificate once

it is properly installed on the machine. For example, if you are using ISA,

adding the certificate to the listener is done by clicking on certificate and

seeing it appear in the list.

 

Hope this helps.

Guest Library Sysadmin

Guest Library Sysadmin

Posted
Posted

Re: How to install 3rd party SSL domain ceritificate on local serv

 

Re: How to install 3rd party SSL domain ceritificate on local serv

 

Anthony,

 

This would be considered the "reseller" situation, I believe, and I do have

an inquiry open to the web hosting company. However, even if I had sent the

request to Thawte myself, wouldn't the .crt and .key files be the same ones

they returend to me (as opposed to being sent to the web hosting company)?

 

If so, I'm left at my original question. How do I install these?

 

The procedures I've read in the Technet or MS articles, or have been posted

in repsonses, are the very ones that do not work with these files. The

domain (or wildcard) certificates are not recogized by the IIS process as

being valid in response to a certificate request. When just performing an

"existing certificate assignment", they are loaded but secure connection fail

to these sites, or Exchange or VPNs.

 

Rick

 

"Anthony [MVP]" wrote:

> The basic process for what you want to do is that you need to generate a

> certificate request on your server and send it to Thawte. The web hosting

> company are not involved except perhaps as a reseller.

> Assuming that they are reselling you a Thawte certificate, you should

> probably ask them what they have done and what you are supposed to so with

> it. It is possible that this is OK. You can import the private key and then

> use the .crt file: http://www.digicert.com/wildcard-export-import.htm

> But you should ask them what they have done. None of this is necessary if

> you generate a request and obtain a certificate from Thawte yourself,

> Anthony,

> http://www.airdesk.com

>

>

>

> "Library Sysadmin" <LibrarySysadmin@discussions.microsoft.com> wrote in

> message news:B43E00E0-1990-47A2-B460-2139C97BFF53@microsoft.com...

> > Anthony,

> >

> > Thanks for the response.

> > The web hosting company purchased the certificate from Thawte and provided

> > us with the certificate(s?) that came as .crt and .key files.

> >

> > However, I cannot load the .crt file anywhere on our servers and get it to

> > work, nor do I find anything relating to the .key file and what to do with

> > it. I've tried following Thawte and MS support on this link:

> > http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/5d0fb4c2-3333-4fec-82fc-6e15d3733937.mspx?mfr=true

> >

> > These procedures fail on the first step, as I cannot install the

> > certificate

> > in response to a request, nor can I assign it and get it to function.

> >

> > Rick

> >

> > "Anthony [MVP]" wrote:

> >

> >> You will need to use IIS to generate a certificate request on your

> >> server;

> >> then send that request to the CA (like Verisign or Thawte). They will

> >> send

> >> you a certificate that you will save back in IIS. For example:

> >> https://www.thawte.com/ssl-digital-certificates/technical-support/ssl/iis6.html#faq1

> >>

> >> You might ask the web hosting company what keys they have sent you, but

> >> it

> >> sounds like it may be a misunderstanding. The key for the web site will

> >> be

> >> different from the key you use for your own server(s),

> >> Anthony,

> >> http://www.airdesk.co.uk

> >>

> >

>

>

>

Guest Anthony [MVP]

Guest Anthony [MVP]

Posted
Posted

Re: How to install 3rd party SSL domain ceritificate on local serv

 

Re: How to install 3rd party SSL domain ceritificate on local serv

 

Rick,

If you had generated the request in IIS, you would get back a block of text

from the CA that you save as a single .cer file. Then in IIS you would just

browse to the .cer file to match it up with the request. The .cer has to

match up with the key generated by the request. Even going through a

reseller, you generate a request, give them the .csr, then receive a .cer

(or a block of text to save as a .cer file).

It sounds to me as though the web hosting company have generated an Apache

key pair for you. This process gives you a .key (RSA private key) file and a

..crt (certificate) file. You need to resolve this with the hosting company,

Anthony,

http://www.airdesk.co.uk

 

 

"Library Sysadmin" <LibrarySysadmin@discussions.microsoft.com> wrote in

message news:DAA52B3C-EEDC-43AB-B18E-03C3C87CAE7B@microsoft.com...

> Anthony,

>

> This would be considered the "reseller" situation, I believe, and I do

> have

> an inquiry open to the web hosting company. However, even if I had sent

> the

> request to Thawte myself, wouldn't the .crt and .key files be the same

> ones

> they returend to me (as opposed to being sent to the web hosting company)?

>

> If so, I'm left at my original question. How do I install these?

>

> The procedures I've read in the Technet or MS articles, or have been

> posted

> in repsonses, are the very ones that do not work with these files. The

> domain (or wildcard) certificates are not recogized by the IIS process as

> being valid in response to a certificate request. When just performing an

> "existing certificate assignment", they are loaded but secure connection

> fail

> to these sites, or Exchange or VPNs.

>

> Rick

>

> "Anthony [MVP]" wrote:

>

>> The basic process for what you want to do is that you need to generate a

>> certificate request on your server and send it to Thawte. The web hosting

>> company are not involved except perhaps as a reseller.

>> Assuming that they are reselling you a Thawte certificate, you should

>> probably ask them what they have done and what you are supposed to so

>> with

>> it. It is possible that this is OK. You can import the private key and

>> then

>> use the .crt file: http://www.digicert.com/wildcard-export-import.htm

>> But you should ask them what they have done. None of this is necessary if

>> you generate a request and obtain a certificate from Thawte yourself,

>> Anthony,

>> http://www.airdesk.com

>>

>>

>>

>> "Library Sysadmin" <LibrarySysadmin@discussions.microsoft.com> wrote in

>> message news:B43E00E0-1990-47A2-B460-2139C97BFF53@microsoft.com...

>> > Anthony,

>> >

>> > Thanks for the response.

>> > The web hosting company purchased the certificate from Thawte and

>> > provided

>> > us with the certificate(s?) that came as .crt and .key files.

>> >

>> > However, I cannot load the .crt file anywhere on our servers and get it

>> > to

>> > work, nor do I find anything relating to the .key file and what to do

>> > with

>> > it. I've tried following Thawte and MS support on this link:

>> > http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/5d0fb4c2-3333-4fec-82fc-6e15d3733937.mspx?mfr=true

>> >

>> > These procedures fail on the first step, as I cannot install the

>> > certificate

>> > in response to a request, nor can I assign it and get it to function.

>> >

>> > Rick

>> >

>> > "Anthony [MVP]" wrote:

>> >

>> >> You will need to use IIS to generate a certificate request on your

>> >> server;

>> >> then send that request to the CA (like Verisign or Thawte). They will

>> >> send

>> >> you a certificate that you will save back in IIS. For example:

>> >> https://www.thawte.com/ssl-digital-certificates/technical-support/ssl/iis6.html#faq1

>> >>

>> >> You might ask the web hosting company what keys they have sent you,

>> >> but

>> >> it

>> >> sounds like it may be a misunderstanding. The key for the web site

>> >> will

>> >> be

>> >> different from the key you use for your own server(s),

>> >> Anthony,

>> >> http://www.airdesk.co.uk

>> >>

>> >

>>

>>

>>

Guest Library Sysadmin

Guest Library Sysadmin

Posted
Posted

Re: How to install 3rd party SSL domain ceritificate on local serv

 

Re: How to install 3rd party SSL domain ceritificate on local serv

 

Larry,

 

Thanks for the response.

> For IIS use, the certificate has to be installed on the virtual directory.

> You can use IIS manager to do this. On the virtual directory you want to use

> with the certificate, open properties then directory security and click the

> server certificate button which will start the wizard. Choose the import

> option and point to your certificate.

>

 

I cannot create a new request and install the domain certificate. I get

this message: The pending certificate request for this response file was not

found. This request may be canceled. You cannot install selected response

certificate using this Wizard.

 

If I try to use the Assign existing certificate method, after importing it

and setting the site to use this cert, IE will not render the page when using

the secure socket.

> Once it is imported, view the certificate to see if the trust goes all the

> way to the issuer. If it doesn't you will probably have to install the

> certificate intermediate files on the server as well. You may also have to

> install the certificate in the personal certificates.

>

> Start MMC then add certificates using local account for the server computer

> and expand personal. If you see a personal certificates folder, see if the

> certificate is installed. If not, import it. If there is no sub folder,

> just import it and the subfolder will be created.

>

 

With the certificate imported to the server in both the Personal and Trusted

3rd Party Certificates stores, I open the Certificates MMC. It displays the

issuer as Thawte, so this should be correct.

> Check for intermediate and trusted issuers by expanding those folders. You

> may have to grab another set of files from the issuer for intermediate

> trusting.

>

 

Still in MMC, the .crt file does import successfully into the Intermediate

CA Certificates store.

> Once that is all done, you should be set for the web stuff. Make sure your

> exchange virtual directories are part of the directory that got the

> certificate, such as default web site. Realize that it will apply to the

> whole directory structure.

>

 

Set up the web site using the Assign existing certificate method and it does

not render the page in a browser on the secure port. (443)

> For VPN and remote access, you should be able to select the certificate once

> it is properly installed on the machine. For example, if you are using ISA,

> adding the certificate to the listener is done by clicking on certificate and

> seeing it appear in the list.

>

> Hope this helps.

 Share
Go to topic listing
×
×
  • Create New...