Welcome to ISAserver.org


Cannot see certificate in web listener

Cannot see certificate in web listener - 2.Aug.2006 6:12:01 PM   
mdennis

 

Posts: 5
Joined: 23.Sep.2002
Status: offline
Hi Guys

I am running ISA 2004 Std Ed. on Windows 2003 Server (SP1, fully patched) and have run into a problem. I am trying to add a new certificate to my published OWA website, more like to the web listener I am using to publish my OWA site. I have imported the site cert successfully and can see the certificate on my ISA server in the Personal folder under certificates and I have also imported the CA root cert to my Trusted Cert folder. My issue is that when I go to change my web listener or try and create a new web listener and select the certificate, I cannot see the certificate that I have already imported and confirmed by viewing the certificate. My old certificate that I want to replace is the only certificate that is displayed. Has anyone seen this before and if so how did you resolve it? Or has anyone got any thoughts on this matter?

Thanks
Mike
Post #: 1
RE: Cannot see certificate in web listener - 2.Aug.2006 8:19:39 PM   
Mwaters31

 

Posts: 39
Joined: 19.Oct.2005
From: Edmonds, Wa
Status: offline
I remember this happening to me awhile back.  I think either rebooting the ISA or stop/start the services cleared it up for me.

Mike W.

(in reply to mdennis)
Post #: 2
RE: Cannot see certificate in web listener - 2.Aug.2006 9:14:56 PM   
mdennis

 

Posts: 5
Joined: 23.Sep.2002
Status: offline
Thanks Mike, I have already tried rebooting the server without success. That was the first thing that came to my mind too.

(in reply to mdennis)
Post #: 3
RE: Cannot see certificate in web listener - 15.Aug.2006 9:25:51 PM   
rrhodes

 

Posts: 15
Joined: 31.Oct.2003
Status: offline
I am in the same boat as Mike....imported the certificate from a 3rd party, yet cannot see the cert in the cert list when trying to create a web listener.  I have searched my ISA 2004 books and the internet with no luck on finding a solution.  HELP!
Russ

< Message edited by rrhodes -- 15.Aug.2006 9:35:53 PM >

(in reply to mdennis)
Post #: 4
RE: Cannot see certificate in web listener - 17.Aug.2006 12:10:51 AM   
C.Houseman

 

Posts: 29
Joined: 1.May2006
Status: offline
Just had the same trouble today.   Certificate was provided by our webmaster as a .CER file, which seemed to import just fine.   Despite a reboot, it's not available to assign to the listener.

But we can export a certificate from any old IIS server as a .PFX and import that, and it's available for ISA to use just fine.

So tomorrow we're going to see if the webmaster can export the cert to a .PFX file.  The server in question is not IIS.

(in reply to rrhodes)
Post #: 5
RE: Cannot see certificate in web listener - 17.Aug.2006 5:12:01 PM   
rrhodes

 

Posts: 15
Joined: 31.Oct.2003
Status: offline
Over the 5 years that I have used an ISA firewall, I have found this forum to be of little help once a topic has had 1 or 2 replies.  People seem to ignore the posts once replies have been given, despite the outcome of the replies.  I sent a private message to C. Houseman (the poster above this one) and he chastised me for not using the forum to solve the problem.  Despite his rudeness, here I am for another try.

Here is what I have done so far:

I am trying to create a secure web publishing rule to a SonicWall ssl-vpn 2000 device.  The device allows for a certificate request, but since it is not an IIS device, I have no way to export a license, neither can I create an ssl cert with my Certificate Authority server.  So I used the request to purchase a 3rd-party ssl cert.  I have imported it into my ISA server.  Yet when I go to create a web listener, the cert is not in the list to choose from.  Based on my research, ISA prefers certs that have been exported from a web server with a private key.  In my situation, I cannot do that.  So, has anyone else been down this road before?  If so, how did you resolve this problem?
Russ 

(in reply to C.Houseman)
Post #: 6
RE: Cannot see certificate in web listener - 17.Aug.2006 5:56:24 PM   
Venice

 

Posts: 73
Joined: 8.Jul.2005
From: Belgium
Status: offline
Maybe you forgot to export the certificate's private key?

(in reply to C.Houseman)
Post #: 7
RE: Cannot see certificate in web listener - 17.Aug.2006 6:23:19 PM   
C.Houseman

 

Posts: 29
Joined: 1.May2006
Status: offline
There was no exporting involved - just a forwarding of what the webmaster received from the certification authority.

(in reply to Venice)
Post #: 8
RE: Cannot see certificate in web listener - 17.Aug.2006 6:35:52 PM   
rrhodes

 

Posts: 15
Joined: 31.Oct.2003
Status: offline
More research this morning:

I believe the problem is with the fact that we are getting an SSL cert from a 3rd-party and since the cert was not exported with the private key from another web server, ISA is not seeing it when it is imported onto the ISA server.  So the question still remains:  How can one get a 3rd-party SSL Cert from a company like verisign installed onto an ISA 2004 server so that when a web listener is created, the cert shows up in the list to attach to the web listener?  I believe if we can answer this question, we can probably fix this problem.
Russ

(in reply to C.Houseman)
Post #: 9
RE: Cannot see certificate in web listener - 17.Aug.2006 6:51:35 PM   
C.Houseman

 

Posts: 29
Joined: 1.May2006
Status: offline
I haven't tried it yet but I'm guessing, install the cert into any old IIS server and then export it as a .pfx.

(in reply to rrhodes)
Post #: 10
RE: Cannot see certificate in web listener - 17.Aug.2006 7:09:29 PM   
rrhodes

 

Posts: 15
Joined: 31.Oct.2003
Status: offline
Tried...does not work as you cannot choose to export to .pfx.  It is greyed out.  I am guessing that it has something to do with the private key thing.
Russ

(in reply to C.Houseman)
Post #: 11
RE: Cannot see certificate in web listener - 18.Aug.2006 3:01:41 PM   
Venice

 

Posts: 73
Joined: 8.Jul.2005
From: Belgium
Status: offline
.pfx is greyed out for me only if I choose 'NOT' to export the private key in the PREVIOUS window.
I found this article helpful: http://support.microsoft.com/?kbid=324167

(in reply to rrhodes)
Post #: 12
RE: Cannot see certificate in web listener - 23.Aug.2006 3:47:44 PM   
mdennis

 

Posts: 5
Joined: 23.Sep.2002
Status: offline
Hi Guys

Well I have found the solution to my problem. When adding the Certificates snap-in within the MMC console you must select Computer account rather than My user account. This is also the case when importing the certificate, you must select Computer account to add the certificates snap-in otherwise ISA will not recognise the certificate.

Cheers

(in reply to Venice)
Post #: 13
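
The two causes discussed in this thread (a certificate imported under "My user account" instead of "Computer account", and a certificate imported without its private key) can be checked from the ISA server with a short script. This is an added example, not code from any poster; the subject `owa.mydomain.com` is a placeholder and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread). $SubjectLike is a placeholder value.
param([string]$SubjectLike = 'owa.mydomain.com')

function Get-ListenerCertReport {
    param([Parameter(Mandatory)][string]$SubjectLike)

    foreach ($location in 'CurrentUser', 'LocalMachine') {
        # "My" is the store shown as "Personal" in the Certificates snap-in.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $location)
        $store.Open('ReadOnly')
        try {
            foreach ($cert in $store.Certificates) {
                if ($cert.Subject -notlike "*$SubjectLike*") { continue }

                # Collect each reason raised in the thread for a cert not being listed.
                $problems = @()
                if ($location -ne 'LocalMachine') {
                    $problems += 'imported under "My user account", not "Computer account"'
                }
                if (-not $cert.HasPrivateKey) {
                    $problems += 'no private key (e.g. a .cer import, not a .pfx)'
                }

                [pscustomobject]@{
                    Store         = "$location\My"
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey
                    Problems      = if ($problems) { $problems -join '; ' } else { 'none found' }
                }
            }
        }
        finally {
            $store.Close()
        }
    }
}

$report = @(Get-ListenerCertReport -SubjectLike $SubjectLike)
if ($report.Count -eq 0) {
    Write-Warning "No certificate matching '$SubjectLike' in either Personal store."
}
$report | Format-List
```

A certificate whose request was generated on another device will show `HasPrivateKey : False` here, because the key never left that device.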
RE: Cannot see certificate in web listener - 23.Aug.2006 4:10:53 PM   
rrhodes

 

Posts: 15
Joined: 31.Oct.2003
Status: offline
I also found a solution to my dilemma.  You cannot have more than 1 SSL listener on port 443.  For example, I had a listener and certificate for my Outlook Web Access and I was trying to add another for a new device that required SSL.  Therefore, I learned that I needed to add a wildcard ssl certificate to my ISA SSL port 443 listener.  The SSL cert that is on my ISA server is listening for incoming requests with *.mydomain.com, then I put individual SSL certs on the 2 different servers (e.g. vpn.mydomain.com & owa.mydomain.com).  Then I created publishing rules so that ISA could identify which server the request can be forwarded to.

If I have not gone into enough detail in this message, please email me or send a private message through my profile.
Russ

(in reply to mdennis)
Post #: 14
RE: Cannot see certificate in web listener - 1.Sep.2006 7:08:36 PM   
barky81

 

Posts: 15
Joined: 29.Apr.2002
Status: offline
Just checking, but could you not instead have added an additional (virtual) IP address to the external interface? The limitation is one 443 port per IP address, not server related...this requires having more than one public IP address available to append to the same interface, however.

(in reply to rrhodes)
Post #: 15
RE: Cannot see certificate in web listener - 1.Sep.2006 7:25:18 PM   
rrhodes

 

Posts: 15
Joined: 31.Oct.2003
Status: offline
Yes, that is another way to do it.  Good call!  For my situation, I already had the IP address on my external interface registered with my ISP's external DNS servers.  It would have cost me $$ to get that changed.  Instead, I chose the wildcard ssl cert.

Thanks for the idea!!

(in reply to barky81)
Post #: 16
