SSL Certificate/ISA import problem
SSL Certificate/ISA import problem - 12.Apr.2005 9:35:00 PM
dd71
(listed again with more notes)
When I try to add a Microsoft CA certificate to the mail listener rule I get a message that states "There are no certificates configured on this server". I imported both the CA certificate and the FQDN certificate created on my Exchange FE over to the personal certificates folder on the ISA server. I made sure the certificate is in the machine store and not in a user or a certificate store. I've also double checked that when I exported the certificate that I marked "export the private key". I then copied the CA certificate from the personal folder to the trusted root certificate folder on the ISA server. There are no errors showing on the certificate. Does anyone know why the ISA listener rule cannot see the trusted root certificate?
RE: SSL Certificate/ISA import problem - 13.Apr.2005 7:23:00 AM
erickmiller
I remember running into this problem while trying to publish OWA 2003 with forms-based authentication.
I saw a posting by Tom that reminded me of something... I remember seeing somewhere that the location of the certificate on the ISA box doesn't go into the Personal certificates folder.
This is Tom's posting, which I think gives you the right place to put it:
"Just make sure you install the CA certificate on the ISA 2004 firewall in the firewall's Machine certificate store in the Trusted Root Certification Authorities node."
It should then show up in the ISA MMC, only after restarting the MMC.
Hope this helps!
Eric
RE: SSL Certificate/ISA import problem - 13.Apr.2005 11:39:00 AM
RuiFiske
Hi There,
The certificate needs to be in the Personal Directory for the Local Machine set of certificates.
If it is already there, which you seem to suggest it is, then double click it to make sure that you have a private key matching the certificate. On the first page of the certificate, there should be a message indicating that "You have a private key matching this certificate".
If you also have this, then you sometimes need to Export the certificate to a .pfx file, remembering to include the private key, and make it exportable, just so you can move the certificate again if you need to. Then delete the existing certificate and re-import the one you've just exported. It sounds crazy, but it does work. There is even a KB article on it: "ISA Server 2000 cannot access an imported SSL certificate". It says ISA 2000, but it applies equally to 2004.
Don't forget to rate me if this was useful!
RE: SSL Certificate/ISA import problem - 13.Apr.2005 12:35:00 PM
RuiFiske
Sorry, my last post was done in a bit of a hurry. The instructions are valid if you are just trying to pick up your own certificate. As I say, it sounds most likely that you need to export and re-import. That should work.
Reading it again, however, there are some other issues to point out:
1. The CA certificate should, as Eric says, be in the local machine Trusted Root store. This is necessary if the ISA server will be trusting other certificates issued by the same CA, but is good practice anyway.
2. Are users outside your domain, beyond the trust of your CA, going to be accessing the published web site? If so, then you need to rethink your certificate strategy, as they will get a warning saying that they do not trust the certificate.
Good Luck, and don't forget to leave an update of what happened.
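
The store checks discussed in the replies above (certificate in the Local Machine Personal store, matching private key present, issuing CA in the Local Machine Trusted Root store), collected into one script as an added example that is not part of any poster's reply. It assumes PowerShell 3.0 or later is available on the Windows host, and `mail.example.com` is a placeholder for the FQDN on the certificate.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+ in an elevated
# session on the Windows host that holds the listener certificate.
# 'mail.example.com' is a placeholder for the FQDN on the certificate.
param([string]$Fqdn = 'mail.example.com')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# The listener certificate must be in the Local Machine "Personal" (My) store.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$Fqdn*" })

if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with CN=$Fqdn in LocalMachine\My; check it was not imported into a user store."
    return
}

foreach ($cert in $candidates) {
    # An absent EKU extension means the certificate is valid for all purposes.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = (-not $ekuExt) -or
        (@($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid)

    # Build the chain in machine context; revocation is skipped so an
    # unreachable CRL does not hide a store-placement problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $top = @($chain.ChainElements)[-1].Certificate
    $rootInStore = [bool]($top -and (Test-Path ("Cert:\LocalMachine\Root\" + $top.Thumbprint)))

    [pscustomobject]@{
        Thumbprint        = $cert.Thumbprint
        NotAfter          = $cert.NotAfter
        HasPrivateKey     = $cert.HasPrivateKey   # False: export as .pfx with the key and re-import
        ServerAuthEku     = $serverAuth
        ChainBuilds       = $chainOk
        RootInMachineRoot = $rootInStore          # False: import the CA cert into Trusted Root
    }
}
```

A row with every check passing rules out store placement as the cause, which points toward the product's own services or configuration.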
RE: SSL Certificate/ISA import problem - 21.Apr.2005 3:55:00 PM
dd71
After much heartache I found out that the problems I was experiencing on these issues were due to the fact that the ISA Services either didn't get loaded during the original install or got hosed up during an upgrade from ISA Standard to ISA Enterprise. Therefore the management console was accepting the rules; however, there were no services to support them. Unfortunately the initial installation occurred prior to myself inheriting the project. Thanks for all those that replied to my questions.