Welcome to ISAserver.org


Web listener with GODADDY certificate

Web listener with GODADDY certificate - 17.Apr.2008 5:56:28 AM   
egiacomin

 

Posts: 4
Joined: 4.Mar.2007
Status: offline
I have an issue configuring the web listener with an SSL certificate bought from GODADDY.com.

Scenario:
An ISA 2006 machine as a reverse proxy, SSL bridging to an Exchange 2003 server on the LAN.
Bought an SSL server certificate from godaddy.com (it is a .crt file).
Installed the certificate on IIS 6 with no problem and tested it.
Tried to install the same certificate on the ISA web listener, but the certificate is invalid (missing private key).
Contacted Godaddy to ask for their help and they told me to "re-key" the certificate.
Followed the instructions provided by support, but I have the same issue.

The question is:
The .crt should contain the private key, but, from my basic knowledge, the ISA server is "not able to use it". Is it a problem of the certificate file type?
Normally, to make this configuration I export the .pfx file from the Exchange server IIS site using the export wizard, which permits exporting the private key to a .pfx file. Could a solution be to convert a .crt to a .pfx file? How can I do it?

Thank you very much for any suggestions,

regards,

Enrico
Italy.
Post #: 1
RE: Web listener with GODADDY certificate - 21.Apr.2008 11:58:45 AM   
Zulan

 

Posts: 39
Joined: 28.Nov.2006
Status: offline
Did you solve this problem? I have the exact same issue using StartCOM certificates.

(in reply to egiacomin)
Post #: 2
RE: Web listener with GODADDY certificate - 22.Apr.2008 7:59:16 PM   
andrew.garvin

 

Posts: 3
Joined: 3.Apr.2008
Status: offline
All certificates have two parts: a public key and a private key.  Typically a .cer file only contains the public key.  You MUST have BOTH the public key and the private key on the ISA server (or any web server for that matter) to enable HTTPS.  If you have a server that currently has the certificate installed with both the public and private key, you can export that to a .pfx file (remember to check the box to export the private key) and then import that into ISA.  When you import into ISA, make sure you import it into the Personal folder of the COMPUTER account, not your user account.

References:
http://www.isaserver.org/articles/exportsslcert.html
http://www.microsoft.com/technet/isa/2004/plan/tscerts.mspx
https://www.securetrust.com/support/sslcertificates/install/isa

(in reply to egiacomin)
Post #: 3
RE: Web listener with GODADDY certificate - 23.Apr.2008 4:24:58 AM   
Zulan

 

Posts: 39
Joined: 28.Nov.2006
Status: offline
Thanks for your answer. I've imported the certificate to the machine where I created the certificate request. But when I try to export the certificate, the export private key option is grayed out. Maybe this has to do with the fact that I created the request using PowerShell for Exchange 2007. I've googled and searched everywhere for days now for how to extract the key from Exchange, with no success. Any ideas?

(in reply to andrew.garvin)
Post #: 4
RE: Web listener with GODADDY certificate - 25.Apr.2008 3:31:20 AM   
egiacomin

 

Posts: 4
Joined: 4.Mar.2007
Status: offline
Dear Zulan.

I have not solved the issue yet and I suppose I will open another ticket with Godaddy.

Dear Andrew, that's exactly what I did, but as Zulan said, it is not possible to export the private key. Godaddy told me the .crt file contains the private key too. In fact it is possible to bind it to the IIS web site where OWA is published. Probably the private key is marked as non-exportable, so I am not able to generate the .pfx file that I normally import into ISA Server. A possible solution is to reserve that IP address for OWA only and make a non-web publishing protocol rule on the ISA Server machine that NATs the https request to the Exchange http virtual server.
Of course I do not prefer this solution; I would like to use ISA Server as a reverse proxy.

If somebody succeeds in configuring this scenario, please post the solution. Thank you.

Enrico

(in reply to Zulan)
Post #: 5
RE: Web listener with GODADDY certificate - 25.Apr.2008 8:30:13 AM   
Zulan

 

Posts: 39
Joined: 28.Nov.2006
Status: offline
I solved it. The guides and info I found about creating the cert on Exchange don't mention that there is a switch you need when you create the request in order to export it. I just added -privatekeyExportable:$true at the end and now everything is working fine.

(in reply to egiacomin)
Post #: 6
RE: Web listener with GODADDY certificate - 19.May2008 3:21:27 PM   
FrancisO

 

Posts: 4
Joined: 25.Apr.2008
Status: offline
Hi, can you please explain in detail the steps you took to get the godaddy.com certificate to work? I'm stuck with a dead .cer file here that ISA can't use and the godaddy.com support folks don't seem to understand the issue here.

Thanks in advance,
Francis

(in reply to Zulan)
Post #: 7
RE: Web listener with GODADDY certificate - 19.May2008 3:37:22 PM   
Zulan

 

Posts: 39
Joined: 28.Nov.2006
Status: offline
Hello FrancisO, first of all, I haven't used godaddy so I can't say if it's a specific problem with godaddy.com. Second, it took me 3 full working days to get this ISA 2006 - Exchange 2007 certificate problem solved. Since it was a lot of trial and error, it's very hard to say exactly how I did it and, as I'm sure you understand, I'm not really happy about redoing it.

But if you can describe your exact problem, I might have experienced it and I would happily share my experience. If the problem is that you can't export the cert's private key since it's grayed out, then I've already given the solution to that, but I'll do it in more detail.

When you generate the certificate request in Exchange Management Shell you need to add the switch privatekeyexportable or it won't be able to export the key later on. That was my problem and the reason why I couldn't export the private keys.

Here's the exact line I used to create a working certificate request:


New-ExchangeCertificate -GenerateRequest -Path c:\owa_zulan_se.csr -KeySize 1024 -SubjectName "c=SE, s=, l=Malmö, o=Zulan.se, cn=owa.zulan.se" -DomainName owa.zulan.se, autodiscover.zulan.se, smtp.zulan.se, zulan.local, exchange.zulan.local, exchange -PrivateKeyExportable $True

I got my free cert from cacert.org

(in reply to FrancisO)
Post #: 8
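
A diagnostic for the situation discussed in posts 3 to 8, added here as an example and not written by anyone in the thread: it lists the certificates in the computer account's Personal store and reports which ones lack a private key or have a key that is not marked exportable. The function name Get-PrivateKeyStatus and the verdict strings are made up for this example; it assumes Windows PowerShell 3.0 or later, an elevated session, and CSP-backed RSA keys.

```powershell
# Added example (not from the thread). Run elevated on the server that holds
# the certificate, e.g. the machine where the certificate request was created.
function Get-PrivateKeyStatus {
    param(
        # Assumption: the certificate lives in the COMPUTER account's Personal
        # folder, which the Cert: drive exposes as LocalMachine\My.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $exportable = $null
        if ($cert.HasPrivateKey) {
            try {
                $key = $cert.PrivateKey
                # Only CSP-backed RSA keys expose the Exportable flag this way.
                if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $exportable = $key.CspKeyContainerInfo.Exportable
                }
            } catch {
                # Key container not readable (permissions, or a provider this
                # API cannot open); leave the result undetermined.
                $exportable = $null
            }
        }

        $verdict = if (-not $cert.HasPrivateKey) {
            'Public certificate only: no private key is associated on this machine'
        } elseif ($exportable -eq $true) {
            'Private key present and exportable: .pfx export with the key is possible'
        } elseif ($exportable -eq $false) {
            'Private key present but NOT exportable: the export option will be grayed out'
        } else {
            'Private key present; exportability could not be determined'
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Exportable    = $exportable
            Verdict       = $verdict
        }
    }
}

Get-PrivateKeyStatus | Format-List
```
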
RE: Web listener with GODADDY certificate - 19.May2008 4:48:50 PM   
FrancisO

 

Posts: 4
Joined: 25.Apr.2008
Status: offline
I'm only having issues with the cert part of ISA. I was using my own certificate and wanted to get the real deal so I could use my Windows Mobile phone and ActiveSync (my device didn't like the certificate). So I went and purchased a godaddy certificate and tried both a request using IIS and the Exchange 2K7 mgmt shell (your command), but still no luck. The certificate I get from GoDaddy doesn't seem to have the ability to export the private keys. I've e-mailed support.

Will let you know!

Francis

(in reply to Zulan)
Post #: 9
RE: Web listener with GODADDY certificate - 21.May2008 7:35:41 AM   
FrancisO

 

Posts: 4
Joined: 25.Apr.2008
Status: offline
Well it seems that the GoDaddy support folks handling certificate issues are clueless. I've bought 2 certificates so far from them and still no way to export the private key.

Does anyone have an alternative? A decent cert provider that won't set me back 500$?

Thanks,
Francis

(in reply to FrancisO)
Post #: 10
RE: Web listener with GODADDY certificate - 21.May2008 8:48:00 AM   
Zulan

 

Posts: 39
Joined: 28.Nov.2006
Status: offline
I used cacert.org and it was free. You could also try http://www.startcom.org/, they were also free.

(in reply to FrancisO)
Post #: 11
