I have an issue configuring the web listener with a SSL certificate bought from GODADDY.com
Scenario: A ISA 2006 machine as a reverse proxy SSL bridging to an exchange 2003 server on LAN Bought a ssl certificate server from godaddy.com (is a .crt file) Install the certificato on IIS 6 with no problem and test it. Try to install the same certificate on the ISA web listener but the certificate is invalid (missed private key) Contact Godaddy to ask their help and tell me to "re-key" the certificate. Followed the instruction provide by the support, but I have the same issue.
The question is: The .crt should contain the private key, but, from my basic knowledge, the ISA server is "not able to use it". Is it a problem of the certificate file type? Normally, to make this configuration I use to export the pxf file from the Exchange server IIS site using the export wizard that permit to export the private key to a .pxf file. Could be a solution to convert a .crt to a .pxf file. How can I do it?
All certificates have two parts: a public key and a private key. Typically a .cer file only contains the public key. You MUST have BOTH the public key and the private key on the ISA server (or any web server for that matter) to enable HTTPS. If you have a server that currently has the certificate installed with both the public and private key, you can export that to a .pfx file (remember to check the box to export the private key) and then import that into ISA. When you import into ISA, make sure you import it into the Personal folder of the COMPUTER account, not your user account.
Thanks for your answer. I've imported the certificate to the machine where I created the certificate request. But when I try to export the certfificate, the export private key option is greayed out. Maybe this has to do with the fact that I created the request using powershell for Exchange 2007. I've googled and searched everywhere for days now how to extract the key from Exchange with no success. Any ideas?
I have not solved the issue yet and I suppose I will open another ticket with Godaddy.
Dear Andrew, That's what I exactly did, but as zulan told, it is not possible to export the private key. Godaddy told me the .crt file contain the private key too. Infact it is possible to bing it to IIS web site where OWA is published. Probably the private key is marked as non exportable, so I am not able to generate the .pfx file that I normally imported to ISA server. A possible solution is to reserve that IP address for OWA only and make a non web publishing protocol rule on the ISA Server machine that NAT the https request to the Exchange http virtual server. Of course I do not prefer this solution, but I would like to use ISA Server as reverse proxy.
If somebody succeeds in configuring this senario, please post the solution. Thank you.
I solved it, the guides and info I found about creating the cert on exchange doesnt mention that there is a switch you need when you create the request in order to export it. I just added -privatekeyExportable:$true at the end and now everything is working fine.
Hi, can you please explain in details the steps you took to get the godaddy.com certificate to work? I'm stuck with a dead .cer file here that ISA can't use and the godaddy.com support folks don't seem to understand the issue here.
Hello FrancisO, first of all, I havent used godaddy so I cant say if it's a specific problem with godaddy.com. Second, it took me 3 full working days to get this ISA 2006 - Exchange 2007 certificate problem solved. Since it was alot of trial and error its very hard to say exactly how I did and as im sure you understand, im not really happy about redoing it.
But if you can describe your exact problem, I might have experianced it and I would happily share my experiance. If the problem is that you can't export the certs private key since its grayed out, then Ive already said the solution to that, but I'll do it more in detail.
When you generate the certificate request in exchange management shell you need to add the switch privatekeyexportable or it wont be able to export the key later on. That was my problem and the reason why I couldnt export the private keys.
Heres the exact line I used to create a working certificate request:
I'm only having issues with the cert part of ISA. I was using my own certificate and wanted to get the read deal so I could use my windows mobile phone and activesync (my device didn't like the certificate). So I went and purchased a godaddy certificate tried both a request using IIS and Exchange 2K7 mgmt shell (your command) but still no luck. The certificate I get from GoDaddy doesn't seem to have the ability to export the private keys. I've e-mailed support.
i opened a MS Call about this problem. I have created the request on the TMG and used an onther certificate for the internal traffic (from the internal trusted CA).
The answer from MS was, thet TMG (and so also ISA) doesn't support CNG (certificate new generation) certificates. That means (so i understand it), that certificates from V3 templates (used by ms server 2008) can't be selected or imported, also when the privat key exist. but... it seems, that all well known public CA use this template.
Although it was very difficult I got my (Godaddy) Certificate working on my ISA web listener. This is how i did it.
I created a certificate Request file with Exchange Shell with the following command
New-ExchangeCertificate -GenerateRequest -SubjectName "DC=mydomain, DC=com, O=mydomain, CN=webmail.mydomain.com" -DomainName webmail.mydomain.com, smtp.mydomain.com, mydomain.com,Exchange.mydomain.com ,Exchange -FriendlyName "Microsoft Exchange 2007" -Path c:\webmail.mydomain.com.req –PrivateKeyExportable $True As mentioned in the posts above the –PrivateKeyExportable is very Important
Then I used the text in de .req file to request my certificate with Goddaddy. Then you get a CRT file from Godaddy. Save this on the Exchange server and Import it. You will use this Certificate on the ISA server but it is very important you import the CRT file certificate on the Exchange server in order to export the keys. You import the certificate with the following command in Exchange shell
Import-ExchangeCertificate –path c:\webmail.mydomain.com.crt Now you can export the certificate to an pfx file with private key from the exchange server using the MMC, the option will now be available during the export process You save the pfx file on the isa server and you import it using the MMC on the ISA server. You will now be able to select the certificate in ISA 2006 web listener
Hope this still helps anyone facing the same problem.
1) On a different server, import your GoDaddy certificate into LocalComputer\Personal 2) Export the newly imported certificate. Choose to export the private key. Select options "Include all certificates in the certification path if possible" and "Export all extended properties". Set a password. 3) On your ISA/TMG box, import the certificate you just exported. This will import your private key.
That should fix your problem. It solved mine after many frustrating tries...