New SSL Cert - OWA + Internal resources on Server stopped working
We requested SWGFL to get us a Multi-Domain SSL Certificate from TERENA enabling us to be able to move to Live@Edu. So, I generated a Cert request from our Server (I backed up and removed the old Cert 1st), then unfortunately OWA and other internal services on the Server stopped working (Internet Explorer cannot display the webpage). As several important services had stopped working I emailed in the request for a new Cert then cancelled the request on the Server. I then re-imported the old Cert which got everything back working again.
Fast forward to today and I received the Cert via Email and went to install it. Again I removed the old Cert, placed the new Cert in the Trusted Root CA and Personal Cert store then assigned the new Cert to the desired Default Website in IIS 6. I checked OWA and I get the Internet Explorer cannot display the webpage error message. Same for all other services.
Both Certs have been issued to "mail.<schoolname>.sch.uk" but only the old one works correctly. What have I done wrong?
I had this when creating a wildcard SSL. If you cancel the request to enable OWA to work (we had the same issue) it won't work when you import the cert.
As we were doing a wildcard SSL, I just started a new request on a server that didn't have a need for SSL, so I could leave the request pending.
Then it was just a case of exporting it out of that server, and installing on all the others.
My usual trick which is documented by MS somewhere(!) is to add a new temporary IIS web-site alongside the Default one, do the cert request from and import the cert to the temporary site when it arrives. Then go to the Default site and quickly swap the certs over (replace old and select the new cert from list). Guess you might need wildcards in some scenarios but with Exchange 2003 I've always managed to arrange things so it's all happy with standard single-name IIS cert.
In practice I also need to add an intermediate cert from the CA to the local comp store and restart IIS - not all, but you need to do that for a few CAs.
Last edited by PiqueABoo; 21st February 2012 at 05:02 PM.
Problem solved! I used Hawkeyez's method as it was simpler but I have also saved your notes PiqueABoo just in case the other one is impractical.
Here are my notes just in case anyone else runs into the same problem:
- Request a new Certificate on a Server that isn't using an SSL Certificate otherwise you will break any Service that is using SSL (OWA and Resource Booking).
- Prepare the request, but send it later.
- Import certificate_name.cer once you have received it via email.
- The Move / Copy Certificate to remote Server option gave me an access denied error.
- Instead Export the Certificate into a PFX file - <server>_new_cert.pfx.
- Copy this to <destination_server> C:\ drive.
- On <destination_server> "Remove the current Certificate" Certificate in IIS.
- Import a Certificate from a PFX file and select <server>_new_cert.pfx.
- Browse to OWA and see if the new Certificate is now in use.
There's a load of suggestions on Google on how to fix the access denied error, but I found an alternate solution in step 5 which worked so I have ignored that error for now.
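An added check, not part of any post in this thread: IIS can only serve a certificate whose private key is present on the server, and that key is created along with the pending request, so a certificate imported after the request was cancelled arrives without a usable key. The PowerShell below lists the matching certificates in the local computer's Personal store and reports whether each has a private key and whether its chain builds (the intermediate CA point raised above); the host name `mail.example.sch.uk` is a placeholder.

```powershell
# Added example. $HostName is a placeholder: use the name the certificate was issued to.
$HostName = 'mail.example.sch.uk'

# Open the local computer's Personal store, which is where IIS looks for site certificates.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

try {
    foreach ($cert in $store.Certificates) {
        # Subject Alternative Name extension (OID 2.5.29.17), present on multi-domain certificates.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }

        # Skip certificates that do not name the host in the subject or the SAN list.
        if ($cert.Subject -notlike "*$HostName*" -and $san -notlike "*$HostName*") { continue }

        # Build the chain; a missing intermediate CA certificate shows up as a chain error.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $chainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # False: IIS cannot use this certificate for SSL
            SAN           = $san
            ChainBuilds   = $chainOk
            ChainErrors   = $chainErrors
        }
    }
}
finally {
    $store.Close()
}
```

A row with `HasPrivateKey` False means the certificate has to be imported on the server that still holds the pending request, or brought across as a PFX exported with its private key.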