  1. #1
    edie209's Avatar
    Join Date
    Mar 2006

    Wildcard SSL Certificate

    We have bought a wildcard SSL certificate from Go Daddy.

    We need to use SSL certificates on 3 servers: 1 Exchange 2007 and two IIS 7 web servers, and at a later date Office 365. I created the CSR on the Exchange server:

    New-ExchangeCertificate -generaterequest -keysize 2048 -subjectname "c=GB, l=town, s=County, o=Organisation,cn=school.sch.uk" -domainname SubjectAltName1, SubjectAltName2, SubjectAltName3, SubjectAltName4 -PrivateKeyExportable $true -path c:\certrequest.txt

    This has worked great on the Exchange server, but when I come to the first IIS7 webserver

    I select "Complete Certificate Request" and I get this error
    iis ssl error.JPG

    I spoke to Go Daddy and was told I need to buy another cert for each server. Well, that's not really going to happen, and I am sure this can be done, looking on the web.

    I found this solution for that error http://blogs.msdn.com/b/webtopics/ar...-in-iis-7.aspx

    Begin by importing the .crt file into the Personal certificate store for the local computer. (Start button > Run:  MMC > File Menu > Add/Remove Snap-in > highlight Certificates snap-in and click the ADD button > select Computer Account and click Finish >  Click OK > drill into Personal > Certificates >  right-click and select All Tasks > select Import > guide to the .crt file.)  At this point your certificate is basically a half-certificate.  It is still missing its private key.
    Second, double-click the crt certificate file you just imported, select the Details tab, scroll all the way down to Thumbprint and highlight Thumbprint.  In the lower pane, block and copy all the letters of the thumbprint.  Paste the thumbprint characters into notepad.  Open the command prompt and run this command: Certutil /?
    The command you’ll want to run is:
    certutil -repairstore my "{insert all of the thumbprint characters here}"
    When you see the response: “CertUtil: -repairstore command completed successfully” you should have a private key associated with the .crt file in the personal store. There should no longer be any need to run through the “Complete Certificate Request…” wizard.  The certificate should show up in the IIS Manager’s list of server certificates at this point.  It should also be available in the SSL Certificates drop-down list when attempting to edit the https binding for a website.
    However I get "Access Denied" even with elevated privileges.

    C:\Windows\system32>certutil -repairstore my "7c 46 56 c3 06 1f 7f 4c 0d 67 b3 19 a8 55 f6 0e bc 11 fc 44"
    ================ Certificate 0 ================
    Serial Number: 0301
    Issuer: OU=Go Daddy Class 2 Certification Authority, O=The Go Daddy Group, Inc.,
    NotBefore: 16/11/2006 01:54
    NotAfter: 16/11/2026 01:54
    Subject: SERIALNUMBER=00000000, CN=Go Daddy Secure Certification Authority, OU=h
    ttp://certificates.godaddy.com/repository, O=GoDaddy.com, Inc., L=Scottsdale, S=
    Arizona, C=US
    Non-root Certificate
    Cert Hash(sha1): aa aa aa aa aa aa aa aa aa aa aa aa a8 55 f6 0e bc 11 fc 44
    No key provider information
    Cannot find the certificate and private key for decryption.
    CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
    CertUtil: Access denied.
    To which I found this solution: Add a certification authority backup operator: Public Key

    To add a certification authority backup operator
    • Open Local Security Settings.
    • In the console tree, click User Rights Assignment. Where?
      • Security Settings/Local Policies/User Rights Assignments
    • In the details pane, double-click Back up files and directories.
    • Click Add User or Group and, in Enter the object names to select, type the name of the user or group to add as a backup operator, and then click OK.
    • In the details pane, double-click Restore files and directories.
    • Click Add User or Group and, in Enter the object names to select (examples), type the name of the user or group to add as a backup operator, and then click OK.
    But now I am stuck and not sure what the next step is. Has anyone had a situation like this, and how did you overcome it? As I said, Go Daddy have been no help on this. Do I need to rekey and start again? Is it possibly just a bad cert?

  2. #2

    Join Date
    Dec 2008
    So you're just importing the wild cert straight into IIS?

    Anything on the app log?

  3. #3

    Join Date
    Jun 2011
    You can't import the certificate easily onto another machine with the reply from Go Daddy. Just export the completed certificate request from your Exchange server, including the private key, into a PFX file, then import that into IIS on your other server. Hope it helps. d

  4. Thanks to diagdave from:

    edie209 (8th November 2013)

  5. #4
    edie209's Avatar
    Join Date
    Mar 2006
    Well, what a day can do. @diagdave, I tried to export the cert from the Exchange server many times yesterday with no option for PFX; it was all greyed out. Came in this morning and read your post and thought, what the hell, let's try it this way again, and would you believe it, it worked first time????? I went into IIS7 and imported it fine.

    Thanks for the replies
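
The approach that resolved this thread (move the certificate together with its private key as a PFX, then import it on the IIS server), as an added PowerShell example that is not from the original posts. It uses the .NET X509 classes; the function names and the file path are assumptions. The status check flags certificates without a private key and CA certificates, such as the one whose Subject appears in the certutil output above.

```powershell
# Added example: function names and the sample path are assumptions, not from the thread.
function Get-CertKeyStatus {
    # Lists certificates in a store and reports, per certificate, whether the
    # private key is present and whether it is a CA certificate (basic constraints).
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $bc = $_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
            Select-Object -First 1
        New-Object PSObject -Property @{
            Subject       = $_.Subject
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey
            IsCA          = [bool]($bc -and $bc.CertificateAuthority)
            NotAfter      = $_.NotAfter
        }
    }
}

function Import-PfxToMachineStore {
    # Imports the leaf certificate and its key from a PFX into LocalMachine\My.
    # The Exportable flag is deliberately not set, so the key cannot be
    # exported again from the web server.
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PfxPath, $Password, $flags
    if (-not $cert.HasPrivateKey) {
        throw "PFX '$PfxPath' contains no private key; re-export it with the key included."
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    $cert.Thumbprint   # returned so the caller can select it for the https binding
}

# Usage on the IIS server, from an elevated prompt (path is a placeholder):
#   $pw = Read-Host -AsSecureString 'PFX password'
#   Import-PfxToMachineStore -PfxPath 'C:\temp\wildcard.pfx' -Password $pw
#   Get-CertKeyStatus | Where-Object { -not $_.HasPrivateKey -or $_.IsCA }
```

The PFX holds the private key for every host the wildcard covers, so protect it with a strong password in transit and delete the file from both servers once the import is confirmed.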
