  #1 Duke

    Generate CSR on ISA 2006?

    Hi all,

    I'm being stupid because I did this two years ago but I can't remember how!

    I have a Thawte SSL certificate on ISA 2006 that needs to be renewed but I can't figure out how to generate a CSR. I can do CSRs from IIS, but this server isn't running IIS so there doesn't seem to be a way to manage certificates on it from the IIS Manager.

    Can anyone point me in the right direction? Thawte have re-done their website since we last used it and I'm trying to avoid having to set up an account and pay by CC - much easier if I can just get an invoice, but to do so I need to generate a CSR!

    Any ideas?
    Chris

  #2 spc-rocket

    Hi,

    You need to generate the CSR on the server which is running the website, i.e. the server that you have published in ISA. Once this is complete and you have obtained the response from the CA to complete the certificate, you need to export the certificate with the private key from the webserver and import it into ISA, after which you will be able to use it in a Listener for the website you are publishing.

    Make sure you import into ISA's Personal store i.e. Computer\Personal.

    Hope this helps.

    Ash.

  #3 Duke

    Quoting spc-rocket:
    [Useful things]
    I would have sworn there was an easier way from within ISA but looks like you're right. That single cert provides HTTPS for various webservers through ISA so it gets a bit confusing.

    Many thanks!
    Chris

  #4 Duke

    I really must be missing something here - generating the CSR on the webserver generates a request for a certificate for server.domain.local (which is issued by our domain controller and certificate authority) - I need to generate a CSR for www.website.sch.uk - help?

    All the IIS servers use a certificate generated by our internal CA, and ISA gets the certificate from Thawte. How can I get IIS to generate me a CSR for that Thawte certificate?

    Feeling stupid,
    Chris

  #5 localzuk

    IIS SSL Certificate CSR Creation - Microsoft IIS 7

    When you generate them, you are asked (via the 'Common Name' line) what the domain is.

  #6 Duke

    I think I'd get that if I was generating a new certificate, but as this webserver already has a certificate on it (from our internal CA) my only option that'll let me generate a CSR is to renew the current certificate, which automatically fills out the options for server.domain.local.

    I can change the certificate to the current Thawte one (it's already installed on this server, so maybe that's what was done last time?) then maybe generate a CSR that way?

    Chris

  #7 localzuk

    You should just be able to generate new CSRs, as a server can have many different domains on them. Are you generating the CSR at the server level like in that article?

  #8 Duke

    Quoting localzuk:
    You should just be able to generate new CSRs, as a server can have many different domains on them. Are you generating the CSR at the server level like in that article?
    I'm on Server 2003 / IIS6 so it's a bit different. The only way I know of generating a CSR on there is via a specific website within IIS > Properties > Directory Security > Server Certificate.

  #9 localzuk

    Ah, ok. Why do you have the wrong domain set for your site then? i.e. you've got domain.local instead of the FQDN that you want?

    Surely you want to just set the domain properly, then generate your CSR?

    Or is the single website used for multiple things? If so, I'd advise creating different websites for those things - each one with its own domain details.

  #10 spc-rocket

    Hi Duke,

    You can create a dummy site in IIS and then use the certificate wizard on that to generate the CSR. After the certificate process is complete you can just export the cert with the private key and delete the dummy website from IIS.

    Ash.

  #11 Duke

    Quoting localzuk:
    Ah, ok. Why do you have the wrong domain set for your site then? i.e. you've got domain.local instead of the FQDN that you want? Surely you want to just set the domain properly, then generate your CSR? Or is the single website used for multiple things? If so, I'd advise creating different websites for those things - each one with its own domain details.
    The Thawte certificate is used on ISA which handles all incoming traffic and is the server you end up on if you go to www.ourwebsite.sch.uk - ISA then redirects traffic based on the URL (e.g. www.ourwebsite.sch.uk/overhere) to whichever webserver is appropriate (we use several different webservers for different things). The webservers themselves aren't public-facing (everything goes through ISA) so if they need to communicate over HTTPS they use a certificate provided by our internal CA. Hope that makes sense, it certainly works okay!

    Quoting spc-rocket:
    You can create a dummy site in IIS and then use the certificate wizard on that to generate the CSR. After the certificate process is complete you can just export the cert with the private key and delete the dummy website from IIS.
    Yep, that'd work I think, I just can't believe there isn't an easier method. The fact that the Thawte certificate is installed on this webserver (although not being used by IIS) suggests at some point this IIS server has been used to generate the CSR and the new cert has then been exported to ISA.

  #12 spc-rocket

    Hi,

    Yes, you need to do this because without IIS you can't create a certificate for a website. The way you do it at the moment, with the actual server having a cert from the internal CA and then ISA having the public-facing one, involves looking after two certificates along with their renewal, expiry etc., but if you are managing this well then you can continue to use this method.

    The other way to do it would be to use a certificate enrolment site, but this will only allow you to generate the CSR against an internal CA.

    You can get wildcard certificates that are bound to a domain, i.e. *.ourwebsite.sch.uk, which you can use on the ISA server to create a listener for multiple websites. This may make it easier to manage just one external-facing cert rather than having one for each website.

    Ash.

  #13 Duke

    All sorted, thanks for the help - it's much appreciated!

    To anyone in the same, strange position as me, here's how it works: (note, 'installing' the certificate refers to using the MMC snap-in)

    1) Export your external CA (e.g. Thawte, Verisign) certificate from the ISA server and copy the certificate file to your IIS server
    2) Install this certificate on the IIS server
    (these two steps were already done for me, because that's how the certificate got to ISA in the first place)
    3) Change the SSL settings for your website in IIS to use the external CA certificate
    (If your IIS website is configured to use SSL via an internal CA certificate, SSL traffic to it WILL STOP WORKING at this point)
    4) Use IIS to generate a CSR for the external CA certificate
    5) Go through the process of renewing the certificate with your external CA - at some point you will be prompted for the CSR key generated in the previous step
    6) When you have the new certificate from the external CA, copy it to the IIS server and install it
    7) Using IIS, complete the CSR by providing it with the new certificate from the external CA - at this point SSL traffic to this IIS server will still not work
    8) Export the new certificate to a file using IIS and copy it to the ISA server
    9) Install the certificate on the ISA server
    10) Using the web listener configuration within ISA, select the new certificate as the one to use and apply changes
    11) Check access that uses the ISA certificate is now correctly using the new external certificate
    12) On the IIS server, use IIS to revert back to the old internal CA certificate - SSL traffic to this IIS server SHOULD NOW WORK AGAIN

    Can't hurt to reboot servers / restart services at this point to check it's all okay. Also, follow the extra instructions from your CA when installing the new certificate.

    Now in two years' time I'll find this post again when I can't remember how to do it.

    EDIT: I should have clarified - a better way would have been to have a spare IIS server that can afford to be broken while the certificate is being renewed like spc-rocket suggested, rather than using your actual webserver. I got Thawte to process the request in less than an hour and did it out-of-hours (only one service was affected anyway) so I got away with it.

    Useful link: http://www.isaserver.org/articles/exportsslcert.html

    Chris
    Last edited by Duke; 1st February 2011 at 05:55 PM.
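As an added example that is not from the thread or any of its posters: the CSR for the name published on the ISA listener can also be produced with certreq.exe and an INF policy file, which ship with Windows Server 2003, so no live IIS site has to be re-bound (and broken) during the renewal described in steps 3 to 12 above. The public name, organisation fields and file paths are placeholders; run it on the machine that will hold the private key (the ISA server itself, or a spare box if the key is to be exported afterwards).

```powershell
# Added example (not the thread's or any poster's code): generate a PKCS#10 CSR for
# the ISA-published public name with certreq.exe instead of the IIS wizard.
# www.website.sch.uk, the O/C values and C:\certs\* are placeholders.

$PublicName = "www.website.sch.uk"
$InfPath    = "C:\certs\isa-renewal.inf"
$ReqPath    = "C:\certs\isa-renewal.req"

# certreq policy file. Comments in INF syntax start with ';'.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$PublicName, O=Example School, C=GB"
; AT_KEYEXCHANGE is required for an SSL/TLS server key
KeySpec = 1
KeyLength = 2048
; Exportable is only needed if the key must be moved to another server later
Exportable = TRUE
; MachineKeySet puts the key under Computer\Personal, the store ISA reads
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
; 0xa0 = digitalSignature + keyEncipherment
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; serverAuth
OID = 1.3.6.1.5.5.7.3.1
"@

New-Item -ItemType Directory -Path (Split-Path $InfPath) -Force | Out-Null
Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# 1) Create the key pair and the request. The pending request stays in the
#    machine's "Certificate Enrollment Requests" store until the CA answers.
certreq.exe -new $InfPath $ReqPath

# 2) Check the CN really is the public name before pasting the CSR into the CA's
#    renewal form; an empty result here means the Subject line is wrong.
certutil.exe -dump $ReqPath | Select-String "CN=$PublicName"

# 3) When the issued certificate arrives (e.g. C:\certs\issued.cer), bind it to
#    the pending private key. It then appears under Computer\Personal and can be
#    selected in the ISA web listener, as in steps 9 and 10 of the post above.
# certreq.exe -accept C:\certs\issued.cer
```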
