How to install 3rd party SSL domain ceritificate on local servers

  • Thread starter Thread starter Library Sysadmin
  • Start date Start date
L

Library Sysadmin

Guest
Windows 2003 R2 servers. Domain name is in a form such as mydomain.local
We have Certificate Authority installed on a server and have been issuing
self-signed certificates for a few services, such as OWA.

Our web site is outsourced to a web hosting company. Registered domain is
in a form such as mycompany.org. They have purchased a 3rd party domain
certificate for use with the site.

I want to install the domain certificate for use with a couple of services,
such as Exchange 2007 services and VPNs. The web hosting company sent me two
files, domain.crt and domain.key.

Being a domain certificate, I guess I thought it would just be a certificate
I could import on the various servers that was valid for any server name or
type of service. I didn't think this would work, but I tried setting up a
test web site and imported this .crt certificate (not sure what to do with
the .key file). The site can't be accessed on the secure port.

I've searched the web for some kind of documentation on how to use these 3rd
party certifcates, but have only managed to confuse myself even more about
what the .crt and .key files are and how to use them.

Is there a method of using the 3rd party domain certificates with the local
ones at the same time? How do you import the 3rd party domain .crt and .key
files with IIS 6, Exchange 2007 or VPNs?

Any help would be appreciated.
TIA

Rick
 
Re: How to install 3rd party SSL domain ceritificate on local servers

You will need to use IIS to generate a certificate request on your server;
then send that request to the CA (like Verisign or Thawte). They will send
you a certificate that you will save back in IIS. For example:
https://www.thawte.com/ssl-digital-certificates/technical-support/ssl/iis6.html#faq1

You might ask the web hosting company what keys they have sent you, but it
sounds like it may be a misunderstanding. The key for the web site will be
different from the key you use for your own server(s),
Anthony,
http://www.airdesk.co.uk



"Library Sysadmin" <LibrarySysadmin@discussions.microsoft.com> wrote in
message news:1B2BAC81-1DED-43A5-A9D2-CDFF5B77D21A@microsoft.com...
> Windows 2003 R2 servers. Domain name is in a form such as mydomain.local
> We have Certificate Authority installed on a server and have been issuing
> self-signed certificates for a few services, such as OWA.
>
> Our web site is outsourced to a web hosting company. Registered domain is
> in a form such as mycompany.org. They have purchased a 3rd party domain
> certificate for use with the site.
>
> I want to install the domain certificate for use with a couple of
> services,
> such as Exchange 2007 services and VPNs. The web hosting company sent me
> two
> files, domain.crt and domain.key.
>
> Being a domain certificate, I guess I thought it would just be a
> certificate
> I could import on the various servers that was valid for any server name
> or
> type of service. I didn't think this would work, but I tried setting up a
> test web site and imported this .crt certificate (not sure what to do with
> the .key file). The site can't be accessed on the secure port.
>
> I've searched the web for some kind of documentation on how to use these
> 3rd
> party certifcates, but have only managed to confuse myself even more about
> what the .crt and .key files are and how to use them.
>
> Is there a method of using the 3rd party domain certificates with the
> local
> ones at the same time? How do you import the 3rd party domain .crt and
> .key
> files with IIS 6, Exchange 2007 or VPNs?
>
> Any help would be appreciated.
> TIA
>
> Rick
 
Re: How to install 3rd party SSL domain ceritificate on local serv

Re: How to install 3rd party SSL domain ceritificate on local serv

Anthony,

Thanks for the response.
The web hosting company purchased the certificate from Thawte and provided
us with the certificate(s?) that came as .crt and .key files.

However, I cannot load the .crt file anywhere on our servers and get it to
work, nor do I find anything relating to the .key file and what to do with
it. I've tried following Thawte and MS support on this link:
http://www.microsoft.com/technet/pr...4c2-3333-4fec-82fc-6e15d3733937.mspx?mfr=true

These procedures fail on the first step, as I cannot install the certificate
in response to a request, nor can I assign it and get it to function.

Rick

"Anthony [MVP]" wrote:

> You will need to use IIS to generate a certificate request on your server;
> then send that request to the CA (like Verisign or Thawte). They will send
> you a certificate that you will save back in IIS. For example:
> https://www.thawte.com/ssl-digital-certificates/technical-support/ssl/iis6.html#faq1
>
> You might ask the web hosting company what keys they have sent you, but it
> sounds like it may be a misunderstanding. The key for the web site will be
> different from the key you use for your own server(s),
> Anthony,
> http://www.airdesk.co.uk
>
 
Re: How to install 3rd party SSL domain ceritificate on local serv

Re: How to install 3rd party SSL domain ceritificate on local serv

The basic process for what you want to do is that you need to generate a
certificate request on your server and send it to Thawte. The web hosting
company are not involved except perhaps as a reseller.
Assuming that they are reselling you a Thawte certificate, you should
probably ask them what they have done and what you are supposed to so with
it. It is possible that this is OK. You can import the private key and then
use the .crt file: http://www.digicert.com/wildcard-export-import.htm
But you should ask them what they have done. None of this is necessary if
you generate a request and obtain a certificate from Thawte yourself,
Anthony,
http://www.airdesk.com



"Library Sysadmin" <LibrarySysadmin@discussions.microsoft.com> wrote in
message news:B43E00E0-1990-47A2-B460-2139C97BFF53@microsoft.com...
> Anthony,
>
> Thanks for the response.
> The web hosting company purchased the certificate from Thawte and provided
> us with the certificate(s?) that came as .crt and .key files.
>
> However, I cannot load the .crt file anywhere on our servers and get it to
> work, nor do I find anything relating to the .key file and what to do with
> it. I've tried following Thawte and MS support on this link:
> http://www.microsoft.com/technet/pr...4c2-3333-4fec-82fc-6e15d3733937.mspx?mfr=true
>
> These procedures fail on the first step, as I cannot install the
> certificate
> in response to a request, nor can I assign it and get it to function.
>
> Rick
>
> "Anthony [MVP]" wrote:
>
>> You will need to use IIS to generate a certificate request on your
>> server;
>> then send that request to the CA (like Verisign or Thawte). They will
>> send
>> you a certificate that you will save back in IIS. For example:
>> https://www.thawte.com/ssl-digital-certificates/technical-support/ssl/iis6.html#faq1
>>
>> You might ask the web hosting company what keys they have sent you, but
>> it
>> sounds like it may be a misunderstanding. The key for the web site will
>> be
>> different from the key you use for your own server(s),
>> Anthony,
>> http://www.airdesk.co.uk
>>
>
 
Re: How to install 3rd party SSL domain ceritificate on local serv

Re: How to install 3rd party SSL domain ceritificate on local serv

For IIS use, the certificate has to be installed on the virtual directory.
You can use IIS manager to do this. On the virtual directory you want to use
with the certificate, open properties then directory security and click the
server certificate button which will start the wizard. Choose the import
option and point to your certificate.

Once it is imported, view the certificate to see if the trust goes all the
way to the issuer. If it doesn't you will probably have to install the
certificate intermediate files on the server as well. You may also have to
install the certificate in the personal certificates.

Start MMC then add certificates using local account for the server computer
and expand personal. If you see a personal certificates folder, see if the
certificate is installed. If not, import it. If there is no sub folder,
just import it and the subfolder will be created.

Check for intermediate and trusted issuers by expanding those folders. You
may have to grab another set of files from the issuer for intermediate
trusting.

Once that is all done, you should be set for the web stuff. Make sure your
exchange virtual directories are part of the directory that got the
certificate, such as default web site. Realize that it will apply to the
whole directory structure.

For VPN and remote access, you should be able to select the certificate once
it is properly installed on the machine. For example, if you are using ISA,
adding the certificate to the listener is done by clicking on certificate and
seeing it appear in the list.

Hope this helps.
 
Re: How to install 3rd party SSL domain ceritificate on local serv

Re: How to install 3rd party SSL domain ceritificate on local serv

Anthony,

This would be considered the "reseller" situation, I believe, and I do have
an inquiry open to the web hosting company. However, even if I had sent the
request to Thawte myself, wouldn't the .crt and .key files be the same ones
they returend to me (as opposed to being sent to the web hosting company)?

If so, I'm left at my original question. How do I install these?

The procedures I've read in the Technet or MS articles, or have been posted
in repsonses, are the very ones that do not work with these files. The
domain (or wildcard) certificates are not recogized by the IIS process as
being valid in response to a certificate request. When just performing an
"existing certificate assignment", they are loaded but secure connection fail
to these sites, or Exchange or VPNs.

Rick

"Anthony [MVP]" wrote:

> The basic process for what you want to do is that you need to generate a
> certificate request on your server and send it to Thawte. The web hosting
> company are not involved except perhaps as a reseller.
> Assuming that they are reselling you a Thawte certificate, you should
> probably ask them what they have done and what you are supposed to so with
> it. It is possible that this is OK. You can import the private key and then
> use the .crt file: http://www.digicert.com/wildcard-export-import.htm
> But you should ask them what they have done. None of this is necessary if
> you generate a request and obtain a certificate from Thawte yourself,
> Anthony,
> http://www.airdesk.com
>
>
>
> "Library Sysadmin" <LibrarySysadmin@discussions.microsoft.com> wrote in
> message news:B43E00E0-1990-47A2-B460-2139C97BFF53@microsoft.com...
> > Anthony,
> >
> > Thanks for the response.
> > The web hosting company purchased the certificate from Thawte and provided
> > us with the certificate(s?) that came as .crt and .key files.
> >
> > However, I cannot load the .crt file anywhere on our servers and get it to
> > work, nor do I find anything relating to the .key file and what to do with
> > it. I've tried following Thawte and MS support on this link:
> > http://www.microsoft.com/technet/pr...4c2-3333-4fec-82fc-6e15d3733937.mspx?mfr=true
> >
> > These procedures fail on the first step, as I cannot install the
> > certificate
> > in response to a request, nor can I assign it and get it to function.
> >
> > Rick
> >
> > "Anthony [MVP]" wrote:
> >
> >> You will need to use IIS to generate a certificate request on your
> >> server;
> >> then send that request to the CA (like Verisign or Thawte). They will
> >> send
> >> you a certificate that you will save back in IIS. For example:
> >> https://www.thawte.com/ssl-digital-certificates/technical-support/ssl/iis6.html#faq1
> >>
> >> You might ask the web hosting company what keys they have sent you, but
> >> it
> >> sounds like it may be a misunderstanding. The key for the web site will
> >> be
> >> different from the key you use for your own server(s),
> >> Anthony,
> >> http://www.airdesk.co.uk
> >>
> >
>
>
>
 
Re: How to install 3rd party SSL domain ceritificate on local serv

Re: How to install 3rd party SSL domain ceritificate on local serv

Rick,
If you had generated the request in IIS, you would get back a block of text
from the CA that you save as a single .cer file. Then in IIS you would just
browse to the .cer file to match it up with the request. The .cer has to
match up with the key generated by the request. Even going through a
reseller, you generate a request, give them the .csr, then receive a .cer
(or a block of text to save as a .cer file).
It sounds to me as though the web hosting company have generated an Apache
key pair for you. This process gives you a .key (RSA private key) file and a
..crt (certificate) file. You need to resolve this with the hosting company,
Anthony,
http://www.airdesk.co.uk


"Library Sysadmin" <LibrarySysadmin@discussions.microsoft.com> wrote in
message news:DAA52B3C-EEDC-43AB-B18E-03C3C87CAE7B@microsoft.com...
> Anthony,
>
> This would be considered the "reseller" situation, I believe, and I do
> have
> an inquiry open to the web hosting company. However, even if I had sent
> the
> request to Thawte myself, wouldn't the .crt and .key files be the same
> ones
> they returend to me (as opposed to being sent to the web hosting company)?
>
> If so, I'm left at my original question. How do I install these?
>
> The procedures I've read in the Technet or MS articles, or have been
> posted
> in repsonses, are the very ones that do not work with these files. The
> domain (or wildcard) certificates are not recogized by the IIS process as
> being valid in response to a certificate request. When just performing an
> "existing certificate assignment", they are loaded but secure connection
> fail
> to these sites, or Exchange or VPNs.
>
> Rick
>
> "Anthony [MVP]" wrote:
>
>> The basic process for what you want to do is that you need to generate a
>> certificate request on your server and send it to Thawte. The web hosting
>> company are not involved except perhaps as a reseller.
>> Assuming that they are reselling you a Thawte certificate, you should
>> probably ask them what they have done and what you are supposed to so
>> with
>> it. It is possible that this is OK. You can import the private key and
>> then
>> use the .crt file: http://www.digicert.com/wildcard-export-import.htm
>> But you should ask them what they have done. None of this is necessary if
>> you generate a request and obtain a certificate from Thawte yourself,
>> Anthony,
>> http://www.airdesk.com
>>
>>
>>
>> "Library Sysadmin" <LibrarySysadmin@discussions.microsoft.com> wrote in
>> message news:B43E00E0-1990-47A2-B460-2139C97BFF53@microsoft.com...
>> > Anthony,
>> >
>> > Thanks for the response.
>> > The web hosting company purchased the certificate from Thawte and
>> > provided
>> > us with the certificate(s?) that came as .crt and .key files.
>> >
>> > However, I cannot load the .crt file anywhere on our servers and get it
>> > to
>> > work, nor do I find anything relating to the .key file and what to do
>> > with
>> > it. I've tried following Thawte and MS support on this link:
>> > http://www.microsoft.com/technet/pr...4c2-3333-4fec-82fc-6e15d3733937.mspx?mfr=true
>> >
>> > These procedures fail on the first step, as I cannot install the
>> > certificate
>> > in response to a request, nor can I assign it and get it to function.
>> >
>> > Rick
>> >
>> > "Anthony [MVP]" wrote:
>> >
>> >> You will need to use IIS to generate a certificate request on your
>> >> server;
>> >> then send that request to the CA (like Verisign or Thawte). They will
>> >> send
>> >> you a certificate that you will save back in IIS. For example:
>> >> https://www.thawte.com/ssl-digital-certificates/technical-support/ssl/iis6.html#faq1
>> >>
>> >> You might ask the web hosting company what keys they have sent you,
>> >> but
>> >> it
>> >> sounds like it may be a misunderstanding. The key for the web site
>> >> will
>> >> be
>> >> different from the key you use for your own server(s),
>> >> Anthony,
>> >> http://www.airdesk.co.uk
>> >>
>> >
>>
>>
>>
 
Re: How to install 3rd party SSL domain ceritificate on local serv

Re: How to install 3rd party SSL domain ceritificate on local serv

Larry,

Thanks for the response.

> For IIS use, the certificate has to be installed on the virtual directory.
> You can use IIS manager to do this. On the virtual directory you want to use
> with the certificate, open properties then directory security and click the
> server certificate button which will start the wizard. Choose the import
> option and point to your certificate.
>

I cannot create a new request and install the domain certificate. I get
this message: The pending certificate request for this response file was not
found. This request may be canceled. You cannot install selected response
certificate using this Wizard.

If I try to use the Assign existing certificate method, after importing it
and setting the site to use this cert, IE will not render the page when using
the secure socket.

> Once it is imported, view the certificate to see if the trust goes all the
> way to the issuer. If it doesn't you will probably have to install the
> certificate intermediate files on the server as well. You may also have to
> install the certificate in the personal certificates.
>
> Start MMC then add certificates using local account for the server computer
> and expand personal. If you see a personal certificates folder, see if the
> certificate is installed. If not, import it. If there is no sub folder,
> just import it and the subfolder will be created.
>

With the certificate imported to the server in both the Personal and Trusted
3rd Party Certificates stores, I open the Certificates MMC. It displays the
issuer as Thawte, so this should be correct.

> Check for intermediate and trusted issuers by expanding those folders. You
> may have to grab another set of files from the issuer for intermediate
> trusting.
>

Still in MMC, the .crt file does import successfully into the Intermediate
CA Certificates store.

> Once that is all done, you should be set for the web stuff. Make sure your
> exchange virtual directories are part of the directory that got the
> certificate, such as default web site. Realize that it will apply to the
> whole directory structure.
>

Set up the web site using the Assign existing certificate method and it does
not render the page in a browser on the secure port. (443)

> For VPN and remote access, you should be able to select the certificate once
> it is properly installed on the machine. For example, if you are using ISA,
> adding the certificate to the listener is done by clicking on certificate and
> seeing it appear in the list.
>
> Hope this helps.
 
Back
Top