SAN Cert with Exchange 2003, now OWA issues
Hi All, Question: I have an Exchange 2003 Server, SP2 on Windows 2003 SP2. This is in a lab setting. I have been using an internal Enterprise CA running Windows 2003 to issue an SSL cert for securing OWA. Today I just wanted to try using a SAN certificate. I generated the request using certreq on my Enterprise CA and submitted it using certreq as well. I copied the resulting certificate to my Exchange 2003 server, and imported it into the Personal certificate store. In IIS, I replaced the current SSL cert with my new cert. Now, when I go to https://exchangeserver/exchange, I get a "Page cannot be displayed" error. I assume it has to be due to the SSL cert. If I remove it and disable SSL, or if I replace it with the old certificate, OWA starts working again. Any ideas on what could be the issue? Someone told me SAN/UCC certs are not recommended for Exchange 2003, but I don't see why they would be a problem. Any insight? Thanks!
October 22nd, 2010 1:20pm

How is the cert configured? What are the CN and the SANs?
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
October 22nd, 2010 2:35pm

CN=exchangeservername
SANs list: exchangeservername, exchangeservername.domain.com, webmail.domain.com
I am trying to access OWA internally by going to https://exchangeservername/exchange
October 22nd, 2010 3:00pm

Normally, the CN would be the name normally used for access, and that would, I assume, be webmail.domain.com in your case. Even if it were to be the server name, it should be the FQDN. I don't know that that is what's causing your problem; however, I would need more information about how you requested and installed the certificate.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
October 22nd, 2010 3:07pm

Well to be honest, I originally tried using an Exchange 2007 server I have as well to generate the request since I thought it would be easiest.

    New-ExchangeCertificate -GenerateRequest -Path c:\exserver.csr -KeySize 2048 -SubjectName "c=US, s=Florida, l=Orlando, o=MyOrg, ou=IT, cn=exchangeservername" -DomainName exchangeservername, webmail.domain.com, exchangeservername.domain.com -PrivateKeyExportable $True

I then submitted that to my Enterprise CA using:

    certreq -attrib "CertificateTemplate:Webserver" -submit exserver.csr ex2003san.cer

I took the .cer file and imported it into my Exchange 2003 server and then configured IIS to use it. It was imported using the Certificates MMC of the Local Computer into the Personal Store. I got the problem I am having now, in other words "The page cannot be displayed", and decided to remove that cert and try again with a new cert. This time I used the following .inf file to generate the request:

    [Version]
    Signature="$Windows NT$"

    [NewRequest]
    Subject = "CN=exchangeservername"   ; must be the FQDN of domain controller
    EncipherOnly = FALSE
    Exportable = TRUE                   ; TRUE = Private key is exportable
    KeyLength = 2048                    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
    KeySpec = 1                         ; Key Exchange
    KeyUsage = 0xA0                     ; Digital Signature, Key Encipherment
    MachineKeySet = True
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = CMC

    [RequestAttributes]
    CertificateTemplate = WebServer     ; Omit line if CA is a stand-alone CA
    SAN="dns=exchangeservername&dns=exchangeservername.domain.com&dns=webmail.domain.com"

I requested the cert from my Enterprise CA with

    certreq -new cert-req.inf ex03.req

I finally generated the cert with

    certreq -submit ex03.req ex03-san.cer

Again I imported ex03-san.cer into the Personal Store of the Exchange 2003 computer using the Certificates MMC of the local computer. Went into the Directory Security tab of the default website and selected the newly imported cert to use. Then on the /Exchange and /Public virtual directories, enabled SSL.
October 22nd, 2010 4:02pm

It looks like you imported the wrong thing. You have to do a certificate request on the server, get a response. Install the response on the same server. Then if you want to move that certificate to another server, you export the result. However, before doing so I would test the original server to begin with. Oh, and to be picky, you cannot enable SSL on a per-directory basis. You can enable REQUIRE SSL, but that isn't the same thing. SSL is only enabled at the virtual server level, and require SSL can actually cause problems with the operation of Exchange 2003 and shouldn't be set at all, or if it is, set very carefully. Personally I don't set it at all, but I never allow port 80 traffic in through the firewall. Simon.
Simon Butler, Exchange MVP Blog | Exchange Resources
October 22nd, 2010 7:14pm

Sembee is right: when you issue a request you must complete it on the same server so that the private key is added to the certificate. Then, if you specified that the private key is exportable, you can export the certificate and import it on another server.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
October 22nd, 2010 7:46pm

> It looks like you imported the wrong thing. You have to do a certificate request on the server, get a response. Install the response on the same server. Then if you want to move that certificate to another server, you export the result. However before doing so I would test the original server to begin with.

I'm sorry, I don't quite understand. Install the response on the same server? I submitted the request to my CA and it issued a certificate. Is that not what I need to import on my Exchange server?
October 22nd, 2010 7:48pm

That certificate issued by the CA does not have the private key; completing the certificate request on the server on which you started it adds the private key to the certificate. You can't install a CER file on any machine except the one on which you generated the request. Once you have completed the request, you can then export the certificate via a PFX file to another machine.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
October 22nd, 2010 7:59pm

Appreciate the help guys. I see looking at the cert you are correct, it does not say a private key is associated with the certificate. I tried to export the cert with the private key as a PFX from the CA, but that option was unavailable. I ended up just going to the Certsrv webpage from my Exchange 2003 computer and requested a Webserver certificate from there. I was able to download that and move it into the Personal store for the Computer. Now when I view the certificate, it shows that I have the private key that corresponds to it. I am still getting Page Cannot Be Displayed in Internet Explorer when I try to pull up OWA using https. (If I use Firefox it says the connection was interrupted). Not sure where to go now. I even tried deleting the OWA virtual directories and recreating them. No luck. Grrr.... Any other advice?
October 22nd, 2010 11:08pm

You don't export anything from the CA. Create the certificate request on server 1, take the certificate to the CA, get the result. Import the result into server 1; that creates a valid certificate. Test. Then export the certificate FROM SERVER 1, and import it into server 2. Test again. All of the errors you are seeing are down to the SSL session not being established, and that is down to a corrupt certificate, invalid certificate or incomplete certificate. Although, I don't use an internal CA even for lab environments. I have a certificate I bought (cost $80) and simply move it between builds. Simon.
Simon Butler, Exchange MVP Blog | Exchange Resources
October 23rd, 2010 8:19am

It's really easy to create a CA in a lab environment, and I recommend you do so to get familiar with the certificate generation process because it costs you nothing to generate as many certificates as you want.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
October 23rd, 2010 4:38pm

> It's really easy to create a CA in a lab environment, and I recommend you do so to get familiar with the certificate generation process because it costs you nothing to generate as many certificates as you want.
> Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

I agree. One of the reasons I'm still pursuing this, LOL. So, I need to ask for more help it seems. I cannot for the life of me seem to get a certificate that would work. I swear I've done this before with my Exchange 2007 lab. I just made a request as a CSR file, copied it over to my Windows 2003 CA, used certreq to generate a CER file and then copied that back to the 2007 box and imported it in the EMS, and things worked great. I took a look at the certificate on the 2007 box and it shows that I have the private key for the cert. Yet, I can't seem to get this going for my Exchange 2003 box. So, I just have to come out and ask, how am I supposed to create and submit this request? I have tried:

1) An .INF (that I posted earlier) to create a request using certreq. The request was then submitted to the CA using certreq. The resulting certificate did not seem to get me a corresponding private key.

2) Using Web Enrollment (http://myca/certsrv). I submitted a request using a WebServer template. After going through all the steps, I got the option to download the certificate and install it, which I did. This certificate said it had a corresponding private key. This did not fix my OWA issue.

3) I've used IIS to request a certificate and install a certificate, which works fine, but obviously using this method I cannot request Subject Alternative Names in the certificate.

I hate to be one of those people, but I'm stuck. Thanks for all your help already.
October 24th, 2010 1:49pm

I normally use the web interface instead of certreq, but this article has a good explanation of the steps using certreq. It specifically deals with creating a UCC certificate with SANs, and if you don't need to do that, you can skip that part and just look at the series of certreq commands. http://support.microsoft.com/kb/931351 You can also generate the certificate request and accept it using IIS.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
October 24th, 2010 6:06pm
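
The following is an added example, not posted by anyone in this thread, showing the complete certreq round trip that Sembee's step list and KB 931351 describe, run entirely on the Exchange 2003 server so the issued certificate ends up bound to the private key that `certreq -new` created there. The host names are the ones from the thread; the CA name `CAHOST\CANAME` is a placeholder, and `C:\certs` is assumed to exist.

```powershell
# Added example (not from the thread): certreq round trip on the Exchange 2003
# server itself. Step 1 creates the private key on THIS machine; step 3 binds the
# CA's issued certificate to that key, which importing the .cer via the MMC never does.
# Placeholders: CAHOST\CANAME (issuing enterprise CA) and the C:\certs folder.

# Single-quoted here-string so PowerShell does not expand "$Windows".
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=webmail.domain.com"   ; the name clients actually type
Exportable = TRUE                   ; allows a later PFX export to another server
KeyLength = 2048
KeySpec = 1                         ; AT_KEYEXCHANGE
KeyUsage = 0xA0                     ; digitalSignature, keyEncipherment
MachineKeySet = TRUE                ; key goes in the computer store, not the user's
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1             ; serverAuth

[RequestAttributes]
CertificateTemplate = WebServer     ; omit on a stand-alone CA
SAN = "dns=webmail.domain.com&dns=exchangeservername.domain.com&dns=exchangeservername"
'@
Set-Content -Path C:\certs\ex03-san.inf -Value $inf -Encoding Ascii

# 1. Build the request. This generates the private key in the local machine
#    store of this server; the key never leaves the box.
certreq -new C:\certs\ex03-san.inf C:\certs\ex03-san.req

# 2. Submit to the enterprise CA and save the issued certificate.
certreq -submit -config "CAHOST\CANAME" -attrib "CertificateTemplate:WebServer" `
    C:\certs\ex03-san.req C:\certs\ex03-san.cer

# 3. Complete the request on the SAME server. This is the "install the response"
#    step: it pairs the issued certificate with the key from step 1.
certreq -accept C:\certs\ex03-san.cer

# If the .cer was already imported through the Certificates MMC on this server,
# re-link it to the key from step 1 instead of starting over:
#   certutil -repairstore My "<serial number of the certificate>"

# Verify before touching IIS: verbose output should show a "Key Container" line
# (private key present) and the three DNS names in the Subject Alternative Name.
certutil -v -store My webmail.domain.com
```

Only after `certutil` reports a key container should the certificate be selected on the Default Web Site's Directory Security tab; a certificate without one fails the SSL handshake with exactly the "page cannot be displayed" / "connection was interrupted" symptoms described above.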
