TLS Certificate Issue
Hi All,
I am using Windows Server 2008 R2 Ent.
I am configuring IIS as SMTP Virtual Server to forward mails to Google Apps.
I need a TLS certificate for a secure connection. How and from where should I obtain it for this server? Or how should I generate it on the server?
In the Access tab, under Secure Connection, I can see: "TLS is not available without a certificate", and Require TLS Encryption is disabled.
And in Event Viewer I can see the log entry "No usable TLS server certificate for SMTP virtual server instance '2' could be found. TLS will be disabled for this virtual-server".
Please help me solve this, as I don't know anything about obtaining or creating a TLS certificate.
Thanks & Regards,
Ishan
December 15th, 2011 6:01am
Hi,
From the problem description, I understand that TLS is not available without a certificate in the Secure Connection tab under the Access tab, just like the figure below:
If you would like to generate the certificate on your Windows Server 2008 R2, you need to install Active Directory Certificate Services by adding the role.
For the detailed information about the ADCS, there is a link for your reference:
Title: Active Directory Certificate Services Step-by-Step Guide
URL:
http://technet.microsoft.com/en-us/library/cc772393(WS.10).aspx
After installing ADCS, you will find that Secure Communication can now be set:
Note: During the setup of ADCS, please pay attention to the detailed instructions.
I hope the information provided above is helpful to you.
Regards,
James Xiong
TechNet Community Support
December 16th, 2011 4:05am
Hi James,
I read Active Directory Certificate Services Step-by-Step Guide.
I am also trying to do these steps. These steps require a Domain Controller to be set up.
We don't have a Domain Controller currently. Is it possible to do this without a Domain Controller?
Thanks & Regards,
Ishan
December 20th, 2011 6:06am
Hi,
From your last reply, I noticed that there is no available Domain Controller in your organization.
Based on my research, I noticed that there is another useful article about installing a server certificate for TLS Encryption for your reference:
Title: Installing a server certificate for TLS Encryption
URL:
http://winintro.ru/mail.en/html/7d31d716-2f99-4b23-a18c-0eaa08a28dde.htm
Note: The CA is required before installing a server certificate.
Since you don't have a Domain Controller available, I think a third-party online CA would be worth considering.
At the same time, there are some methods about securing the SMTP virtual server, you could refer to link below:
Title: Securing SMTP Virtual Servers
URL:
http://technet.microsoft.com/en-us/library/cc737604(WS.10).aspx
Note: The link above applies to Windows Server 2003, but some of the configuration also applies to the Windows Server 2008 scenario.
I hope the information provided above is helpful to you.
Regards,
James Xiong
TechNet Community Support
December 22nd, 2011 3:45am
Hi,
Any Update?
James Xiong
TechNet Community Support
December 25th, 2011 7:59pm
Hey James,
I followed these steps:
Procedure 1: To request and install a server certificate to provide TLS encryption for all SMTP virtual server communication when you have an online CA
Click Start, click Run, type MMC in the Open text field and press Enter. A default Microsoft Management Console (MMC) opens. -->Done
Click the File menu, and then click Add/Remove Snap-in.-->Done
Select Certificates from the Available snap-ins menu, and then click Add>. On the Certificates snap-in dialog box, select Computer account, and then click Finish. Click OK. -->Done
Expand Certificates (Local Computer). Select Personal. Right-click, and then select All Tasks and Request New Certificate. The Certificate Enrollment wizard starts.-->Done (But Blank No entries just add New option available)
On the Before You Begin page, click Next. -->Done
On the Request Certificates page, select the box next to Computer. Click the double chevron icon next to Details, and then select Properties.
-->Not able to see the Request Certificates page. If I click Add New, it asks for Certificate Enrollment Policy Server Configuration --> Enter Enrollment Policy Server URI.
What entries should I make in the Enrollment Policy Server URI field?
Procedure 2: To request and install a server certificate to provide TLS encryption for all SMTP virtual server communication when you have an offline CA
Click Start, click Administrative Tools, and select Internet Information Services (IIS) Manager to open the IIS 7.0 Manager. -->Done
Select the server node. -->Done
In the Features pane, select Server Certificates. In the Actions pane, select Open Feature. -->Done
In the Actions pane, select Create Certificate Request. The Certificate Request wizard starts. -->Done
On the Distinguished Name Properties page, complete all fields, and then click Next.
--> Common Name: smtp.gmail.com
Organization: Organization's name
Organization Unit: Unit name
City: City name
State: State name
Country: Country name
On the Cryptographic Service Provider Properties page, verify that Microsoft RSA SChannel Cryptographic Provider is selected and that Bit Length is set to 1024. Click Next. -->Done
On the File Name page, locate where you want to save the file, and provide a name for the file. The file will have a .txt extension. Click Finish. -->Done
Submit the file to your CA. When the administrator has issued the certificate, a file that has the .cer extension is returned to you. -->Done
In IIS Manager, select the server node. In the Features pane, select Server Certificates. In the Actions pane, select Complete Certificate Request. -->Done
On the Specify Certificate Authority Response page, type the file path and name of the *.cer file or browse to the file location, select the file, and then click Open. Click OK to install the certificate. -->Done
Then I checked the Access tab of the SMTP Virtual Server in IIS 6.0 Manager for the TLS certificate --> No success.
So got stuck again...
Thanks & Regards,
Ishan
January 2nd, 2012 7:48am
Hi,
Now I have downloaded makecert.exe.
Now I am going to try Procedure 3: To create and install a self-signed server certificate to provide TLS encryption for all SMTP virtual server communication.
I need information regarding the parameters I should use to generate the certificate.
What should my command be?
(And one more thing that might be useful for others: there is no need to download the whole SDK to get makecert.exe. Use the web installer (winsdk_web.exe) and uncheck everything except Tools. Size: about 85 MB.
File: C:/Program Files/Microsoft SDKs/Windows/v7.1/Bin/
It needs to be run as Administrator.)
Thanks & Regards,
Ishan
January 4th, 2012 6:14am
Hi there,
I had the same issue in our integration and test environment. I found out that the key to success is to have a certificate that shows the FQDN of the SMTP server. This certificate needs to have the purpose of "server authentication". Good news is that you can create self-signed server certificates from within IIS Manager. Having created one will enable the checkbox for TLS authentication.
Regards
Sven
November 14th, 2012 5:46pm
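As an added example (not from any poster in this thread), the PowerShell script below checks the Local Computer Personal store for a certificate that meets the conditions Sven describes and that the event-log message "No usable TLS server certificate" implies: a subject CN equal to the server's own FQDN, the Server Authentication purpose (EKU 1.3.6.1.5.5.7.3.1), a private key present in the store, and current validity. It assumes PowerShell 2.0 on Windows Server 2008 R2, that the SMTP server's FQDN is this machine's DNS name, and the makecert flags it prints as a fallback are an assumption, not taken from the thread.

```powershell
# Added example: find a certificate the SMTP virtual server can use for TLS.
# Assumes PowerShell 2.0 / .NET 3.5 on Windows Server 2008 R2.
$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU
# Assumption: the SMTP server's FQDN is this machine's own DNS name
$fqdn = [System.Net.Dns]::GetHostEntry("").HostName

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
$store.Open("ReadOnly")
$candidates = @()
try {
    foreach ($cert in $store.Certificates) {
        $reasons = @()
        # The subject CN must be the FQDN the sending server presents, not the remote host
        $cn = $cert.GetNameInfo("SimpleName", $false)
        if ($cn -ne $fqdn) { $reasons += "CN '$cn' does not match FQDN '$fqdn'" }
        # If an EKU extension exists it must include Server Authentication
        # (a certificate with no EKU extension is treated as all-purpose by Windows)
        $ekus = @($cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] })
        $hasServerAuth = $false
        foreach ($e in $ekus) {
            foreach ($oid in $e.EnhancedKeyUsages) { if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true } }
        }
        if ($ekus.Count -gt 0 -and -not $hasServerAuth) { $reasons += "no Server Authentication EKU" }
        # The service needs the private key, not only the public .cer that the CA returned
        if (-not $cert.HasPrivateKey) { $reasons += "no private key in the store" }
        $now = Get-Date
        if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $reasons += "not currently valid" }
        if ($reasons.Count -eq 0) { $candidates += $cert }
        else { Write-Host ("Skipping {0}: {1}" -f $cert.Thumbprint, ($reasons -join "; ")) }
    }
} finally { $store.Close() }

if ($candidates.Count -gt 0) {
    "Usable TLS certificate(s) for $fqdn :"
    $candidates | Format-Table Subject, Thumbprint, NotAfter -AutoSize
} else {
    "No usable certificate for $fqdn. For a test-only self-signed certificate, an assumed makecert command is:"
    '  makecert -r -pe -n "CN={0}" -eku 1.3.6.1.5.5.7.3.1 -ss my -sr localmachine -sky exchange -len 2048 -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12' -f $fqdn
}
```

After a certificate passes every check, restart the SMTP service and confirm the "No usable TLS server certificate" event no longer appears before enabling Require TLS Encryption.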