Tuesday, September 1, 2009

Certificate issue (Private key not installed)

Recently , I was working on OCS certificate issue. The issue in summary, is that I have requested a certificate for the OCS edge server as well as the Reverse proxy server (ISA 2006), the certificate holds multiple SANs in order to utilize it in both the OCS edge server for the Edge and the web conference roles, and also the Reverse proxy to allow downloading meeting contends and the address list.

Anyway, I have received the certificate, I import it on the ISA server and once I tried to select it on the web listener I get the error: Private Key not installed.

There is a very similar scenario in the exchange team blog ,the missing thing is that I should import the received certificate first on the machine that generate the request to get the private key pairs.

In my case I was requesting the certificate on the Edge server. So, we need to first import the certificate on the edge server to get the certificate working properly with its private key, and then export it to be installed on the ISA server.

So let's go to the edge server

Click the certificate link on the right pane to launch the certificate wizard, click next

Then we have to choose process an offline certificate……

Then browse to the path of the certificate file that has been downloaded from the 3rd party CA, and finish.

Assigning the certificate

Let's access the certificate wizard, but this time we shall choose Assign an existing certificate
On the Available Certificate screen choose the imported certificate and click Next
On the next screen, I shall choose two options
I choose to assign the certificate for both the access edge and web conference, because I had already requested a certificate with multiple SANs that include them.

And Next then Finish.

Now to export the certificate we should run new MMC, from the file menu choose Add/remove snap-ins

Then add, and choose Certificates, and
make sure to choose computer account, and click Next
Then click finish.

From the certificate console, go to the certificate folder under personal, you should find the imported certificate there, right click it and choose export from all tasks.
Click Next on the Welcome to the certificate export wizard

Make sure to choose the first option on the next dialog and click Next
And ensure to choose enable strong protection and click Next
On the next window, set a password and click Next.
Then specify a name for the file and location.

And finally finish.

We can use the same way now to import it on the ISA server, from the certificate console we shall right click certificate and choose Import from all tasks
Click Next on the welcome screen,

Specify the path of the file on next screen and click Next,

Specify the password for the file and click Next,

Make sure you choose the second option on the Certificate store screen, and click Next
And then finish.
Now back to the ISA console, trying to select the imported certificate on the web listener is successful

You can notice that the private key is correctly installed.
Moreover testing the rule is giving successful completion.

To verify access through the Reverse Proxy:

Open a Web browser, type the URLs in the Address bar that are used by clients to access the

Address Book files, Live Meeting content and Distribution Group expansion where

https://externalwebfarmFQDN is the external FQDN of the reverse proxy server.

• For Address Book Server type https://externalWebFarmFQDN/abs/ext User should

receive an HTTP challenge.

• For Web conferencing, type https://externalWebFarmFQDN/conf/ext/Tshoot.html

This URL should display the troubleshooting page for Web conferencing.

• For group expansion type

https://externalWebFarmFQDN/GroupExpansion/ext/service.asmx User should receive an HTTP challenge.


JBL said...

That it's great.
two days i've been searching for that good damn personal key :)

Cheers Mate

M_Al-Enezi said...

You are most welcome:)

EMTF said...

very good, I used the procedure of export and import in ISA and it worked perfectly.

EMTF said...
This comment has been removed by the author.