certificate renewals on a box with multiple certificates

2008-05-14 Thread Kevin Edwards
Hi All

We have ISA2006 publishing OWA and Symantec Enterprise Vault. On the ISA
server I looked via the MMC and there are 2 certs, ev.blah.com and owa.blah.com,
both from Thawte.

Same thing on our two Exchange 2003 front-end servers. What I'd like to do is
generate a renewal request for the ev.blah.com certificate. But if I run the
wizard from the default website level I don't get a renewal option, which is
what I want.

If I run it with the 'assign a certificate' box checked, it does show both
certificates there. If I try on a subsite, the 'server certificate' button is
greyed out.

I suppose I could export the cert via the MMC - import it into another server 
that doesn't have any cert and do the renewal from there - but that's not 
exactly convenient. 

Any ideas greatly appreciated.

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm  ~

RE: certificate renewals on a box with multiple certificates

2008-05-14 Thread Ken Schaefer
If you just want a quick-n-dirty way to do this via the GUI:

1. In IIS create a new website (just a dummy one). Run it on some arbitrary port.
2. Assign the certificate you wish to renew.
3. Use the wizard to generate the necessary renewal CSR.
4. Submit the CSR, and get your new certificate.
5. Import it into IIS via the wizard.
6. Assign the renewed cert to the real site (or export the cert and import onto
   your real server).
7. Delete the dummy website.

Cheers
Ken

From: Kevin Edwards [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 14 May 2008 5:26 PM
To: NT System Admin Issues
Subject: certificate renewals on a box with multiple certificates

RE: certificate renewals on a box with multiple certificates

2008-05-14 Thread Kevin Edwards
Thanks Ken - I'd thought that assigning it moves the cert, but from what you're
describing it's more like a pointer, i.e. we want this cert to apply to these
sites and this cert to apply to this other group of sites.

Is this something I could safely play with during the day on this production 
box?


RE: certificate renewals on a box with multiple certificates

2008-05-14 Thread Ken Schaefer
Hi,

The way certs work in IIS is:

a)  The metabase has a node called SSLCertHash that contains the thumbprint 
of the cert you want to use

b)  The certs are stored in the local Machine certificate store. Each cert 
has a thumbprint property.

See: http://www.adopenstatic.com/cs/blogs/ken/archive/2007/05/12/5050.aspx for 
some pictures of what I mean.

Since the certs are stored in the certificate store, you can manipulate them 
just like any other cert (e.g. using certutil.exe). But if you just want a 
quick one-off way of renewing a cert you can do what I wrote below to generate 
a new CSR to send to Thawte.

Cheers
Ken
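An added check, not from this thread and not Ken's or Microsoft's code, that makes the pointer relationship above concrete: it reads a site's SSLCertHash out of the IIS 6 metabase via ADSI and matches it against the thumbprints in the Local Machine Personal store, so you can see which of several certs a site really uses and catch a binding that still points at an old or missing cert after a renewal (step 6 of the dummy-site procedure is what moves the pointer). Assumptions: run as an administrator on the IIS box, $SiteId is the site's metabase identifier (1 is the Default Web Site), and ADSI hands back SSLCertHash as a byte array.

```powershell
# Added example (not from the thread). Compare an IIS 6 site's SSLCertHash
# pointer with the certificates in the Local Machine Personal store.
param([int]$SiteId = 1, [int]$WarnDays = 30)

# The metabase node Ken describes; SSLCertHash is a binary property.
# Assumption: the ADSI adapter exposes it as a byte array via .Value.
$site  = [ADSI]"IIS://localhost/W3SVC/$SiteId"
$bytes = [byte[]]$site.SSLCertHash.Value
if (-not $bytes) {
    Write-Output "Site $SiteId has no SSLCertHash: no certificate is assigned."
    return
}
# Thumbprint is the SHA-1 of the DER cert; Cert:\ shows it as upper-case hex
# with no separators, so render the metabase bytes the same way.
$boundThumb = [System.BitConverter]::ToString($bytes) -replace '-', ''

# Every cert in the store; '*' marks the one this site points at.
$store = Get-ChildItem Cert:\LocalMachine\My
foreach ($c in $store) {
    $mark = if ($c.Thumbprint -eq $boundThumb) { '*' } else { ' ' }
    Write-Output ("{0} {1}  {2}  expires {3:yyyy-MM-dd}" -f $mark, $c.Thumbprint, $c.Subject, $c.NotAfter)
}

$bound = $store | Where-Object { $_.Thumbprint -eq $boundThumb } | Select-Object -First 1
if (-not $bound) {
    # Pointer to a cert that is gone (e.g. deleted after a renewal): SSL fails.
    Write-Output "WARNING: SSLCertHash $boundThumb matches no cert in LocalMachine\My."
} elseif ($bound.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
    # Renewed cert imported but the real site never re-pointed looks like this.
    Write-Output ("WARNING: bound cert expires {0:yyyy-MM-dd}; assign the renewed cert to site {1}." -f $bound.NotAfter, $SiteId)
}
```

Run it once before and once after the renewal: the starred thumbprint should change to the new cert's after step 6, and the old cert can only be removed from the store safely once no site still points at it.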

From: Kevin Edwards [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 14 May 2008 7:54 PM
To: NT System Admin Issues
Subject: RE: certificate renewals on a box with multiple certificates