
Hi

Server 2008 SBS logged in remote and locally as administrator (in group Domain Admins)
MMC snapin Certificates (Local Computer)
MMC snapin Certificates Templates
MMC snapin Certification Authority (Local Computer)

The “issued to: SITES” certificate has expired (Outlook shows this every time it's opened when it connects to Exchange), I can't renew it because of this.  I assume I will need to create a new WEB SERVER certificate from the template then add to the SITES in IIS.

When I try to “Request” a Web Server certificate it's saying I have no authority to do this.  In fact the only one I can create is “Domain Controller”.

I've checked the security tab of the Web Server template and this shows “Domain Admins” as having “Read”, “Write”, “Enrol”, I also tried putting “Full Control” which didn’t fix this.

I tried the same thing on another 2008 SBS and it's identical so how do I renew or create a new SITES certificate for the Web Server?

Many Thanks
Ashley

asked 08/25/2011 06:15


Greaume ♦♦


11 Answers:
Try adding the machine name (hostname) of the server to the template's ACL. Give it Read, Write and Enroll permissions.

Shmoid

answered


Shmoid

The ACL for each template is a standard Domain User / Group adding system, how do I add the server name? (It's the standard Microsoft "Security" tab type entry.)

answered 2011-08-25 at 15:00:21


Greaume

On the security tab, after you click the add button, click the object type button and make sure computer is selected. (It is not selected by default.) After selecting computer objects and clicking okay, just add the computer name the same as you would add a user or group and click the check names button to make sure it sees the computer. Click okay. After the computer has access to the template it should be able to enroll.

Shmoid

answered 2011-08-26 at 06:12:30


Shmoid

Hi

What I did here was replicate all the security from the Domain Controller certificate, this then worked, so not sure why it didn’t fully work before, however it appears by default only the Domain Controller certificate has all the security needed to allow creation.

I have run into another problem with the certificate itself so will ask here.

When creating a Web Server certificate using the MMC, how do I specify which services will use it, only IMAP and POP are in use by the certificate that is created, however I need IMAP, POP, IIS and SMTP (as this is what is in use by the current certificate), how do I select which services are available to this certificate using the MMC and request new certificate?

Many Thanks

answered 2011-08-26 at 06:35:05


Greaume

It worked because you added the domain controller group to the ACL for the template. The computer, being an SBS server, would have been a member of that group and as such now has rights to that certificate template.  If it had been a member server and not a domain controller it would not have worked.  Just for your information, adding the computer name to the template would have worked just the same. Since you got that working let's address your new question.

You don't assign services to the certificate at the time of creation. In fact, it's just the opposite. After you install the cert you bind it to the necessary applications/services. For example, after you install the cert into the computer store, you bind the cert to port 443 in IIS, you bind IMAP, POP and SMTP in Exchange.

answered 2011-08-26 at 07:54:33


Shmoid

Hi

The services make sense, how do I bind IIS and SMTP to this new certificate, I have not yet revoked the old (out of date) one as yet.

Many Thanks

answered 2011-08-26 at 08:15:14


Greaume

I don't have access to an Exchange server, a different group than mine manages them. But somewhere in Exchange manager there is a server configuration that will list the certificate and you can choose the services you need. Just check the box next to IIS, IMAP, POP and SMTP. Sorry I can't tell you exactly where it is.

answered 2011-08-26 at 08:27:08


Shmoid

Hi

I've checked, Exchange 2010 has a Certificates TAB in the management console, however Exchange 2007 doesn’t :( still a bit stuck how to do this....

answered 2011-08-26 at 09:23:41


Greaume

Try this command:

Enable-ExchangeCertificate -Thumbprint <String> -Services <None | IMAP | POP | UM | IIS | SMTP> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-Force <SwitchParameter>] [-WhatIf [<SwitchParameter>]]

Here's an example. Put the thumbprint from the new cert that you installed.

Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services "POP, IMAP"

answered 2011-08-29 at 06:29:26


Shmoid
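
Added example, not part of the original thread: a check-then-bind sequence for the Exchange Management Shell that validates the new certificate before binding the four services named in the question. The thumbprint is a placeholder, and the validity checks and the dry run are this example's own additions around the cmdlet quoted in the answer above.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange server.
$thumbprint = '<THUMBPRINT-OF-NEW-CERT>'       # placeholder, not a real value
$required   = 'IMAP', 'POP', 'IIS', 'SMTP'     # services named in the question

# Overview: every certificate Exchange sees, earliest expiry first.
Get-ExchangeCertificate | Sort-Object NotAfter |
    Format-List Thumbprint, Subject, NotAfter, Services

# Look up the new certificate and stop if it cannot be used.
$cert = Get-ExchangeCertificate | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert)               { throw "No certificate with thumbprint $thumbprint." }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this server.' }
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
    throw "Certificate is not valid today ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Services already bound, as a list ("IMAP, POP" becomes IMAP and POP).
$bound   = $cert.Services.ToString().Split(',') | ForEach-Object { $_.Trim() }
$missing = $required | Where-Object { $bound -notcontains $_ }

if ($missing) {
    $services = [string]::Join(', ', $required)
    # Dry run first; -WhatIf appears in the cmdlet syntax quoted above.
    Enable-ExchangeCertificate -Thumbprint $thumbprint -Services $services -WhatIf
    # Uncomment the next line once the dry run output looks right.
    # Enable-ExchangeCertificate -Thumbprint $thumbprint -Services $services
} else {
    'All required services are already bound to this certificate.'
}

# Confirm the bindings afterwards.
Get-ExchangeCertificate | Where-Object { $_.Thumbprint -eq $thumbprint } |
    Format-List Thumbprint, NotAfter, Services
```
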

Greaume,

Did you try the example?

answered 2011-08-29 at 07:37:09


Shmoid

I believe I answered the original question correctly, as well as the follow-ups.

answered 2011-09-01 at 07:52:09


Shmoid


Asked: 08/25/2011 06:15

Seen: 197 times

Last updated: 11/16/2011 12:45