How to generate a CSR for an ISA server w/out IIS
-
15 May 2009 17:58
Hello, Folks,
What's SOP for generating a CSR for a perimeter ISA server without IIS installed on it?
Thank you!
AcroyearUSMC
Edited by AcroyearUSMC, 15 May 2009 18:13
All replies
-
17 May 2009 19:12 Moderator
You can use the certreq -new command to generate a CSR file and then copy it to a domain-joined system for issuing. I have an example of the command routine here in a related blog article: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=49
Full details on the certreq.exe command switches can be found here: http://technet.microsoft.com/en-us/library/cc736326.aspx
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
-
19 May 2009 17:52
Thanks, Jeff. Will this work generating the CSR for a company like Digicert? I'm assuming that I go ahead, make the CSR as per your tutorial and send that off to Digicert... my question would be how to re-constitute the cert once I have the cer file back from them.
AcroyearUSMC
-
19 May 2009 18:01 Moderator
Yes, this will work for either internal or public CAs. The certreq -new command will create the CSR as a .txt file, which you can copy/paste into the webpage for Digicert or whatever vendor is being used. The resulting .cer file can then be imported into the original server with the certreq -accept command, or (what I prefer) by using the Certificates snap-in to import it directly into the desired location (e.g. Local Computer\Personal store).
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
Marked as answer by AcroyearUSMC, 19 May 2009 18:24
-
19 May 2009 18:24
Awesome.... thanks, Jeff
AcroyearUSMC
-
20 May 2009 20:15
One more thing...
Wouldn't we generate the CSR with something like:
[NewRequest]
Subject = "CN=externalmeeting.company.com"
Exportable = TRUE
KeySpec = 1
MachineKeySet = TRUE
Rather than the:
[NewRequest]
Subject = "CN=mobileenroll.domain.com"
Exportable = TRUE
KeySpec = 1
MachineKeySet = TRUE
I guess I'm just wondering about the mobileenroll part of it (not the company.com), Jeff
Thanks again
AcroyearUSMC
-
20 May 2009 21:08 Moderator
Yes, that article was written specifically for Mobile Device Manager, so to use those steps for OCS-related tasks you'll want to ignore those host names and use your specific values. Whatever you've configured as your ExternalWarmFarm FQDN is what you should be using for certificates related to publishing the ISA Reverse HTTPS Proxy rules.
Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
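
The certreq -new / certreq -accept round trip discussed in this thread, as an added example that is not taken from the thread or the linked blog article. The host name is the one from the question above; the file paths and the KeyLength, provider and EKU lines are assumptions added for illustration.

```powershell
# Added example. Run elevated on the ISA server so the key pair is created
# (and stays) in the machine store. Paths below are placeholders.
$fqdn = 'externalmeeting.company.com'   # host name quoted in the thread
$dir  = 'C:\certs'
$inf  = Join-Path $dir 'isa-request.inf'
$csr  = Join-Path $dir 'isa-request.txt'
$cer  = Join-Path $dir 'isa-issued.cer' # file returned by the CA
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Policy file: the four [NewRequest] values from the thread, plus key
# length, SChannel provider and server-authentication EKU (assumed additions).
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
Exportable = TRUE
KeySpec = 1
MachineKeySet = TRUE
KeyLength = 2048
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $inf -Encoding ASCII

# Step 1: create the key pair and the CSR, then review it before submitting.
certreq -new $inf $csr
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
certutil -dump $csr

# Step 2: once the CA has returned the .cer, bind it to the pending request
# on this same server and confirm the private key is attached.
if (Test-Path $cer) {
    certreq -accept $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$fqdn*" } |
        Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
}
```

HasPrivateKey should read True after step 2; if it reads False, the certificate was imported without being matched to the key pair created by certreq -new on this server.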