CWA certificate creation for ISA...


  • Sorry, probably being thick here but I have an issue creating the CWA.domain.com certificate for the Workgroup ISA. I've tried using my local machine MMC but the domain internal CA complains that the cert has no template. I've also looked at running the request via IIS within CWA server but that also complains from the internal CA.

    Is there a tool I can use easily just to create a cert for the ISA external public website URL? I've added the internal root CA to ISA mmc certs console - I know this will limit the functions of CWA just to machines that recognise the company CA but that's fine.
    Thursday, September 24, 2009 3:28 PM

All replies

  • Are you attempting to perform an offline certificate request on the ISA server itself? Or trying to create the request on the internal CWA server and trying to export the cert/key package to import into the ISA server?

    Take a look at these articles as they may help:
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=72
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=49

    (The latter is related to SCMDM and not OCS, but the concepts are the same in terms of getting the certificate requested from an internal Enterprise CA and then imported on the workgroup ISA server.)


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, September 24, 2009 4:59 PM
    Moderator
  • Hey Jeff,

    It's the ISA (workgroup) cert for the external public CWA URL, ie HTTPS://cwa.domain.com/*

    I've got the CWA server itself sorted with internal CA cert and root CA certificate, I've also got the internal CA root cert on the ISA but having issues getting any wizard to produce a cert with CWA.domain.com.

    I'll give it another go on Tuesday when I'm back from hols, as usual, cheers for your assistance again.
    Friday, September 25, 2009 10:43 AM
  • Hi Jeff,

    I really fancy using the certreq command but not sure what extra info I'll need for the OCS CWA certificate on the ISA server, the blog just lists very few details in the inf file as below:

    The Process

    Request, issue and install a new certificate on an internal domain-connected server (in this case the SCMDM Enrollment Server).

    • Create a new text file C:\NewCertReq.inf and type the following text in (do not cut/paste from this article), replacing domain.com with your public domain name:

    [NewRequest]
    Subject = "CN=mobileenroll.domain.com"
    Exportable = TRUE
    KeySpec = 1
    MachineKeySet = TRUE

    Will I need more than that, other than, say, "CN=CWA.domain.com", when using an internal CA to produce the response/public key? I remember the other OCS certs requiring various fields for Company, State, etc. Just to confirm again, this cert is to go on the ISA proxy server for the web listening setup that will allow external users to connect via web browser to OCS CWA.
    Tuesday, September 29, 2009 12:20 PM
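    A full certreq walk-through for the cwa.domain.com request, as an added example that is not the thread's own text nor the linked white paper. It assumes the CA path dc.contoso.com\contoso-CA used later in the thread, file paths under C:\, and placeholder O/L/S/C subject values:

```powershell
# Added example, not from the thread or the linked white paper. Assumed names:
# CA config string dc.contoso.com\contoso-CA (the path used later in the thread),
# public name cwa.domain.com, file paths under C:\, and placeholder O/L/S/C
# values. Run elevated on a domain-joined machine (e.g. the CWA server).

$PublicName = 'cwa.domain.com'
$CaConfig   = 'dc.contoso.com\contoso-CA'   # <CA host>\<CA common name>
$InfPath    = 'C:\CwaCertReq.inf'
$ReqPath    = 'C:\CwaCertReq.req'
$CerPath    = 'C:\CwaCertReq.cer'
$PfxPath    = 'C:\cwa.pfx'

# Request definition. Exportable = TRUE matters here: the private key has to
# leave this machine and be imported on the workgroup ISA server. KeySpec = 1
# (key exchange) and KeyUsage 0xA0 (digital signature + key encipherment) are
# what an SSL web listener needs. CertificateTemplate names the Enterprise CA
# template so the request is not rejected for having no template.
$Inf = @"
[NewRequest]
Subject = "CN=$PublicName, O=Contoso, L=London, S=London, C=GB"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
"@
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# 1. Generate the key pair in the machine store and write the PKCS#10 request.
certreq -new $InfPath $ReqPath
# 2. Submit to the Enterprise CA and receive the issued certificate.
certreq -submit -config $CaConfig $ReqPath $CerPath
# 3. Bind the issued certificate to the pending private key.
certreq -accept $CerPath
# 4. Export certificate + private key as PFX for the ISA server. Delete the PFX
#    (and the .req/.cer files) once it has been imported there.
$PfxPassword = Read-Host 'PFX password'   # certutil takes it in clear text
certutil -p $PfxPassword -exportPFX my $PublicName $PfxPath
```

    Import the PFX into the ISA server's local computer Personal store and select it on the web listener; the internal root CA certificate already on the ISA completes the chain.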
  • Take a look at the new OCS Certificate White Paper from Microsoft. It covers in detail how to issue requests for all OCS certificates using the certreq command:
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=77
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, September 29, 2009 3:16 PM
    Moderator
  • Thanks Jeff.
    Tuesday, September 29, 2009 4:04 PM
  • Jeff, sorry back again...

    I've got a problem with the LCSCMD command, it gives an error:

    Task failed: A certificate Authority must be specified.

    I've since added the command "/ca:dc.contoso.com\contoso-CA" but using my internal domain CA details, I then get "unexpected switch /ca=****.localdomain.local/sipdomain.com" Error (0xC3EC7944)

    Just when I thought the LCSCMD tool looked easy lol.
    Wednesday, September 30, 2009 11:57 AM
  • Your command syntax appears to be incorrect, as the opening quotes should be after the switch, not before it, as in:

      /ca:"dc.contoso.com\contoso-CA"

    But since you don't appear to have any spaces in the CA path then the quotes are not even required. So instead use this format:

      /ca:dc.contoso.com\contoso-CA


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, September 30, 2009 12:09 PM
    Moderator
  • Sorry Jeff, that was me trying to say the command is "....", I'd put it in without "" but still complained. I wonder if it's because my CA has contoso.CA instead of contoso-CA, if that makes sense?

    I've just tried it with "" after ca: but same error... Odd.

    My format is as follows /ca:servername.domain.local\sipdomain.com or /ca:"servername.domain.local\sipdomain.com" both fail.

    Wednesday, September 30, 2009 12:16 PM
  • Found it, my mistake, had equals sign instead of :, what a plonker.

    Cheers again.
    Wednesday, September 30, 2009 12:19 PM