CWA unable to find certificates

  • Question

  • Hi guys

    I'm trying to set up CWA but I've run into a brick wall. According to the
    Planning and Deployment guide, I'm supposed to install my CA chain on the
    CWA server (which I did), and then request a new webserver certificate,
    install it (all done) and then perform step 2 of the installation. 
    I get past the "Select domain service account" but when I press the Select
    Certificate button in the next step, I have no certificates listed. 
    Following the planning and deployment guide I noted that the certificate I
    requested (for chdevweb01.devlab.ch which is the fqdn of my cwa server) has
    been put in the personal section of the current user certificates, but not
    under the Trusted Root Certification Authorities under Local Computer. So I
    copied the certificate and tried again, but once again I don't see any
    certificates listed for selection. 
    What also bothers me a bit is that the planning and deployment guide says
    that if the certificate doesn't show up as trusted root, you'd copy it from
    the personal certificates just above.. but the certificate in question isn't
    listed under the personal certificates of local computer, but the personal
    certificates of current user. 
    I did try to copy the certificate to both trusted root folders (local
    computer and current user) but to no avail so I have now officially run out
    of ideas on what to do. 
    Does anybody have an idea what could cause this and how to get the installer
    to find my certificate? 
    Regards
    Stephan
    Monday, August 4, 2008 2:21 PM

All replies

  • Stephan, I would suggest only dealing with the Local Computer store. You can ignore the User's personal and Trusted CA stores.

    Install the certificate chain's root CA certificate into the Local Computer Trusted CA store.
    Install any intermediate CAs in the Local Computer Intermediate CA store.
    Finally, install the actual cert for your CWA site name into the Local Computer Personal store.
    Monday, August 4, 2008 4:53 PM
  • Hi Stephan,

    I would suggest that you request the cert via the IIS cert wizard. It will place the certs in the correct store automatically. Otherwise, as Tom mentions, put the actual cert in the computer store, while the root cert goes in the trusted root store of the computer.
    Regards,

    Matt
    Monday, August 4, 2008 6:33 PM
  • Hi

    I decided to start from scratch again so I removed the cert I requested from any place I could find it and even removed the certificate chain of my domain. Then I went to

    http://my-domain-controller/certsrv

    clicked on "Download a CA certificate, certificate chain, or CRL", then clicked on "Install this CA certificate chain" (the name being devlab-CHDEVAD01-CA)

    (that's a process I did on any of my OCS servers). Now I see that certificate under the Trusted Root Certificate Authorities under Current User (the current user is the domain admin), but not under Local Computer.

    Then I visit the same URL again, and this time I select "Request a certificate", then "advanced certificate request" and
    "Create and submit a request to this CA".

    I choose the Web Server certificate template, enter the fqdn of the box (chdevweb01.devlab.ch) as name and friendly name, and enter the organizational information while leaving everything else untouched.

    Then I submit the request, and after the confirmation popup I click on "Install the certificate".

    Now I see that certificate under the Personal Certificates of the Current User.

    This process is the same as I did for my edge server (where I have no certificate issues).


    The results (as outlined above) do differ from my edge server though - on the edge server I have my certificate chain listed both under current user and local computer, and in the personal certs under current user I have 3 certs (with the names of my access edge, a/v edge and web edge server) and 4 certs in the personal folder in local computer (the 3 I also have under current user, plus the one for the internal fqdn of the edge server).


    So I copied the cert chain again from current user to local computer and likewise for the certificate I requested and that ended up in the local user's personal folder, then retried the setup. And wouldn't you know, now I can actually select the certificate, but when I try to get to the next step I'm being told that the certificate is incorrect.

    So what is going on here?

    Regards
    Stephan
    Tuesday, August 5, 2008 1:32 PM
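The following script is an added example and is not code from the thread or from Microsoft. It checks the placement Tom describes (root CA in LocalMachine\Root, intermediates in LocalMachine\CA, site certificate in LocalMachine\My) and reports the condition behind the "certificate is incorrect" symptom above: a certificate that is present in the machine Personal store but has no private key the machine context can use, which is what a certificate copied over from the Current User store typically looks like. The site name is Stephan's FQDN from the thread; the function name is my own.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the CWA box.
# Assumption: the CWA site certificate carries the server FQDN as its CN.
$fqdn = "chdevweb01.devlab.ch"

function Test-CwaCertificate {
    param([string]$SiteName)

    # CWA runs as a service, so only the Local Computer Personal store counts.
    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$SiteName*" }

    if (-not $candidates) {
        Write-Warning "No certificate for $SiteName in LocalMachine\My. A cert sitting in CurrentUser\My is invisible to the installer."
        return
    }

    foreach ($cert in $candidates) {
        "Subject        : $($cert.Subject)"
        "Issuer         : $($cert.Issuer)"
        "Thumbprint     : $($cert.Thumbprint)"
        "Valid until    : $($cert.NotAfter)"

        # A cert copied from the user's Personal store shows up here without a
        # machine private key; that is the usual reason the installer rejects it.
        "Private key    : $($cert.HasPrivateKey)"

        # The Web Server template issues the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
        $serverAuth = $false
        if ($eku) {
            $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })
        }
        "ServerAuth EKU : $serverAuth"

        # The issuer must resolve to a CA cert in the machine Root or Intermediate store.
        $issuerInStore = @(Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
            Where-Object { $_.Subject -eq $cert.Issuer }).Count -gt 0
        "Issuer CA found: $issuerInStore"

        # Full chain build; revocation checking is off because a lab CA's CRL is often unreachable.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = "NoCheck"
        $built = $chain.Build($cert)
        "Chain builds   : $built"
        if (-not $built) {
            $chain.ChainStatus | ForEach-Object { "    " + $_.Status + ": " + $_.StatusInformation.Trim() }
        }
        ""
    }
}

Test-CwaCertificate -SiteName $fqdn
```

If "Private key : False" is reported while the same certificate shows a key icon under Current User in the MMC, the key lives in that user's key container rather than the machine's, and moving the certificate object between stores does not move the key.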
  • Stephan, I would imagine there's probably some kind of certificate option you selected on the certsrv page that invalidated the certificate for use with OCS.

    Usually I recommend using the OCS Certificate Wizard because it will use the correct templates and options. You can run the wizard from any machine with the OCS admin tools installed and after you create the cert simply export the certificate (don't forget to include the private key!) to a file and then import it on the CWA box. Or you could just install the OCS console on the CWA box and run the wizard locally. It will take care of putting the cert in the appropriate store as well.
    Tuesday, August 5, 2008 7:01 PM
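Tom's "include the private key" step is the part that is easy to get wrong with the MMC export dialog. The two helpers below are an added example, not code from the thread or from Microsoft: the first exports a certificate from the machine Personal store as a PFX that contains the private key, the second imports that PFX so the key is stored in the machine key container (MachineKeySet) and persists after the import (PersistKeySet). Function names, the thumbprint and the file path are placeholders I chose.

```powershell
# Added example (not from the thread). Uses only the .NET X509 classes, so it
# works on Windows Server 2008 era PowerShell as well as newer versions.

function Export-CertWithKey {
    param(
        [string]$Thumbprint,
        [string]$PfxPath,
        [System.Security.SecureString]$Password
    )

    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Thumbprint $Thumbprint not found in LocalMachine\My" }

    # Without the private key the PFX is no better than a .cer file: CWA could
    # present the certificate but never complete a TLS handshake with it.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate has no private key on this machine; export from the box that generated the request"
    }

    # Export throws if the key was generated as non-exportable; in that case
    # the certificate must be re-requested with an exportable key.
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($PfxPath, $bytes)
    return $bytes.Length
}

function Import-CertWithKey {
    param(
        [string]$PfxPath,
        [System.Security.SecureString]$Password
    )

    # MachineKeySet: the key goes into the machine container a service can open.
    # PersistKeySet: the key is kept after this X509Certificate2 object is gone.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet, PersistKeySet"
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password, $flags)

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    $store.Add($cert)
    $store.Close()

    return $cert.Thumbprint
}

# Usage: run the export on the machine that ran the OCS wizard, the import on the CWA box.
# $pw = Read-Host -AsSecureString "PFX password"
# Export-CertWithKey -Thumbprint "<THUMBPRINT-OF-CWA-CERT>" -PfxPath "C:\temp\cwa.pfx" -Password $pw
# Import-CertWithKey -PfxPath "C:\temp\cwa.pfx" -Password $pw
```

The intermediate and root CA certificates still need to be in LocalMachine\CA and LocalMachine\Root on the CWA box; the PFX produced here carries only the site certificate and its key.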
  • Tom

    I recall that installers for various roles have a certificate wizard, but CWA isn't one of them and I'm unable to find a certificate wizard in the reskit either so I'm wondering which tool (filename, or where in the management console, or which options to click through in the installer) your suggestion refers to.

    Actually, I see a wizard in the admin console I have on the OCS itself... and I managed to install it on my CWA server but the certificate wizard doesn't show up.

    Could you tell me what you mean by
    "don't forget to include the private key!" (as in which option do I click where)?

    I've been going through the documentation step by step again and I cannot wrap my head around a few things:

    For the MTLS certificate, step 5 is selecting the webserver certificate that you duplicated for the OCS2007 certificate - but I never did that - I used the certificate tools in the OCS installer. So all I have is the standard webserver template.
    In the installing the MTLS certificate part, step 12 seems to suggest there's a bug in the software... It cannot be that a cert may not be imported on some machines, can it? (And as it happens, after deleting everything and trying to re-add them, I don't even see the requested and imported certificate anymore.)

    Then there's the step about requesting and installing an SSL certificate which contains no useful information whatsoever.

    Somehow this whole thing just doesn't make sense.

    Could somebody give me a dummy's guide to setting up the certificates, starting with a blank slate server (so no copied certificate templates or anything the like) so that I can try that?

    Regards
    Stephan
    Wednesday, August 6, 2008 8:30 AM
    I finally got it working. However, the solution is something completely different than any suggestions I found online and the documentation. I had to open up the management console, add the certificate snap-in for local computer, then go to the personal certificates (where there was my existing certificate which I also added to IIS... no problems there) and request a new certificate. This created a computer certificate... and that did the trick. No idea why as the cert seems of a different type than any other certs I have in my OCS setup, but at least the cert was finally accepted.
    Wednesday, August 6, 2008 6:07 PM
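What Stephan's MMC request does behind the scenes is generate the key pair in the machine context instead of the logged-on user's. The script below is an added example, not code from the thread or from Microsoft, that does the same from a blank slate with certreq.exe: it writes a request INF with MachineKeySet = TRUE, submits it to the enterprise CA with the Web Server template, accepts the issued certificate into LocalMachine\My, and lists the result. The CA name is the one Stephan quotes; the CA host name and working directory are placeholders, and the FQDN is his CWA server.

```powershell
# Added example (not from the thread). Run elevated on the CWA box as a domain
# account that has Enroll permission on the Web Server template.
$fqdn     = "chdevweb01.devlab.ch"
$caConfig = "<DC-HOSTNAME>\devlab-CHDEVAD01-CA"   # placeholder host; CA name from the thread
$workDir  = "C:\temp"

# Request parameters in certreq INF syntax. ';' starts a comment line.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyLength = 2048
; KeySpec 1 = AT_KEYEXCHANGE, needed for TLS key exchange
KeySpec = 1
; 0xA0 = digitalSignature | keyEncipherment
KeyUsage = 0xA0
; The point of the whole thread: key pair lives in the machine key store
MachineKeySet = TRUE
; Allows a later PFX export including the private key
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
"@

$infPath = Join-Path $workDir "cwa.inf"
$reqPath = Join-Path $workDir "cwa.req"
$cerPath = Join-Path $workDir "cwa.cer"

# ASCII keeps certreq from tripping over a Unicode byte-order mark.
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# 1. Generate the machine key pair and the PKCS#10 request.
certreq.exe -new $infPath $reqPath
# 2. Submit to the CA; with an auto-issuing template the cert comes back immediately.
certreq.exe -submit -config $caConfig $reqPath $cerPath
# 3. Bind the issued certificate to the pending machine key in LocalMachine\My.
certreq.exe -accept $cerPath

# Verify: HasPrivateKey must be True for the installer to accept the cert.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$fqdn*" } |
    Select-Object Subject, HasPrivateKey, NotAfter, Thumbprint
```

If the CA is configured to hold requests for approval, step 2 prints a request ID instead of writing the .cer file; after an administrator issues it, `certreq.exe -retrieve <ID> cwa.cer` fetches the certificate and step 3 proceeds as above.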
  • I had this exact problem setting up CWA 2007 R2 on 2008 R2 and Stephan's solution worked. 

    Then I discovered that CWA didn't work and isn't supported on 2008 R2:(
    Friday, August 28, 2009 2:59 PM