locked
CWA Certificate is automatically removed from IIS binding RRS feed

  • Question

  • I have two certificates.  A MTLS certificate from my local certificate authority for the server FQDN.  This certificate installs fine through the CWA GUI.  I have another certificate, from a public issuer, for im.domain.com with SAN names download.im.domain.com and as.im.domain.com.  When I try to install this certificate, I get this warning:

    The certificate you selected is ussed for a subject that differs from the fully qualified domain name (FQDN) of this server.  If you continue, clients and other servers may not be able to connect to this server.  Do you wish to proceed with this certificate?

    Now, this warning is technically correct.  My certificate does not match the FQDN of the server.  But, it's not supposed to, it's supposed to be im.domain.com.  So what gives?  I have also tried this same certificate with the FQDN present in the SAN section, and receive the same error.

    Furthermore, if I assign the certificate anyway, within 15 minutes the IIS site for CWA loses the certificate settings in the SSL binding.  Its the strangest thing.  I'll assign the certificate, either through the CWA GUI or through the IIS bindings GUI.  Shortly thereafter I can no longer login to the CWA site, and I find that the HTTPS binding for my CWA site in IIS says "No certificate", and I have to reassign the certificate.  I've created a script that automatically assigns the certificate every 15 minutes, but that's far from ideal.

    Lastly, I've noticed another weird behavior.  When I open the CWA GUI and expand all the way down to the node that shows the "Connectivity" settings, it never loads the certificate settings.  The "HTTPS" line has a green check mark.  Every other line related to the certificate and IIS site always say "Retrieving data...".  The Next Hop Connections area also says "Retrieving Data..."

    My platform is Windows 2008 X64.
    • Edited by Ed051042 Friday, July 17, 2009 12:22 PM
    Friday, July 17, 2009 12:19 PM

All replies

  • So the first thing to check is that the Subject name matches the first SAN name. does it?


    Mitchr |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Friday, July 17, 2009 12:51 PM
  • Thank you for your reply.

    Yes, the subject name of the certificate matches the first entry in the SAN field.
    Friday, July 17, 2009 12:52 PM
  • I have not seen this before but I have a new CWA server to setup this weekend so I might try playing with it to see if i can get the same response. Usually the error you are getting indicates that the certificate is trying to be used for MTLS (which can be different the the CWA FQDN). so I wonder if you assign it then go check the MTLS cert and reassign it to the correct one whether that will help.


    Mitch Roberson |MCITP:Enterprise Server Admin, Messaging |MCTS:OCS with Voice Achievement |MCT
    Friday, July 17, 2009 8:41 PM