Edge: choose certificate screen is blank

  • Question

  • Has anybody faced such a situation: cert request created on the edge machine,
    response received, cert imported, cert console shows no error: chain of trust is OK
    (subordinate CA issued the certificate).

    But, if I want to choose the cert from the wizard, the list is completely blank, I cannot choose
    that certificate.

    The first time there was an issue with the intermediate CA's cert, but it was replaced with the correct one,
    and now the edge's certificate error "nonvalid signature" is gone.

    The cert has got the valid FQDN name, webserver template, expiration date is in the future etc...
    Friday, May 30, 2008 2:12 PM

Answers

  • Thx, I solved the problem. Deleted all the certs and CA certs, re-created the cert, and saved including the whole certificate chain. Now it works like charm :)
    Monday, June 2, 2008 8:44 AM

All replies

  • Did you use the OCS wizard to request and later import the certificate? If not, the certificate could be stored in the wrong location on the Edge server.

    Friday, May 30, 2008 8:13 PM
    Moderator
  • Yes, I created the request using the wizard; the cert is visible under the Personal store for the computer account.

    After some time I figured out that there is some kind of trust problem between the certificates. I skipped the wizard and used the admin tool to configure the certs on the edge, and it was able to list the generated certificate. However, after applying it, it also said that I have to choose a certificate from a trusted source, and ignored my certificate. So it has to be some kind of hidden trust problem, although the certificate MMC console shows no errors. Strange indeed.
    Saturday, May 31, 2008 7:35 AM


  • I would suggest checking whether you can download the CRL of the cert!

    If the cert is fine, then only the OCS cert wizard will let you see the cert; avoiding the OCS cert wizard is not going to resolve the issue.

    Regards,
    R. Kinker
    MCTS - LCS 2005, MCTS - OCS 2007
    http://www.ocspedia.com
    http://www.itcentrics.com/LCS_Home.htm
    Sunday, June 1, 2008 9:44 AM
  • Hello Richard,

    Is your Edge server trusting the root CA? Please verify that the CA is on the list of trusted root CAs!

    If it is not in the MMC Certificates snap-in under Trusted Root CAs on the Edge server, you need to export it from the CA and import it on the Edge server.

    Best regards,

    Jan

    Sunday, June 1, 2008 12:02 PM
  • What you probably did was create a certificate request, but you didn't have a valid certificate with a private key.

    I do this on purpose to get my external certs at one time, and cancel the requests as I go, saving the requests in text files to submit to a 3rd-party certificate authority.

    I simply fix the certificates (by getting the private key) by going to the server I did the original request from and following the article:

    How to assign a private key to a new certificate after you use the Certificates snap-in to delete the original certificate in Internet Information Services

    http://support.microsoft.com/kb/889651/en-us

    Without doing the above, the certs "look" OK, but have no private key... so they are not valid for OCS.

    -------

    The 2nd time through, you probably just ran through the wizard and did an immediate request directly to your CA, which created certs with a private key.

    Cheers.

    - Steve

    Wednesday, June 11, 2008 3:11 PM
  • I still say that the certificate seemed to be 100% OK, as it HAD a valid private key, according to the certificate MMC snap-in :)
    Wednesday, June 11, 2008 5:19 PM
  • If it had the private key, then it was a different issue than what I've seen. :)

    You can do a "certutil -dump" on the exported certificates (good vs. bad) to find out the differences;

    maybe one of the differences was the reason.

    Cheers.

    - Steve

    Wednesday, June 11, 2008 5:41 PM
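The replies above name several separate conditions a certificate must satisfy before a server role will list it: a private key bound to it (Steve), a root CA present in the Trusted Root store (Jan), a CRL that can actually be downloaded (R. Kinker), and the Server Authentication usage, matching FQDN and validity window the original poster checked by eye in the MMC. The following PowerShell script, added here as an example and not code from the thread or from OCS, runs all of those checks against every certificate in the computer's Personal store and reports them together, so a certificate that only "looks" fine in the snap-in is flagged. It assumes Windows PowerShell 2.0 or later with the `Cert:` drive, run elevated on the server; `edge.example.com` is a placeholder for the Edge server's external FQDN.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 2.0+ with the Cert: drive,
# run in an elevated session on the Edge server. Audits Cert:\LocalMachine\My for the
# conditions the thread discusses: private key, Server Authentication EKU, expected FQDN,
# a chain that builds to a root present in Trusted Root CAs, and an online CRL check.

function Test-EdgeCertificate {
    param(
        # Placeholder, not from the thread: the Edge server's external FQDN.
        [string]$ExpectedFqdn = 'edge.example.com'
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, what a "web server" template issues
    $trustedRoots  = Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint }

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # DNS name as .NET resolves it: SAN dNSName first, otherwise the subject CN.
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        # Enhanced Key Usage extension (OID 2.5.29.37); a missing EKU counts as "not server auth".
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $hasServerAuth = $false
        if ($ekuExt) {
            $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages |
                Where-Object { $_.Value -eq $serverAuthOid })
        }

        # Build the chain with online revocation checking, so an unreachable CRL or a root
        # that is not in the Trusted Root store both surface in ChainStatus.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chainOk = $chain.Build($cert)

        # The last chain element is the root the engine chose; confirm it is in LocalMachine\Root.
        $rootTrusted = $false
        if ($chain.ChainElements.Count -gt 0) {
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $rootTrusted = ($trustedRoots -contains $root.Thumbprint)
        }

        $statusText = ($chain.ChainStatus | ForEach-Object {
            '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }) -join '; '

        $nameMatches = ($dnsName -eq $ExpectedFqdn)   # -eq is case-insensitive in PowerShell
        $notExpired  = ($cert.NotAfter -gt (Get-Date))

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            DnsName       = $dnsName
            NameMatches   = $nameMatches
            HasPrivateKey = $cert.HasPrivateKey   # shows as valid in MMC, but unusable without this
            ServerAuthEku = $hasServerAuth
            NotAfter      = $cert.NotAfter
            ChainBuilds   = $chainOk
            RootTrusted   = $rootTrusted
            ChainStatus   = $statusText
            UsableForEdge = ($cert.HasPrivateKey -and $hasServerAuth -and $chainOk -and
                             $rootTrusted -and $nameMatches -and $notExpired)
        }
    }
}

Test-EdgeCertificate -ExpectedFqdn 'edge.example.com' |
    Format-List Subject, DnsName, NameMatches, HasPrivateKey, ServerAuthEku,
                NotAfter, ChainBuilds, RootTrusted, ChainStatus, UsableForEdge
```

Any certificate whose `UsableForEdge` is `False` will show which individual check failed; a `ChainStatus` containing `RevocationStatusUnknown` or `OfflineRevocation` points at the CRL download problem R. Kinker mentions, `UntrustedRoot` at the missing root CA Jan asks about, and `HasPrivateKey = False` at the request-without-key case Steve describes.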