CWA MTLS Certificate during install

  • Question

  • I have a new 2007 R2 OCS setup that I am now trying to set up CWA on. During the install I keep getting an error: "The certificate you selected is not valid. Please select a valid MTLS certificate."

    I've tried multiple ways but cannot seem to get a valid cert. The CA is an internal 2008 R2 Enterprise Server that has issued the certs to the OCS server fine.

    I tried to use the following command line -

    LcsCmd.exe /Cert /Action:Request /sn:server.xxx.local /san:cwa.server.xxx.local,download.server.xxx.local,as.server.xxx.local /ca:ca.xxx.local\CA /OU:xxx /org:xxx /country:xx /city:xxx /state:xxx /friendlyName:CWA_Certificate /exportable

    I then import the certificate and it looks fine, but doesn't work. I've tried with and without the SAN as well.

    I've also tried from the OCS 2007 R2 Management Console and the CA Web Server (https://ca.xxx.local/CertServ).

    I also set up a new certificate template and made the private keys exportable.

    I'm stumped... Does anyone have any idea?

    Also, the certificate template is for Server Authentication as the Intended Purpose. Should this be different?

    Thursday, November 19, 2009 2:20 AM

All replies

  • So I finally fixed this....

    It ended up that I needed to request the certificate, import it to the local stores, then export it again with the private key and re-import it to the computer store marked as exportable.....

    Monday, November 23, 2009 3:35 AM
  • Hi,

    I am getting the exact same error. How do you export the certificate with the private key? I have no option available when doing it with the cert.msc... It only summarizes that no keys are exported.. Same with the exportable mark when I import it again..

    I would appreciate your input, since I am stuck here..

    Thanks!
    Dennis
    Wednesday, December 2, 2009 2:47 PM
  • Dennis,

    If your original certificate request was not configured to allow the private key to be exported, then you will not be presented with that option. If this is the case then unfortunately you cannot export that cert/key pair from the computer it's currently installed on. You would need to perform a new certificate request and replace that existing certificate.

    It's also possible that the certificate you are attempting to export doesn't even have the private key 'in' it, so you'd be in the same boat.

    Although not OCS-related, this blog article covers some of those concepts; you may want to check it out:
    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=49


    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Wednesday, December 2, 2009 4:04 PM
    Moderator
  • The curious thing is that I used the /exportable parameter when doing the request (MTLS) with lcscmd...:

    LcsCmd.exe /Cert /Action:Request /sn:cwa.domain.com /filename:d:\CWACertMTLS.txt /OU:Computers /org:"Test AG" /country:DE /city:City /state:State /friendlyName:CWA_Certificate /exportable:TRUE /online:false

    I still get no option to export the key.. Is there any other workaround to get this certificate working? When I used an online CA it worked beautifully, but at the moment an online CA is not available..
    Thursday, December 3, 2009 8:37 AM
  • I could get it working by importing it with lcscmd:

    LcsCmd.exe /Cert /Action:ImportResponse /Filename:c:\CertResponse.cer

    Now I have a corresponding private key... the MMC snap-in didn't do it..

    Thanks anyway!
    Thursday, December 3, 2009 2:27 PM
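The replies above come down to three checks on the imported certificate: whether a private key is actually bound to it in the computer store, whether that key was marked exportable at request time, and whether the intended purpose and names fit the CWA server. The following PowerShell function is an added example (not from this thread or from OCS/LcsCmd) that runs those checks on a certificate in LocalMachine\My; the thumbprint and FQDN values at the bottom are constructed placeholders.

```powershell
# Added example: report why a certificate in LocalMachine\My might be
# rejected as an MTLS certificate. Requires Windows PowerShell 5.1 / .NET 4.6+.
function Test-MtlsCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Fqdn    # name the CWA service answers on
    )
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $problems = @()

    # 1. A private key must be bound to the certificate in the computer store.
    if (-not $cert.HasPrivateKey) {
        $problems += 'No private key is associated with this certificate.'
    }
    else {
        # 2. Was the key marked exportable at request time? CAPI keys expose
        #    CspKeyContainerInfo.Exportable; CNG keys expose Key.ExportPolicy.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        $exportable = if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $rsa.CspKeyContainerInfo.Exportable
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
        } else { $null }    # non-RSA key: exportability not determined here
        if ($exportable -eq $false) {
            $problems += 'Private key is present but not exportable; re-request with /exportable:TRUE.'
        }
    }

    # 3. Intended purpose must include Server Authentication (OID 1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')) {
        $problems += 'Enhanced Key Usage does not include Server Authentication.'
    }

    # 4. The FQDN must appear in the Subject CN or in the SAN extension.
    #    Format() output is locale-dependent; 'DNS Name=' is the English form.
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = @($cert.GetNameInfo('SimpleName', $false))
    if ($san) { $names += ($san.Format($false) -split ', ') -replace '^DNS Name=' }
    if ($names -notcontains $Fqdn) {
        $problems += "Neither Subject nor SAN contains $Fqdn (found: $($names -join ', '))."
    }

    if ($problems.Count -eq 0) { "OK: $($cert.Subject) looks usable for MTLS." }
    else { $problems | ForEach-Object { "PROBLEM: $_" } }
}

# Constructed placeholders; replace with the real thumbprint and CWA FQDN.
Test-MtlsCertificate -Thumbprint 'THUMBPRINT_PLACEHOLDER' -Fqdn 'cwa.server.xxx.local'
```

Run it in an elevated session on the CWA server; if it reports a missing or non-exportable key, the fix is the one the thread describes: a fresh request with /exportable:TRUE imported via LcsCmd /Action:ImportResponse rather than the MMC snap-in.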