Private key handle error applying certificate in ISA2006

  • Question

  • Hi all,

    I'm trying to create a reverse proxy for OCS by making a web site firewall policy in ISA 2006 but I'm stuck with a private key handle error with one of my certificates. I am able to import it as a valid certificate but once I would like to apply it on the listener in ISA I'm seeing the Private key handle error.

    The strange thing is that when I import my certificate on the ISA server, and I open the MMC certificate console it is recognised as a valid certificate. After importing it will be placed in the Personal folder of the Current User Certificates. So to make it selectable in the listener configuration I'm moving it to the Personal folder of the Local Computer Certificates.

    I was following all the steps on the following sites but I'm still stuck with the private key handle error.

    http://www.microsoft.com/technet/isa/2004/plan/tscerts.mspx

    http://forums.microsoft.com/Ocs2007publicbeta/ShowPost.aspx?PostID=1768874&SiteID=57

    I have tried the following:

    • creating and exporting the certificate from the IIS web server on the OCS machine, then importing it on the ISA machine
    • exporting the private key with the certificate
    • using the certificate wizard in OCS to create and export a certificate; this gives the same error in ISA
    • using the right fully qualified name (subject name is public domain name, alternative name is internal OCS name) for the certificate
    The strange thing is that the certificate is valid when clicking on it on the ISA machine.

    What else could I try?

    /Thomas

    Tuesday, August 7, 2007 7:06 AM

Answers

  • We got it running.

    There was nothing wrong with the certificates created but you should import it on the local computer (certificate MMC) on the ISA machine. Right click on the MMC certificate tree, follow the import wizard steps and it will be installed under the personal folder (this is the default and right location). Now the private key error doesn't occur anymore.

    Regarding ISA 2006 we have discovered that our current installation was malfunctioning. It couldn't be configured anymore with a reverse proxy. It simply couldn't redirect traffic to the internal OCS machine anymore.

    We have re-installed another virtual instance with ISA2006 and configured it exactly the same. This time the reverse proxy works as designed! We still don't know why our previous ISA installation couldn't be configured ... maybe the software version is from another build and has some bugs.

    So my advice is to follow the steps in the Edge Server Deployment guide regarding the reverse proxy. And for creating certificates the certificate wizard in OCS is the best tool. You can easily create certificates for all your servers that should be accessible with an internal and external fully qualified name.

    That's it for now.

    /Thomas

    Saturday, August 11, 2007 5:14 AM
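As an added check that is not part of the original thread: a PowerShell script (assuming PowerShell 3.0 or later on the ISA host, and the optional `$SubjectFilter` parameter is a constructed convenience) that lists the certificates in the Local Computer Personal store and reports whether each one has a private key that can actually be opened, which is the condition a web listener needs and the one missing when the certificate was imported into the Current User store and then moved.

```powershell
# Added example, not from the original thread: report the private-key state of every
# certificate in the Local Computer Personal store (Cert:\LocalMachine\My).
param(
    # Optional substring of the subject to restrict the check (constructed parameter).
    [string]$SubjectFilter = ''
)

function Get-ListenerCertificateState {
    param([string]$Filter)

    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $Filter -eq '' -or $_.Subject -like "*$Filter*" } |
        ForEach-Object {
            $cert  = $_
            $state = 'OK'
            if (-not $cert.HasPrivateKey) {
                # Certificate only, no key: typically a .cer import or a .pfx imported
                # into Current User and then dragged into Local Computer.
                $state = 'NO PRIVATE KEY - re-import the .pfx directly into Local Computer\Personal'
            }
            else {
                try {
                    # Reading PrivateKey forces the provider to open the key container;
                    # a missing container throws here. CNG-stored keys return $null.
                    if ($null -eq $cert.PrivateKey) {
                        $state = 'KEY FLAGGED BUT NOT OPENABLE (CNG key or missing container)'
                    }
                }
                catch {
                    $state = "PRIVATE KEY HANDLE ERROR: $($_.Exception.Message)"
                }
            }
            [pscustomobject]@{
                Subject    = $cert.Subject
                # DnsNameList is added by the Cert: provider (PowerShell 3.0+) and shows the
                # subject alternative names, e.g. the internal OCS name.
                DnsNames   = ($cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Status     = $state
            }
        }
}

Get-ListenerCertificateState -Filter $SubjectFilter | Format-Table -AutoSize
```

Run it in an elevated session on the ISA host; any entry not reporting OK is the one the listener will reject, and the fix the answer describes (import the .pfx straight into the Local Computer store) applies to it.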

All replies

  • If you open the local computer Certificate Manager, you should be able to import the Certificate directly using the Certificate Import Wizard.

    The imported local computer certificates should be visible in ISA.

    Tuesday, August 7, 2007 9:42 AM
  • I have tried this already but it doesn't work. I'm still getting the private key error.
    Tuesday, August 7, 2007 1:08 PM
  • Worked like a charm.
    Thank-you
    Friday, October 9, 2009 5:17 AM