Re: Cert generation in Windows SBS 2008

Try a couple of things;

a) install and run the SBS 2008 BPA and see what it turns up.
b) run the "fix my network wizard"

If neither works, it will be question and answer time:

a) what is the name you used on the certificate?
b) what is the URL you use to access RWW?
c) was this a migration, or a fresh (new domain) installation?

--
Les Connor [SBS-MVP]


____________________________
"Max C" <> wrote in message
news:60a2bd4e-d959-4d11-b9b2-...
>I just installed a new SBS 2008 server and was denied access to RWW...
> citing a problem with the certificate. To make a very long story
> short, I went into the CA management window and Revoked the 2
> certificates there, deleted the Certificate Installation package and
> went into the Internet Address Wizard and ran it again.
>
> After running the wizard, I could see a new cert in the CA management
> window, and could verify that it was, indeed, the cert being used by
> the RWW website.
>
> The problem is that the cert that was included in the Installation
> Package I'm supposed to give out to the remote users isn't the same
> cert I can see in the CA management window or the RWW web site. It
> has a different name as well as a different serial number.
>
> I know that the wizard isn't creating 2 different certs because the
> cert in the installation package is dated yesterday. It probably the
> 1st cert generated by the SBS 2008 installation. The question is,
> where is that cert and how do I replace it? It's not listed in the CA
> management window.
>
> Thanks for any insights. I'm far from a cert pro, so feel free to
> talk down to me.
>
> Max.

And, after doing all this and browsing to
https://remote."mypublicdomain".com/remote (say, from the SBS server
console), do you still get an invalid cert?

If you install the cert on a workstation in the lan, can you go to the above
URL, same behaviour?

--
Les Connor [SBS-MVP]


____________________________
"Max C" <> wrote in message
news:b972a284-5e12-4634-8397-...
Thanks for the reply, Les. Answers in line below.


> Try a couple of things;
>
> a) install and run the SBS 2008 BPA and see what it turns up.

I installed the Best Practices Analyzer and ran it. It found only 1
thing, which was:
"The Network Service is missing local activation permissions to the
IIS WAMREG admin Service in accordance with the event ID 10016 in the
system event log. For more information, see KB "Event ID error
messages 10016 and 10017 are logged in the System log after you
install Windows SharePoint Services 3.0" at
http://go.microsoft.com/fwlink/?LinkId=128063."

I followed the link and followed the instructions, but didn't have
very high hopes since the link said I could safely ignore this error.

> b) run the "fix my network wizard"

I've done this several times. This is actually how I've been
regenerating the Cert Install package.

> If neither works, it will be question and answer time:

Yeah, afraid so. Here we go....

> a) what is the name you used on the certificate?

remote."mypublicdomain".com (obviously not "mypublicdomain")

> b) what is the URL you use to access RWW?

remote."mypublicdomain".com/remote Of course, while I'm on the same
subnet, I just type in 192.168.0.20/remote to access the RWW page.

> c) was this a migration, or a fresh (new domain) installation?

Brand new domain and server set up.

After running the BPA and fixing that 1 issue, I revoked the only Cert
in the CA management window in the "Issued Certificates" section.
Then I deleted the zip file and folder for the cert installation
package. The I ran the "Set Up You Internet Address" wizard to
generate a new cert. The cert was created and issued to
"remote.'mypublicdomain'.com" and was issued by "MYLOCALDOMAIN-
SERVERNAME-CA" and its serial # begins with 13 81 d3 28

Next I ran the "Fix My Network" wizard. It found only that the cert
install files were missing (actually it says they're out of date) and
then recreated the cert install files. When I open the cert in those
install files, both the issued to and issued by are the same. They
both say "MYLOCALDOMAIN-SERVERNAME-CA" and the serial # begins with 5c
1b 0b e3

So, it's an entirely different certificate being put in the cert
installation package... and I can't figure out why or from where it's
coming.

Thanks again for the reply.

Max.

>
> --
> Les Connor [SBS-MVP]
>
> ____________________________"Max C" <maxc...@gmail.com> wrote in message
>
> news:60a2bd4e-d959-4d11-b9b2-...
>
> >I just installed a new SBS 2008 server and was denied access to RWW...
> > citing a problem with the certificate. To make a very long story
> > short, I went into the CA management window and Revoked the 2
> > certificates there, deleted the Certificate Installation package and
> > went into the Internet Address Wizard and ran it again.
>
> > After running the wizard, I could see a new cert in the CA management
> > window, and could verify that it was, indeed, the cert being used by
> > the RWW website.
>
> > The problem is that the cert that was included in the Installation
> > Package I'm supposed to give out to the remote users isn't the same
> > cert I can see in the CA management window or the RWW web site. It
> > has a different name as well as a different serial number.
>
> > I know that the wizard isn't creating 2 different certs because the
> > cert in the installation package is dated yesterday. It probably the
> > 1st cert generated by the SBS 2008 installation. The question is,
> > where is that cert and how do I replace it? It's not listed in the CA
> > management window.
>
> > Thanks for any insights. I'm far from a cert pro, so feel free to
> > talk down to me.
>
> > Max.

On the server, when you look in users\public\public downloads\certificate
distribution package, do you see a cert called SBSCertificate?

And in the zip file, same named cert?

This cert is issued to and by domain-servername-CA, and works for me.

In my certification authority, I have 6 certs. I haven't manipulated
anything manually. I'd not recommend revoking anything, different certs are
used for different purposes.

--
Les Connor [SBS-MVP]


____________________________
"Max C" <> wrote in message
news:b972a284-5e12-4634-8397-...
Thanks for the reply, Les. Answers in line below.


> Try a couple of things;
>
> a) install and run the SBS 2008 BPA and see what it turns up.

I installed the Best Practices Analyzer and ran it. It found only 1
thing, which was:
"The Network Service is missing local activation permissions to the
IIS WAMREG admin Service in accordance with the event ID 10016 in the
system event log. For more information, see KB "Event ID error
messages 10016 and 10017 are logged in the System log after you
install Windows SharePoint Services 3.0" at
http://go.microsoft.com/fwlink/?LinkId=128063."

I followed the link and followed the instructions, but didn't have
very high hopes since the link said I could safely ignore this error.

> b) run the "fix my network wizard"

I've done this several times. This is actually how I've been
regenerating the Cert Install package.

> If neither works, it will be question and answer time:

Yeah, afraid so. Here we go....

> a) what is the name you used on the certificate?

remote."mypublicdomain".com (obviously not "mypublicdomain")

> b) what is the URL you use to access RWW?

remote."mypublicdomain".com/remote Of course, while I'm on the same
subnet, I just type in 192.168.0.20/remote to access the RWW page.

> c) was this a migration, or a fresh (new domain) installation?

Brand new domain and server set up.

After running the BPA and fixing that 1 issue, I revoked the only Cert
in the CA management window in the "Issued Certificates" section.
Then I deleted the zip file and folder for the cert installation
package. The I ran the "Set Up You Internet Address" wizard to
generate a new cert. The cert was created and issued to
"remote.'mypublicdomain'.com" and was issued by "MYLOCALDOMAIN-
SERVERNAME-CA" and its serial # begins with 13 81 d3 28

Next I ran the "Fix My Network" wizard. It found only that the cert
install files were missing (actually it says they're out of date) and
then recreated the cert install files. When I open the cert in those
install files, both the issued to and issued by are the same. They
both say "MYLOCALDOMAIN-SERVERNAME-CA" and the serial # begins with 5c
1b 0b e3

So, it's an entirely different certificate being put in the cert
installation package... and I can't figure out why or from where it's
coming.

Thanks again for the reply.

Max.

>
> --
> Les Connor [SBS-MVP]
>
> ____________________________"Max C" <maxc...@gmail.com> wrote in message
>
> news:60a2bd4e-d959-4d11-b9b2-...
>
> >I just installed a new SBS 2008 server and was denied access to RWW...
> > citing a problem with the certificate. To make a very long story
> > short, I went into the CA management window and Revoked the 2
> > certificates there, deleted the Certificate Installation package and
> > went into the Internet Address Wizard and ran it again.
>
> > After running the wizard, I could see a new cert in the CA management
> > window, and could verify that it was, indeed, the cert being used by
> > the RWW website.
>
> > The problem is that the cert that was included in the Installation
> > Package I'm supposed to give out to the remote users isn't the same
> > cert I can see in the CA management window or the RWW web site. It
> > has a different name as well as a different serial number.
>
> > I know that the wizard isn't creating 2 different certs because the
> > cert in the installation package is dated yesterday. It probably the
> > 1st cert generated by the SBS 2008 installation. The question is,
> > where is that cert and how do I replace it? It's not listed in the CA
> > management window.
>
> > Thanks for any insights. I'm far from a cert pro, so feel free to
> > talk down to me.
>
> > Max.