RE: Getting rid of a rogue SSL certificate
- From: "Paul Campanale" <PaulCampanale@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 13 Apr 2005 15:45:03 -0700
Godfrey,
From what you have told me, you only have a single IP bound to your external
NIC. That's good; in my case I have 6 IPs and you must configure ISA
accordingly.
First, make sure you have not installed the certificate as a personal cert on
the SBS browser. To check, go to Internet Properties, Content, Certificates.
Remove it from the list if it's there.
Now open the ISA mmc on your SBS, go to "Servers and Arrays" and right-click
on your server name, then select Properties. Click on the "Incoming Web Request"
tab. Select
"Configure listeners individually per IP...". If your external IP does not
show, click Add and find the external IP of the SBS. Put a check in "Use
server certificate..."; it should default to the cert. store and should list
all certificates you have created. Use the most recent cert. created when you
ran the CEICW. You will also need to select "Integrated Authentication".
Click OK and OK; the service will need to restart. If you're familiar with
ISA, do not mess with the Web Publishing rules. The default action is to
redirect incoming requests to "publishing.YourInternalDomainName.local".
If this does not remove the bogus cert., let me know. Also, attempt to
connect to remote workplace from another location to be sure the cert being
passed is the same. Another note: are you running a website (other than
SharePoint, OWA or CompanyWeb)??
I am asking to determine how far from the default install of SBS you are.
Let me know.
Paul
"Godfrey Nicholson" wrote:
> Hello Paul:
>
> Thanks for your response; here are my answers:
>
> (i) I am running ISA 2000 (SBS2003 premium with everything installed and
> running)
> (ii) Multiple IPs?? I am not sure what you are asking. I have a public static
> IP which is automatically attached to the external side of my router (Do you
> want to know more?)
> (iii) Yes, the CEICW wizard is run whenever anything is changed, as is the
> Remote Access Wizard. I haven't recreated the certificates for, perhaps, a
> week now. I also have a commercial certificate but I am not able to attach
> that using the CEICW wizard or by attaching directly through the IIS
> Directory Security tab. (The self-signed certificates used to work (like at
> the beginning of the year) but I can't figure anything significant that has
> happened since then, apart from security updates!!)
>
> I would be so grateful for any suggestions you can make.
>
> Godfrey
>
> "Paul Campanale" wrote:
>
> > Godfrey,
> > I was perusing the forum and noticed your post. I have seen this issue
> > before on a SBS 2003. I need to know the following: Are you running ISA
> > 2000? Have you configured multiple IP’s on the external interface? Have you
> > tried to run the “connect to the Internet” wizard on your SBS Tools? If so,
> > you should have been asked to recreate the cert., did you?
> > Remember that ISA caches the cert. for both internal and external users and
> > depending on how your external interface is configured will determine which
> > cert. is used when outside users attempt an SSL connection to your remote
> > workplace or OWA.
> > I have also read several threads off other forums that prove how ISA
> > corrupts the cert. when it attempts to hash the packet.
> > Answer the above and I’ll give you my suggestions.
> > Paul
> >
> > "Godfrey Nicholson" wrote:
> >
> > > Charles:
> > >
> > > Thank you for your persistence
> > >
> > > I thought it might be helpful if I tried to clarify where I am at with
> > > trying to get https://mydomain/remote access working on SBS2003 Premium.
> > > (1) When I try to connect remotely using this approach, I get the Security
> > > Alert that says "The name on the security certificate does not match the name
> > > on the site."
> > > (2) If I click on View Certificate I see a certificate:
> > > (i) This certificate is authentic.
> > > (ii) It is issued by an authentic authority and issued to a legitimate
> > > web site
> > > (iii) I have had nothing to do with either of these entities
> > > (iv) there is no certificate anywhere on my server that corresponds to
> > > what I see. I have searched *.cer to look for such a certificate
> > > (v) None of the IIS Directory Security tabs show the certificate.
> > > (vi) I can enter a certificate in the IIS Directory Security tabs but
> > > this other certificate blocks https:// access.
> > > (vii) I have referred to this other certificate as a "rogue"; I could
> > > have used other words like "unknown", "orphan", "stray", "ghost", ...
> > > (viii) This other certificate does not appear in the mmc certificates
> > > snap in
> > > (ix) It does not appear in IE
> > > (x) There is therefore no way I can replace it with a certificate of my
> > > choice.
> > > (3) I have uninstalled and reinstalled IIS using the instructions of the
> > > link you sent me. This process took about three hours but no problems/errors
> > > occurred.
> > > (4) I have a question: If what I am seeing is a compiled/embedded image that
> > > is cut off from its originating object, where would this most likely be
> > > found? Is it associated with IE or with IIS or with WSS or something else?
> > > (5) Unless you have a better idea, or some new information, it looks as
> > > though I will need to reinstall SBS2003! (Please tell me there is a better
> > > way to solve this!!)
> > >
> > > Godfrey
> > >
> > >
> > >
> > >
> > > "Charles Yang [MSFT]" wrote:
> > >
> > > > Hi Godfrey,
> > > >
> > > > Thanks for updates.
> > > >
> > > > I am sorry for not making things so clear.
> > > >
> > > > Now let me describe it more clearly: you can search in the metabase.xml for
> > > > the SSLCertHash. You will find two of these in this file; one is located
> > > > in /lm/w3svc/1 and the other is located in /lm/w3svc/4. Then you can
> > > > replace the one on /lm/w3svc/4 with the one you copied from the /lm/w3svc/1,
> > > > then save the file as a test.
> > > >
> > > > I appreciate your understanding on this issue. I am here waiting for your
> > > > updates.
> > > >
> > > > Best regards,
> > > >
> > > > Charles Yang (MSFT)
> > > >
> > > > Microsoft CSS Online Newsgroup Support
> > > >
> > > > Get Secure! - www.microsoft.com/security
> > > >
> > > > =====================================================
> > > > When responding to posts, please "Reply to Group" via your newsreader so
> > > > that others may learn and benefit from your issue.
> > > > =====================================================
> > > >
> > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > >
> > > >