Re: Publishing Versus Mail for CSR on SBS 2003 Premium
- From: "Cris Hanna [SBS - MVP]" <crisnospamhanna@xxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 8 Jun 2009 13:56:48 -0500
I have always exported the .cer file from a user workstation. Copy it to the root of the mobile device, navigate to the .cer file on the device, double tap the file and install it. Warning goes away.
--
Cris Hanna [SBS - MVP]
Co-Contributor, Windows Small Business Server 2008 Unleashed
http://www.amazon.com/Windows-Small-Business-Server-Unleashed/dp/0672329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr=8-1
Owner, CPU Services, Belleville, IL
A Microsoft Registered Partner
------------------------------------
MVPs do not work for Microsoft
Please do not submit questions directly to me.
"thejamie" <thejamie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:DAFDA081-EC32-4A79-B75D-A220986F56F1@xxxxxxxxxxxxxxxx
Maybe there is still a bigger picture here...
I notice how one user solved the mobile device problem (can be fixed in the
following way):
Instead of exporting from \\server\clientapps\sbscert, use the client
machine and export the same cert from there as a DER X.509 to be imported by
the device (unsure why it would be different but it worked for this user).
More importantly I notice the ISAcert.cer on a default install (meaning, the
ISA 2004 was completely uninstalled, then reinstalled using all default
settings and rules created during a fresh install of ISA2004) is not in the
trusted root folder whereas sbscert.cer is and both are located at
\\server\clientapps\sbscert.
Both point to exactly the same certificate. I'm not entirely sure why there
are two names in the same folder for the same certificate and how ISA
interacts with one or the other or both. Was there something that happened
during the install of SBS three years ago that did not happen when ISA 2004
was reinstalled?
--
Regards,
Jamie
"Cris Hanna [SBS - MVP]" wrote:
> And what makes you think the self-signed SSL cert can't be installed on the Mobile devices? I do it all the time.
>
> --
> Cris Hanna [SBS - MVP]
> Co-Contributor, Windows Small Business Server 2008 Unleashed
> http://www.amazon.com/Windows-Small-Business-Server-Unleashed/dp/0672329573/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1217269967&sr=8-1
> Owner, CPU Services, Belleville, IL
> A Microsoft Registered Partner
> ------------------------------------
> MVPs do not work for Microsoft
> Please do not submit questions directly to me.
>
>
> "thejamie" <thejamie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:0F56B707-43C2-4ED9-BBC9-71742AAB6A29@xxxxxxxxxxxxxxxx
> Trying to ready the site for access via cell phone.
> --
> Regards,
> Jamie
>
>
> "Larry Struckmeyer [SBS-MVP]" wrote:
>
> > Hi Jamie:
> >
> > What issues are you having with your self signed cert in SBS 2003 that
> > prompts the need for a third party one?
> >
> > With self signed certs, and SBS 2003, the name that goes in the CEICW is
> > whatever name is assigned by the ISP that controls your public DNS that
> > points to your public IP address. For ease of use, and so that you don't
> > have to bother the ISP, this is frequently, but not always,
> > "mail.yourdomain.com" *because* the ISP has already created such a record.
> > But you could use "fubar.yourdomain.com" or even just your public IP address
> > if you want to remember all those numbers.
> >
> > Once you run the CEICW and put the chosen name in the wizard, all the
> > necessary SBS stuff is done auto magically for you.
> >
> > The same would be true with a third party cert if you use a name for which
> > the ISP creates a pointer to your public IP address.
> >
> > --
> > Larry
> > Please post the resolution to your
> > issue so that others may benefit.
> >
> >
> > "thejamie" <thejamie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> > news:7DDC7655-C62E-47F4-AB30-5DBF72A0BF37@xxxxxxxxxxxxxxxx
> > > After difficulty installing a third party certificate, I've rolled back to a
> > > default SBS 2003 / ISA 2004 (Premium) installation and revoked my original
> > > certificate. Before I try to create a new one, there are several questions
> > > I feel I should answer before proceeding to create a second certificate for
> > > the site.
> > >
> > > Since the ISA rules are to follow a certain order, the first one that
> > > creates a denial is the stop that keeps the firewall from checking for
> > > further conditions. Based on this and the order of the rules, I presume that
> > > the non-Sharepoint - web publishing rules (Outlook via Internet, OWA, SBS
> > > Monitoring, RWW, and OWA) will be the gateway into the exchange email from
> > > the internet. And these rules require a Public name that matches one given
> > > to the site by an upstream DNS server, so this is the real name that should
> > > be provided for the site certificate in order to properly resolve the name
> > > (at least, this is the lesson I believe I learned during my last fiasco).
> > >
> > > By default, the self-signed certificate is publishing.mydomain.com. In the
> > > explanation on
> > > http://blogs.technet.com/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx
> > > the CSR creation suggests that this be changed over to "mail" rather than
> > > "publishing"
> > >
> > > 1) Is this because the MX record which is public via the Network Solutions
> > > (or whoever runs the upstream DNS) creates this name for the site? I notice
> > > that my public record has only my IP address as a Host(A) record and the MX
> > > record is the only public name that contains my domain name.
> > >
> > > 2) When creating the CSR, it appears from the web site that both the HOST
> > > HEADER and the CERTIFICATE NAME use this convention - MAIL.MYDOMAIN.COM.
> > > When the CSR is viewed, it looks like the organization name is the
> > > information that goes into the Host Header although this is not explained.
> > > Looking more closely, the Organization Unit should likely also have this name
> > > or does the OU not matter so much on a CSR other than another element of the
> > > encryption used to create the certificate so technically, this can be
> > > anything I want it to be?
> > >
> > > 3) When the CSR goes to the CA, it returns a Request File Summary. It is
> > > the "Issued To" name that may or may not be important to how the public name
> > > is resolved, but more importantly, this is one of the parts of how the name is
> > > resolved when the CA creates the certificate... this plus the Organization
> > > and the Organizational Unit are used to create the encryption certificate
> > > request (if I understand it correctly). From the information given on the
> > > technet blog above, the advice is to call the organization "Certificate", and
> > > the Organizational Unit "Creation". As this does not seem to pertain to the
> > > real world, perhaps this is the Certificate Name which will show when the
> > > certificate is returned from the CA as in Certificate.crt (assuming GoDaddy
> > > here)?
> > >
> > > 4) Since the Organization Unit name is called "Creation" in the example, the
> > > name probably doesn't matter here - so, to be more precise, should this name
> > > actually be MYCompany name (or in the case of a DBA - doing business as)
> > > possibly my given name?
> > >
> > > 5) Since the default configuration for SBS creates the Host (A) record in
> > > the DNS forward lookup zone on the local machine for the word "Publishing"
> > > and since in the example we use "mail" instead, and since the MX record is
> > > also "mail", is it necessary to create a forward lookup zone called "mail" or
> > > is this created by default somewhere in the magical bowels of SBS?
> > > --
> > > Regards,
> > > Jamie
> >
> >
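The thread notes that sbscert.cer and ISAcert.cer appear to be the same certificate, and that a DER X.509 export behaved differently on the device than the copy from the share. The following is an added example, not part of any poster's message, showing one way to check both points: normalize each .cer file to DER, compare SHA-1 thumbprints (the value Windows shows in the certificate's Thumbprint field), and report which encoding each file uses. The function names are hypothetical and the sample bytes are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import re

# Base-64 (.CER) exports wrap the DER bytes between these armor lines.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

def to_der(data):
    """Return (encoding, der_bytes) for the raw contents of a .cer file."""
    m = PEM_RE.search(data)
    if m:
        # Base-64 export: strip CR/LF and spaces, then decode the body.
        body = re.sub(rb"\s+", b"", m.group(1))
        return "base64", base64.b64decode(body, validate=True)
    if data[:1] == b"\x30":
        # DER export: a certificate is an ASN.1 SEQUENCE (tag byte 0x30).
        return "der", data
    raise ValueError("not a DER or Base-64 X.509 certificate file")

def thumbprint(data):
    """SHA-1 over the DER bytes, upper-case hex, independent of file encoding."""
    _, der = to_der(data)
    return hashlib.sha1(der).hexdigest().upper()

def compare(a, b):
    """Say whether two .cer files hold the same certificate and encoding."""
    enc_a, der_a = to_der(a)
    enc_b, der_b = to_der(b)
    return {
        "same_certificate": der_a == der_b,
        "same_encoding": enc_a == enc_b,
        "encodings": (enc_a, enc_b),
    }

# Constructed stand-in for certificate bytes (not a real certificate),
# once as a DER file and once as a Base-64 file with Windows line endings.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_B64 = (
    b"-----BEGIN CERTIFICATE-----\r\n"
    + base64.encodebytes(SAMPLE_DER).replace(b"\n", b"\r\n")
    + b"-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    print(compare(SAMPLE_DER, SAMPLE_B64))
    print(thumbprint(SAMPLE_DER))
```

To use it on real files, pass `open(path, "rb").read()` for each .cer file to `compare`; matching thumbprints with different encodings means the files differ only in how the same certificate is stored.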