Tuesday, 2 June 2015

123-reg auto renew SSL .crt certificate won't load in ISA Server, no key, can't export .pfx

We've got an Exchange Server 2003 as part of an SBS 2003 setup, just hanging in on its last couple of months before it gets upgraded - just before the July 2015 sunset on security updates. You best contact redleg.net if you haven't planned upgrading from Server 2003 yet.


The replacement Alpha SSL certificate came as a plain text email, to be saved as a .crt file and imported. I loaded the MMC, added the Certificates option to manage the Local Computer certificate store, and easily imported it into the Personal section. From there, head to IIS Manager > Default Website > Properties > Directory Security > Server Certificate and change to the updated certificate.

Easy enough. However, on SBS 2003 Premium, running ISA Server as the firewall, you also need to update the certificate in the ISA Outlook web publishing rule. Right-click on the rule > Properties > Listener > Properties > Preferences > SSL > Select.

But the new certificate doesn't appear on the list. That's because it needs to be in PFX format, which also includes the private key. This comes from the original certificate request. If you try to export that certificate in PFX format, the option is greyed out, because the private key is missing. There's a quick and easy way to fix the certificate, which doesn't involve exporting or trying to recombine the certificate and key with openssl (yes, tried all that!).

Look at the new certificate details and find the serial number - it should be something like a 36 character hex number. Now start a CMD prompt and use the command:
   certutil -repairstore my "serialno"

Then go back to ISA to change the certificate attached to the web publishing rule listener and your new certificate should be on the list.

(I also did a restart of IIS Admin service - not sure whether that was required or not - let me know in the comments below)
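
To confirm that the repair actually re-attached the private key before going back to ISA, here is an added example (not part of the original post) that checks the certificate in the Local Computer Personal store before and after running the same certutil command. It assumes PowerShell has been installed on the server (it is not part of a default Server 2003 install), that the certificate request was generated on this machine so the key is still present, and `$Serial` is a placeholder for your own certificate's serial number.

```powershell
# Added example: check whether the imported certificate has its private key,
# run the repair from the post if it does not, then check again.
# Run from an administrator PowerShell prompt on the server.

# Placeholder: paste the serial number from the new certificate's Details tab.
$Serial = '<serial number from the certificate>'

# The Details tab shows the serial with spaces; strip everything that is not hex.
$wanted = ($Serial -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($wanted.Length -eq 0) { throw 'Set $Serial to the certificate serial number first.' }

function Get-MachineCert([string]$serialHex) {
    # Local Computer > Personal is the "my" store that certutil refers to.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber -eq $serialHex } |
        Select-Object -First 1
}

$cert = Get-MachineCert $wanted
if (-not $cert) { throw "No certificate with serial $wanted in LocalMachine\My" }

"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"
"Before  : HasPrivateKey = $($cert.HasPrivateKey)"

if (-not $cert.HasPrivateKey) {
    # Same command as in the post: re-associate the certificate with the
    # key pair that was created with the original certificate request.
    certutil -repairstore my $wanted
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed with exit code $LASTEXITCODE"
    }
    $cert = Get-MachineCert $wanted
}

"After   : HasPrivateKey = $($cert.HasPrivateKey)"
if (-not $cert.HasPrivateKey) {
    Write-Warning 'Still no private key; the listener will not offer this certificate.'
}
```

If the "After" line still reports False, the key pair from the original request is not on this machine, and the repair cannot recreate it.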

1 comment:

Techno Nath said...

Thank you, this step was really helpful when I needed my 123reg wildcard certificate to work in IIS.
