
Expired Self-signed SSL Causes Client Grief


By steve - Posted on 17 January 2008

I have a client that uses a self-signed certificate to allow SSL communications via "Outlook Web Access" (OWA), HTTPS Exchange transfer, and a web folder (WebDAV). They are their own CA (certificate authority) and generated their own certificate for the web server. When the server certificate, which is only good for 2 years, expired, these applications stopped working.

I was working to fix it and was just looking around at my options when I "accidentally" renewed the CA certificate. This was due to expire in 2036, but was now due to expire in 2038. This seems to have led not only to the users' applications not working, but also to much of the debugging information being suppressed.

The clients don't really get much of an error other than "operation failed" or a DNS error in the browser. If you hit refresh after the DNS/connection error, you'll see the SSL lock show up in the browser and the IE flag starts spinning, but Internet Explorer (IE) seems to hang and nothing happens. No error message appears.

It took quite a while of messing around to finally figure out a solution.

First of all...

What I should have done was just renew the SERVER certificate by going into the MMC for IIS's settings to the "default website" (in my case), then clicking on Properties, Directory Security, Server Certificate, and Renew Certificate. That would have done it. The wizard talks to the local certificate authority and takes care of everything. That would probably have made everything work right then.

However, because I was clicking around in http://localhost/certreq, I accidentally renewed the CA certificate and messed everything up.

First, I renewed the server certificate (per the above) with the new CA so that I solved my original problem and have a new 2010 expiration date on that one.

For the remote computers, the solution was then pretty easy. First, I went into http://localhost/certsrv and exported a new CA certificate file (chained) with the new expiration date. Then I copied that certificate to the remote machine and installed it (right-click, Install Certificate), taking the default to let the system figure out where to install it.

After that, everything worked fine. For clarity, I removed the old CA certificate on the remote computer, but it works OK if you don't.
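The two failures in this story (an expired server certificate, then clients still trusting the pre-renewal copy of the CA certificate) are both cheap to check for before users see a hang. The script below is an added example, not code from the original post. It uses only the Python standard library and represents certificates in the dict shape that `ssl.SSLSocket.getpeercert()` returns; the CA entries are constructed samples in that same shape (in a real check you would fill them from the `.cer` exported from certsrv and from the chain the server actually presents, parsed with whatever tool you prefer). Names, serial numbers and dates are made up to mirror the post's timeline.

```python
"""Expiry and renewal audit for a server certificate and its issuing CA.

Added example; certificates are dicts in ssl.getpeercert() shape. All sample
data below is CONSTRUCTED to mirror the post (expired 2008 leaf, CA copy
renewed from a 2036 to a 2038 expiry, leaf renewed to 2010).
"""
import ssl
from datetime import datetime, timedelta, timezone


def _name(rdns):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) form into a dict."""
    return {k: v for rdn in rdns for (k, v) in rdn}


def _not_after(cert):
    """notAfter looks like 'Jan 17 00:00:00 2010 GMT'; ssl knows that format."""
    secs = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def audit_chain(server_cert, presented_ca, trusted_ca, now, warn_days=30):
    """Return a list of findings; an empty list means nothing looks wrong.

    server_cert  -- the leaf certificate the server sends
    presented_ca -- the CA certificate as the server currently sends it
    trusted_ca   -- the copy of the CA certificate in the client's trust store
    """
    findings = []

    leaf_exp = _not_after(server_cert)
    if leaf_exp <= now:
        findings.append(f"server certificate expired {leaf_exp:%Y-%m-%d}; renew it")
    elif leaf_exp - now <= timedelta(days=warn_days):
        findings.append(f"server certificate expires {leaf_exp:%Y-%m-%d}; renew it soon")

    if _name(server_cert["issuer"]) != _name(trusted_ca["subject"]):
        findings.append("server certificate is not issued by the trusted CA name")
        return findings

    trusted_exp = _not_after(trusted_ca)
    if trusted_exp <= now:
        findings.append(f"trusted CA certificate expired {trusted_exp:%Y-%m-%d}")

    # The silent failure from the post: the CA certificate was renewed, so the
    # server now chains to a CA cert (new serial, new notAfter) that the client
    # has never seen, while the client still trusts only the old copy.
    if presented_ca["serialNumber"] != trusted_ca["serialNumber"]:
        findings.append(
            "CA certificate was renewed (serial "
            f"{presented_ca['serialNumber']} presented, "
            f"{trusted_ca['serialNumber']} trusted); "
            "install the new CA certificate on the client"
        )
    return findings


# --- constructed sample data (placeholder names and serials) ---
CA_SUBJECT = ((("commonName", "Example Corp CA"),),)
OLD_CA = {"subject": CA_SUBJECT, "issuer": CA_SUBJECT,
          "serialNumber": "1A", "notAfter": "Jan 01 00:00:00 2036 GMT"}
NEW_CA = {"subject": CA_SUBJECT, "issuer": CA_SUBJECT,
          "serialNumber": "1B", "notAfter": "Jan 01 00:00:00 2038 GMT"}
EXPIRED_LEAF = {"subject": ((("commonName", "mail.example.com"),),),
                "issuer": CA_SUBJECT, "serialNumber": "10",
                "notAfter": "Jan 10 00:00:00 2008 GMT"}
RENEWED_LEAF = dict(EXPIRED_LEAF, serialNumber="11",
                    notAfter="Jan 17 00:00:00 2010 GMT")
NOW = datetime(2008, 1, 17, tzinfo=timezone.utc)


if __name__ == "__main__":
    # Walk the post's timeline: expired leaf, renewed leaf with stale client
    # CA copy, and finally the client updated with the new CA certificate.
    for label, leaf, shown, trusted in [
        ("before any renewal", EXPIRED_LEAF, OLD_CA, OLD_CA),
        ("leaf renewed, client has old CA", RENEWED_LEAF, NEW_CA, OLD_CA),
        ("client updated with new CA", RENEWED_LEAF, NEW_CA, NEW_CA),
    ]:
        print(f"{label}: {audit_chain(leaf, shown, trusted, NOW) or 'ok'}")
```

For a live server the leaf dict comes straight from `getpeercert()` on a connected `ssl.SSLSocket`; the serial comparison is what catches the post's second failure, because a renewed CA certificate keeps its subject name but gets a new serial number, so matching on the name alone would report the stale client copy as fine.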
