Decommissioning an Old Certification Authority without affecting Previously Issued Certificates and then Switching Operations to a New One

Source: Windows PKI blog – TechNet Blogs

Jonathan Stephens posted an excellent blog post about this topic; however, it didn’t include the steps. As a result, I decided to write this post detailing the steps required. The following assumptions have to be met before proceeding with these steps:

1- There is a new valid Certification Authority configured

2- There is a new distribution point configured for AIA and CDP locations named http://crl.contoso.com/CertData

Steps:

1- Logon to the old Enterprise Certification Authority as an Enterprise Administrator.

2- Identify the AIA and CDP distribution points

  a. Open the Certification Authority Console
  b. Right click the Certification Authority name and click Properties
  c. Click the “Extensions” tab
  d. Document the distribution points configured for CRL Distribution Point (CDP) – for example http://<ServerDNSName>/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl, which refers to the local IIS installed on the server, or http://pki.contoso.com/CertEnroll/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl

Note: Ignore the LDAP and local file system (%windir%) locations

  e. In the “Extensions” tab, select Authority Information Access (AIA) from the drop down menu
  f. Document the distribution points configured for the AIA extension – for example http://<ServerDNSName>/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt, which refers to the local IIS installed on the server, or http://pki.contoso.com/CertEnroll/<ServerDNSName>_<CAName><CertificateName>.crt

Note: Ignore the LDAP and local file system (%windir%) locations

3- Disable Delta CRL and Issue a long Certificate Revocation List (CRL)

  a. Open the Certification Authority Console
  b. Right click “Revoked Certificates”, and then click “Properties”
  c. Uncheck “Publish Delta CRL”
  d. Change the “CRL publication interval” to 99 years and then click OK
  e. Open the command line with elevated privileges
  f. Run certutil -crl to issue a new Certificate Revocation List (CRL)

4- Copy the old Certification Authority’s certificate (CRT) and certificate revocation list (CRL) files to the server hosting website http://crl.contoso.com/CertData

  a. On the old Certification Authority, navigate to %windir%\System32\CertSrv\CertEnroll
  b. Copy the Certification Authority’s certificate (CRT) and certificate revocation list (CRL) to the directory hosting http://crl.contoso.com/CertData

5- Redirect the Authority Information Access (AIA) and Certificate Revocation List (CRL) distribution points of the old Certification Authority to http://crl.contoso.com/certdata

  a. This can be done using an IIS redirect or a DNS CNAME redirect, pointing the Authority Information Access (AIA) and Certificate Revocation List (CRL) locations of the old Certification Authority documented in steps 2.d and 2.f to the new web server http://crl.contoso.com/certdata

6- Document and remove all certificate templates available on the old Certification Authority to prevent it from issuing new certificates

  a. Open the command line with elevated privileges
  b. Run certutil -catemplates > c:\catemplates.txt to document all certificate templates available at the old Certification Authority
  c. Launch the Certification Authority console
  d. Navigate to “Certificate Templates”
  e. Highlight all templates in the right pane, right click and then click “Delete”

At this point, the old Certification Authority can’t issue any certificates, and all of its Authority Information Access (AIA) and Certificate Revocation List (CRL) locations are redirected to the new web site http://crl.contoso.com/CertData. The next steps detail how to document the certificates issued from templates on the old Certification Authority and how to make those templates available at the new Certification Authority.
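The following PowerShell script is an added example, not part of the original post, that automates steps 2 through 6 above with certutil and the WebAdministration module, run from an elevated prompt on the old Enterprise CA. It documents the CDP/AIA URLs from the CA registry (the same values shown on the Extensions tab), disables delta CRLs and publishes a 99-year base CRL, copies the CRT/CRL files, configures the IIS redirect variant of step 5, and removes every template the old CA can issue. The UNC share behind http://crl.contoso.com/CertData, the IIS site and virtual directory names, and the assumed output format of certutil -catemplates are placeholders and assumptions for your environment; the IIS part also assumes the HTTP Redirection role service is installed.

```powershell
# Added example (not from the original post): steps 2-6 on the OLD Enterprise CA.
# Run from an elevated PowerShell prompt on the CA itself.

$NewCertData = '\\crlweb01.contoso.com\CertData'   # assumption: share behind http://crl.contoso.com/CertData
$DocDir      = 'C:\CADecom'
New-Item -ItemType Directory -Path $DocDir -Force | Out-Null

# Step 2: record the configured CDP and AIA URLs. LDAP and local file (%windir%)
# entries are listed as well; per the note in the procedure they can be ignored.
certutil -getreg CA\CRLPublicationURLs    | Out-File "$DocDir\cdp-urls.txt"
certutil -getreg CA\CACertPublicationURLs | Out-File "$DocDir\aia-urls.txt"

# Step 3: disable delta CRLs and publish a base CRL valid for 99 years.
# -setreg writes the registry directly, so the CA service must be restarted
# before certutil -crl picks the new values up (the console does this for you).
certutil -setreg CA\CRLDeltaPeriodUnits 0
certutil -setreg CA\CRLPeriodUnits 99
certutil -setreg CA\CRLPeriod "Years"
Restart-Service certsvc
certutil -crl

# Step 4: copy the CA certificate(s) and the freshly published CRL to the new distribution point.
$CertEnroll = Join-Path $env:windir 'System32\CertSrv\CertEnroll'
Get-ChildItem $CertEnroll -Include *.crt, *.crl -Recurse |
    Copy-Item -Destination $NewCertData -Force

# Step 5 (IIS redirect variant): requests for the old /CertEnroll path are sent to the
# new host; IIS appends the requested file name to the destination by default.
# Site and virtual directory names are assumptions.
Import-Module WebAdministration
$vdir = 'IIS:\Sites\Default Web Site\CertEnroll'
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/httpRedirect' -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/httpRedirect' -Name 'destination' -Value 'http://crl.contoso.com/CertData'
Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/httpRedirect' -Name 'httpResponseStatus' -Value 'Permanent'

# Step 6: document the templates the old CA can still issue, then remove each one.
certutil -catemplates | Out-File "$DocDir\catemplates.txt"
# Assumed line format from -catemplates: "Name: Display Name -- <enrollment info>";
# the name before the first colon is what -SetCATemplates expects.
Get-Content "$DocDir\catemplates.txt" | ForEach-Object {
    if ($_ -match '^(?<name>[^:\s]+):.* -- ') {
        certutil -SetCATemplates "-$($Matches['name'])"
    }
}
certutil -catemplates   # should now list no templates
```

Keep the files under C:\CADecom with the rest of the decommissioning record: the CDP/AIA URL dumps are what you need for the redirect in step 5, and catemplates.txt is the input for enabling the same templates on the new CA in step 10.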

7- Identify and document the certificates issued based on certificate templates by sorting the Certification Authority database

  a. Highlight “Issued Certificates”
  b. Navigate to the right, and sort by “Certificate Templates”
  c. Identify the certificates issued by default certificate template types
  d. Identify the certificates issued by custom certificate templates – any template other than the default certificate templates mentioned earlier

8- Dump the certificates based on the default certificate template types:

  a. Open the command line with elevated privileges
  b. Run certutil -view -restrict "Certificate Template=Template" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\TemplateType.txt
  c. Examine the output of c:\TemplateType.txt and document all the certificates needing immediate action, i.e. those that must be reissued from the new CA infrastructure, such as web SSL certificates
  d. Consult with the application administrator using the certificates to determine the best approach to replace the certificates if needed

Note: Replace Template with the correct template name.

9- Dump the certificates based on the custom certificate template types:

  a. Open the Certification Authority Console
  b. Right click “Certificate Templates” and click “Manage”
  c. Double click the certificate template and click on the “Extensions” tab
  d. Click on “Certificate Template Information”
  e. Copy the Object Identifier (OID) number – the number will look similar to 1.3.6.1.4.1.311.21.8.12531710.13924440.6111642.16676639.10714343.69.16212521.10022553
  f. Open the command line with elevated privileges
  g. Run certutil -view -restrict "Certificate Template=OIDNumber" -out "SerialNumber,NotAfter,DistinguishedName,CommonName" > c:\CustomTemplateType.txt

Note: Replace OIDNumber with the number identified in step 9.e

  h. Examine the output of c:\CustomTemplateType.txt and document all the certificates needing immediate action, i.e. those that must be reissued from the new CA infrastructure, such as custom SSL certificates
  i. Consult with the application administrator using the certificates to determine the best approach to replace the certificates if needed

Note: You don’t need to take any action if the certificate was auto-enrolled, because the certificate holder will renew the certificate from the new CA infrastructure when it expires.
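The following PowerShell script is an added example, not part of the original post, that automates steps 8 and 9 above in one pass. Instead of reading each custom template's OID from the template GUI (step 9.e), it reads the msPKI-Cert-Template-OID attribute of every template object in Active Directory, then queries the CA database by template name (how V1 default templates are recorded) and by OID (how V2 and later templates are recorded), keeping only issued, non-revoked rows. It assumes certutil's csv view emits a header line followed by one row per certificate with the columns in the order given to -out, that the ActiveDirectory module is available, and that it is run elevated on the old CA.

```powershell
# Added example (not from the original post): steps 8-9, run elevated on the OLD CA.
$OutDir = 'C:\CADecom'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Map every template name to its OID (default and custom templates alike).
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$templates = Get-ADObject -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC" `
    -Properties 'msPKI-Cert-Template-OID' |
    ForEach-Object { @{ Name = $_.Name; Oid = $_.'msPKI-Cert-Template-OID' } }

function Get-IssuedByTemplate {
    param([string]$TemplateId)   # template name (V1 templates) or OID (V2+ templates)
    # Disposition=20 restricts the view to issued certificates; revoked rows are 21.
    $csv = certutil -restrict "CertificateTemplate=$TemplateId,Disposition=20" `
        -out 'SerialNumber,NotAfter,DistinguishedName,CommonName' -view csv
    if (-not $csv -or $csv.Count -lt 2) { return }   # assumed: header only means nothing issued
    $csv | ConvertFrom-Csv | ForEach-Object {
        # Read columns positionally; certutil's header names are display names that vary by locale.
        $v = @($_.PSObject.Properties | ForEach-Object Value)
        [pscustomobject]@{
            Template     = $TemplateId
            SerialNumber = $v[0]
            NotAfter     = Get-Date $v[1]   # Get-Date parses with the current culture, as certutil prints
            Subject      = $v[2]
            CommonName   = $v[3]
        }
    }
}

$all = foreach ($t in $templates) {
    Get-IssuedByTemplate $t.Name   # matches certificates recorded by template name
    Get-IssuedByTemplate $t.Oid    # matches certificates recorded by template OID
}
$all = $all | Sort-Object SerialNumber -Unique

# Steps 8.c / 9.h: only certificates that are still valid need attention; expired ones can be ignored.
$needsAction = $all | Where-Object { $_.NotAfter -gt (Get-Date) }
$all         | Export-Csv "$OutDir\issued-all.csv"          -NoTypeInformation
$needsAction | Export-Csv "$OutDir\issued-needs-action.csv" -NoTypeInformation
$needsAction | Sort-Object Template, NotAfter |
    Format-Table Template, CommonName, NotAfter, SerialNumber -AutoSize
```

The issued-needs-action.csv file is the list to walk through with the application administrators (steps 8.d and 9.i); certificates that were auto-enrolled can be dropped from it as the note above explains.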

10- Enable the Certificate Templates needed based on the results of steps 7-9 on the new Certification Authority

  a. Logon to the new Certification Authority as an Enterprise Administrator
  b. Right click “Certificate Templates”, click “New” and then click “Certificate Template to Issue”
  c. Choose all the certificate templates needed in the “Enable Certificate Templates” window and click “OK”

11- <Optional> At this point you can uninstall the Certification Authority Role on the old Certification Authority

  a. Back up the old Certification Authority using the steps outlined in Disaster Recovery Procedures for Active Directory Certificate Services (ADCS)
  b. Uninstall Certificate Services from the old Certification Authority
  c. Decommission the server unless it is running other applications

12- Once all certificates are issued by the new infrastructure, you can safely remove all the Authority Information Access (AIA) and Certificate Revocation List (CRL) files from your infrastructure by following the steps in How to Decommission a Windows Enterprise Certification Authority and How to Remove All Related Objects, and from the web server hosting http://crl.contoso.com

Amer F. Kamal

Senior Premier Field Engineer

Exchange 2010 Certificate errors

Exchange 2010 Certificate can’t complete pending request

Open the certificate store (certmgr.msc). If you have tried to complete the pending certificate request, you should find that the certificate from your CA is installed but has no association with the private key generated by the request (hence the request is still considered pending). Open the certificate from the CA and, on the Details tab, find the Thumbprint field and copy it to your clipboard (CTRL-C).

Now run the following command from a command prompt:
certutil -repairstore My "<thumbprint>"

Refresh your view of the certificate store and hopefully your cert is now associated with its private key! Likewise Exchange will now list the certificate and allow you to assign services to it.
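The PowerShell below is an added example, not part of the original post, that does the same repair for every certificate in the machine personal store that has lost its private key, rather than one thumbprint at a time. Note that certutil without the -user switch operates on the LocalMachine store, which is where Exchange keeps its certificates; certmgr.msc shows the current user's store, so the Certificates MMC for the computer account (or certlm.msc on newer systems) is the view that matches what certutil repairs. Run it from an elevated PowerShell prompt on the Exchange server.

```powershell
# Added example (not from the original post): repair all key-less certs in LocalMachine\My.

function Get-OrphanedCertificates {
    # A certificate installed from a pending request shows up without HasPrivateKey.
    # Self-signed roots that ended up in My are skipped: they never had a local key.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { -not $_.HasPrivateKey -and $_.Subject -ne $_.Issuer }
}

function Repair-OrphanedCertificates {
    param([switch]$WhatIf)   # preview mode: list candidates without touching the store
    foreach ($cert in Get-OrphanedCertificates) {
        Write-Host ("Repairing {0} ({1})" -f $cert.Subject, $cert.Thumbprint)
        if (-not $WhatIf) {
            # Re-links the certificate to the private key created by the original request,
            # exactly as the manual certutil -repairstore command above does.
            certutil -repairstore My $cert.Thumbprint
        }
    }
    # Re-read the store: anything still lacking a key had no matching request on this machine.
    Get-OrphanedCertificates | ForEach-Object {
        Write-Warning ("Still no private key for {0}; the request was probably generated on another server" -f $_.Thumbprint)
    }
}

Repair-OrphanedCertificates -WhatIf   # preview first, then run again without -WhatIf
```

The trailing warning is the case to watch for: if the CSR was generated on a different server, certutil -repairstore cannot help, and the certificate has to be exported with its key from the machine that created the request.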

Error message when Outlook tries to connect to a server by using an RPC connection or an HTTPS connection: “There is a problem with the proxy server’s security certificate”

Launching Outlook returns one of the following messages.

  • There is a problem with the proxy server’s security certificate, %s. Outlook is unable to connect to this server. (%s)
  • There is a problem with the proxy server’s security certificate, %s. The name on the security certificate is invalid or does not match the name of the site. Outlook is unable to connect to this server. (%s)
  • There is a problem with the proxy server’s security certificate, %s. The security certificate is not from a trusted certifying authority. Outlook is unable to connect to this server. (%s)
  • There is a problem with the proxy server’s security certificate. The name on the security certificate is invalid or does not match the name of the target site outlook.office365.com. Outlook is unable to connect to the proxy server (Error Code 0)

Refer to Microsoft KB article KB923575. The resolution below is taken directly from that KB article.

Method 1: Examine the certificate

Use this method if you receive either error message 1 or error message 2. Examine the certificate. Then, contact your system administrator to resolve this issue.

To examine the certificate, follow these steps:

  1. In Microsoft Internet Explorer, connect to the RPC server or to the secure server. For example, type https://www.server_name.com/rpc in the Address bar of the Web browser, and then press ENTER.

    Note The server_name placeholder references the RPC server name or the secure server name.

  2. Double-click the padlock icon that is located in the lower-right corner of the Web browser.
  3. Click the Details tab.
  4. Note the information in the following fields:
    • Valid to
      The Valid to field indicates the date until which the certificate is valid.
    • Subject
      The data in the Subject field should match the site name.

Method 2: Install the trusted root certificate

Use this method if you receive error message 3. To install the trusted root certificate, follow these steps:

  1. Click Install Certificate when you are prompted with the Certificate dialog box.
  2. Click Next.
  3. Click to select the Place all certificates in the following store check box.
  4. Click Browse.
  5. Click Trusted Root Certification Authorities, and then click OK.
  6. Click Next.
  7. Click Finish.
  8. Click OK.

Method 3: Disable the third-party add-in or the third-party browser add-in

Use this method to disable the third-party add-in or third-party browser add-in if you receive error message 4.

Disable third-party add-ins

  1. Start Outlook in safe mode to help isolate the issue. To do this, click Start, click Run, type outlook.exe /safe, and then click OK.

    If Outlook successfully starts in safe mode, the issue that you’re experiencing may be caused by a third-party add-in.

  2. Check for third-party COM add-ins and disable them. To do this, follow these steps:
    1. On the File menu, click Options, and then click Add-Ins.
    2. In the Manage box, click COM Add-ins, and then click Go.
    3. Click to clear the check box next to the third-party add-ins that you want to disable.
    4. Restart Outlook.

For more info, see the “Step 6: Start Outlook in safe mode” section of the following Microsoft Knowledge Base article:

2632425 – How to troubleshoot crashes in Outlook 2010 and Outlook 2013 (http://support.microsoft.com/kb/2632425)

Disable third-party browser add-ins

Outlook uses Internet Explorer settings for HTTP requests. If a third-party browser add-in is causing this issue, disable it in Internet Explorer. For steps on how to do this, see the “Disable add-ons in Internet Explorer” section of the following Microsoft Knowledge Base article:

956196 – “Internet Explorer cannot display the webpage” error (https://support.microsoft.com/kb/956196/)

Exchange 2010 – The certificate is invalid for Exchange Server usage

Source: Did You Restart Blog repost

After attempting to open OWA I received a lovely message about the certificate being invalid today.  Huh?  That can’t be right.  Unfortunately we don’t utilize OWA very often, so the error had gone unnoticed for a long period of time.

First things first, look at the cert.

  • Certificate path is fine
  • Still within the valid date timeframe
  • SAN cert and all the DNS names look fine
  • As far as the certificates MMC all is swell.

But Exchange still shows “The certificate is invalid for Exchange Server usage”
After some browsing on the old google I find lots about this when the cert path is wrong.  So I play around with the intermediate / roots, but feel pretty confident that it’s correct (and the cert is showing the path valid).

Finally, I assign the Exchange roles to the self signed cert, delete the third party cert, and reimport it.  Same error, but now I of course can’t assign the roles back to it because it’s invalid.  So, of course after a few minutes people get a popup about the self signed cert.  Doh.  No problem though.  We can force that with the shell.

  • Get-ExchangeCertificate | fl
  • Find the cert wanted and get its Thumbprint
  • Enable-ExchangeCertificate -Thumbprint [thumbprintfromabove] -Services "SMTP,IIS"  (we don’t use POP or IMAP)

Okay, at least now we’re back where we had been, but what’s going on.

Opening up the shell I do a Get-ExchangeCertificate -Thumbprint thumbprint## | fl.  It shows a RootCAType of unknown.  Eh?  That’s definitely not right.

I pull up https://www.digicert.com/help/ and do a cert check.  Uhm, pretty sure it shouldn’t say “SSL Certificate is revoked”.  Yikes!

After some more head scratching I recall that with the latest project that I’m working with in my off hours (Exchange 2013) I had rekeyed the cert.  Of course when I rekeyed the cert I did import the new cert onto the old Exchange 2010 box, so that shouldn’t be the issue.

So, I look at the new Exchange 2013 box cert and compare its Serial Number to the one on the Exchange 2010.  They should be the same, but what the heck they are not!  Somewhere in the process I messed up the import into the 2010 box. (and I know I did the import, I logged it in our tickets with the steps)

Export the cert again from Exchange 2013, quick import into 2010, reassign the roles and all is happy!

So:

  1. Exchange doesn’t specifically complain that the cert is revoked.  It just states it’s invalid.
  2. If I had paid more attention to the OWA error I would have seen that it specifically said “The organizations certificate has been revoked” and it was correct.
  3. The certificates snap-in mmc doesn’t, as far as I can tell, show when a cert has been revoked.
  4. Certificates can be dang confusing, double check that you’ve got the right one (serial number seems to be a good way).
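The PowerShell below is an added example, not part of the reposted article, that turns the post's two lessons into checks you can run from the Exchange Management Shell on the Exchange 2010 server: it compares the serial number of the IIS-enabled certificate there with the certificate on the Exchange 2013 server, and it builds the certificate chain with online revocation checking, which is the status the Certificates MMC does not surface. The two server names and the thumbprint are placeholders; the script assumes the certificate being examined is present in the local machine store.

```powershell
# Added example (not from the reposted article): serial-number comparison plus an explicit revocation check.
$Old        = 'ex2010.contoso.com'                                  # placeholder
$New        = 'ex2013.contoso.com'                                  # placeholder
$Thumbprint = '<thumbprint of the third-party cert on the 2013 server>'  # placeholder

# Lesson 4: compare serial numbers across the two servers (Get-ExchangeCertificate accepts -Server).
$oldCert = Get-ExchangeCertificate -Server $Old |
    Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$newCert = Get-ExchangeCertificate -Server $New -Thumbprint $Thumbprint
if ($oldCert.SerialNumber -ne $newCert.SerialNumber) {
    Write-Warning ("Serial numbers differ: {0} has {1}, {2} has {3}. Re-export from {2} and import on {0}." -f `
        $Old, $oldCert.SerialNumber, $New, $newCert.SerialNumber)
}

# Lessons 1-3: Exchange only says "invalid" and the MMC shows nothing, so ask the
# chain engine directly, with online CRL/OCSP checking for the entire chain.
function Test-CertificateRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid   = $chain.Build($Certificate)
    $revoked = [bool]($chain.ChainStatus | Where-Object {
        $_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked })
    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        ChainValid = $valid
        Revoked    = $revoked
        Status     = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

# Read the certificate back from the local machine store so a full X509Certificate2 is chained.
Test-CertificateRevocation -Certificate (Get-Item "Cert:\LocalMachine\My\$($oldCert.Thumbprint)")
```

A Revoked = True result with ChainValid = False is the condition the post hit: the chain and dates look fine in the MMC, but the issuer has revoked the serial number, typically after a rekey, and only an online revocation check shows it.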