Certificate install

    Question

  • Hi,

    Bit of an unusual question as I have been forced to deploy Public certs from Entrust within my internal OCS2007 R2 deployment due to an internal PKI project being delayed.

    I successfully received a Public cert from EnTrust and cut & pasted the details into an OCS.cer file via Notepad, but when I run through the Cert Wizard to 'Process an offline certificate request and import the certificate' within OCS I get the following error..

    Cert Wizard Completed with Failures

    Certificate Wizard could not find the private key for this certificate.

    This can happen if you have already imported this certificate on this machine.

    Restart the Wizard and make a new certificate request.

    This error was on a new OCS2007R2 Ent Edtn server running on Win2K3R2

    Thanks in advance...


    Friday, March 26, 2010 2:32 PM

Answers

  • Mike.

    You should see a certificate with the name Entrust.net Certification Authority (2048) with an expiration of 7/24/2029 in your Trusted Root Certificate Authority store, this is trusted by default in Windows Server 2008.  Were you able to find this CA cert either in your store or online at entrust.net?

    Mark


    Mark King | MCTS:OCS | MCSE: Messaging | MCITP:Enterprise Messaging | CCNA | www.unplugthepbx.com
    • Marked as answer by MikeWarren Tuesday, March 30, 2010 7:11 AM
    Monday, March 29, 2010 10:55 PM
  • Hi Mark,

    Entrust.net CA 2048 did not exist so I requested it. I'm currently installing on a W2K3R2 O/S. Chomping at the bit to get installing on W2K8R2!!

    Thanks for all your assistance, very much appreciated.

    Regards

    • Marked as answer by Ben-Shun Zhu Wednesday, May 12, 2010 1:49 AM
    Tuesday, March 30, 2010 7:11 AM
  • I was having similar issues and I found 2 steps that resolved the problem.

    1. Moving the L1C certificate to the Intermediate Certificate Authorities
    2. ran certutil -repairstore my "<cert serial number>"

    Thanks for the help.

    • Marked as answer by Ben-Shun Zhu Wednesday, May 12, 2010 1:49 AM
    Tuesday, May 11, 2010 4:09 PM

All replies

  • Did you generate the cert request on the same server you are attempting to complete the offline request on? 

    You must follow this process for obtaining a 3rd party certificate for OCS:

    1. Run through the cert wizard on ServerA and generate the certificate request file

    2. Send the cert request to a trusted 3rd party CA

    3. Acquire the cert from the 3rd party CA

    4. Run through the cert wizard on ServerA and "process offline cert request and import the certificate" 

    After this is completed the private key will be completed.  The important part is that it must be generated and the request completed on the same server.

    Mark


    Mark King | MCTS:OCS | MCSE: Messaging | MCITP:Enterprise Messaging | CCNA | www.unplugthepbx.com
    Friday, March 26, 2010 2:54 PM
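    Added example, not from the thread or from Mark: a PowerShell check for the point made above that the private key only exists on the server where the Cert Wizard generated the request, combined with the certutil -repairstore step from the accepted answer. It looks for the imported certificate in the machine Personal store, reports whether a private key is attached, lists any pending request left in the Certificate Enrollment Requests store, and tries the repair if the key is missing. Assumes PowerShell 2.0 or later; the thumbprint is a placeholder you fill in.

    ```powershell
    # Added example (not the thread's own code). Checks the private-key link of the
    # certificate the OCS wizard imported and attempts certutil -repairstore if it is missing.
    function Test-OcsCertPrivateKey {
        param([Parameter(Mandatory=$true)][string]$Thumbprint)  # placeholder: thumbprint of the pool cert

        $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $Thumbprint }
        if (-not $cert) { throw "Certificate $Thumbprint is not in LocalMachine\My; import it there first." }

        if ($cert.HasPrivateKey) {
            Write-Output "OK: a private key is associated with $($cert.Subject)."
            return $true
        }

        # The wizard stores the request, and with it the key, under the REQUEST store of the
        # machine that generated it. A matching pending request here means the key still exists
        # on this box; none means the CSR was made elsewhere or the request entry was deleted.
        $pending = Get-ChildItem Cert:\LocalMachine\REQUEST |
                   Where-Object { $_.Subject -eq $cert.Subject }
        if ($pending) {
            Write-Output "Pending request found for $($cert.Subject); attempting repair."
        } else {
            Write-Output "No pending request for $($cert.Subject) on this machine; repair is unlikely to succeed."
        }

        # certutil locates the key container by the certificate's public key and re-links it.
        Write-Output "Running certutil -repairstore my $($cert.SerialNumber)"
        & certutil -repairstore my $cert.SerialNumber

        $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $Thumbprint }
        if ($cert.HasPrivateKey) {
            Write-Output "Repaired: private key is now associated."
            return $true
        }
        Write-Output "Still no private key: generate a new request on this server and have it re-issued."
        return $false
    }

    # Usage (placeholder thumbprint):
    # Test-OcsCertPrivateKey -Thumbprint '<thumbprint of the issued certificate>'
    ```

    Run it in an elevated prompt on the server that produced the CSR; the wizard's "could not find the private key" message corresponds to HasPrivateKey being false here, and a successful repair is the same outcome the accepted answer reached with certutil.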
  • Hi Mark, thanks for the swift reply :)

    I can confirm that the Cert Wizard request was run on Server A and run again on Server A to process the offline cert.

    I think the error is related to EnTrust's method for supplying certs.. the steps I am following to obtain the certs and deploy in OCS2007R2 are as follows...

    1. Copy your issued certificate from the browser and save it in Notepad as OCScert.cer.

    2. On the server, click Start > Programs > Administrative Tools > Office Communications Server 2007.

    3. Expand the snap-in until you find the Enterprise Edition Server.

    4. Right-click the Office Communications Server where the CSR was generated previously, and click Certificates.

    5. Click Next.

    6. Select Process the pending request and install the certificate.

    7. Point the wizard to your OCScert.cer file and complete the wizard (Wizard completes with failure message as previously posted)


    To install the Entrust L1C cross certificate on your server

    1. Click Start > Run.

    2. Type MMC and hit Enter.

    3. Click File > Add/Remove Snap-in.

    4. Click Add.

    5. Select Certificates and click Add.
    A wizard opens.

    6. Select Computer Account and click Next.

    7. Select Local Computer and click Finish.

    8. Click Close.

    9. Click OK.

    10. Expand Certificates on the left-hand side of the console window.

    11. Right-click on the intermediate Certificate Authority and under all tasks, select Import.

    12. Point the wizard to the L1C Chain certificate file and complete.

    13. Restart your IIS service by running an IISReset command in a regular command prompt window.

    I have completed the above steps without success as the OCS Cert Wizard completes with failures..

    Friday, March 26, 2010 3:08 PM
  • I have used entrust certs several times with the exact same process, I usually import the L1C first but that should not matter. 

    Does the cert successfully import?  If not, try to import the cert into the certificates mmc for the local computer:

    1. Start -- Run -- mmc

    2. File - Add/Remove Snap-in

    3. Select Certificates click add -- select computer account -- local computer, click OK then finish

    4. Expand Certificates (Local Computer) -- Personal -- Certificates

    5. Right Click Certificates under Personal -- all tasks -- select Import

    6. Select Next - Browse to the file location of the cer file you saved from entrust and click next

    7. Allow private key to be exported, enter password and click next then finish.

    8. Now Run the OCS certificate wizard and select existing certificate -- select the cert we just imported

    Let me know if this works.

    Mark King | MCTS:OCS | MCSE: Messaging | MCITP:Enterprise Messaging | CCNA | www.unplugthepbx.com
    Friday, March 26, 2010 3:32 PM
  • Hi Mark,

    Thanks for your post..

    The Cert says it successfully imports however when I ran through steps 1 -> 8 above the OCS certificate wizard fails..

    Certificate Wizard Failed to save the supplied settings. Please retry the operation. One or more assignment operations failed. Please use the Snap-in to correct errors.


    Monday, March 29, 2010 7:43 AM
  • "Managing Certification Authority Certificates for OCS",

    Would you please check the article; the steps showing how to import the certificate might be helpful.

    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=72


    Best Regards!
    • Marked as answer by MikeWarren Monday, March 29, 2010 10:08 AM
    • Unmarked as answer by MikeWarren Monday, March 29, 2010 10:42 AM
    Monday, March 29, 2010 9:32 AM
  • Hi Ben,

    Thanks for the post.. The article's a little confusing as I am using Public certs for an internal deployment due to the PKI project being delayed. When I right click on the Public cert I get a General and Cross_Certificates Tab.

    The OCS install is deployed in a Single Forest with Parent & Child Domains. The OCS Servers are installed in the Child Domain with SIP address set to Parent domain to reflect email address.

    Regards..

    Monday, March 29, 2010 10:12 AM
  • Mike.

    I think the issue might be the 3rd party certificate authority might be issuing your certificate with an intermediate (or cross) certificate authority.  The CA certificate needs to be in the list of your trusted root CAs with the cross or intermediate loaded into the server's intermediate CA store. 

    If you need help with this let me know.

    Mark


    Mark King | MCTS:OCS | MCSE: Messaging | MCITP:Enterprise Messaging | CCNA | www.unplugthepbx.com
    Monday, March 29, 2010 12:32 PM
  • Thanks for the reply Mark ,

    I have checked my Cert Store on Local Computer and have the OCSCert located in the trusted root with the EnTrust Cross Cert located in the server's intermediate CA store.

    When I check the properties of OCSCert within Certificate Manager..

    Certificate Information

    Windows does not have enough information to verify this certificate...

    Issued to.. pool01.<subdom>.<parent>.com

    issued by Entrust..

    valid from 26/03/2010 to...

    You have a private key that corresponds to this certificate


    If I click on the Certification Path Tab

    Entrust Cert Auth - L1C - "The issuer of this certificate could not be found"

    -----> <ServerName> - This certificate is ok


    Thanks for your assistance..

    Regards


    Monday, March 29, 2010 1:21 PM
  • Mike.

    The certificate issued to pool.subdomain.domain.com should be located in the "Personal" store of the local computer.  The Entrust L1C certificate should be located in the Intermediate Certificate Authorities store and the Entrust CA Cert should be located in the Trusted Root Certificate Authority store.  You can drag and drop the certs to where they belong.  Once this issue is resolved and the certificate shows as valid you will be all set.

    Mark


    Mark King | MCTS:OCS | MCSE: Messaging | MCITP:Enterprise Messaging | CCNA | www.unplugthepbx.com
    • Proposed as answer by David.Turner Tuesday, May 11, 2010 4:09 PM
    Monday, March 29, 2010 2:04 PM
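    Added example, not from the thread or from Mark: a PowerShell script that walks the certification path of the pool certificate the way the Certification Path tab does and reports, for each element, which LocalMachine store holds it and which store Windows expects it in (end-entity in Personal, self-signed CA in Trusted Root, cross or intermediate CA such as Entrust L1C in Intermediate Certification Authorities). A PartialChain status is the same condition the thread shows as "The issuer of this certificate could not be found". A second function moves a CA certificate between stores, which is the scripted form of the drag-and-drop suggested above. Assumes PowerShell 2.0 or later; thumbprints are placeholders.

    ```powershell
    # Added example (not the thread's own code). Reports store placement of every
    # certificate in the chain of the OCS pool certificate and flags misplaced ones.
    function Test-OcsCertChain {
        param([Parameter(Mandatory=$true)][string]$Thumbprint)  # placeholder: pool cert thumbprint

        $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $Thumbprint }
        if (-not $cert) { throw "Certificate $Thumbprint is not in LocalMachine\My." }

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation is skipped on purpose: the question here is store placement, not CRL reachability.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $valid = $chain.Build($cert)

        Write-Output ("Chain builds cleanly: {0}" -f $valid)
        foreach ($s in $chain.ChainStatus) {
            # PartialChain corresponds to "The issuer of this certificate could not be found".
            Write-Output ("  status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
        }

        foreach ($element in $chain.ChainElements) {
            $c = $element.Certificate
            $selfSigned = ($c.Subject -eq $c.Issuer)
            # Expected store: My for the end-entity, Root for a self-signed CA, CA for
            # anything else (cross or intermediate CA, e.g. Entrust L1C).
            $expected = if ($c.Thumbprint -eq $cert.Thumbprint) { 'My' }
                        elseif ($selfSigned) { 'Root' } else { 'CA' }
            $actual = @('My', 'CA', 'Root') | Where-Object {
                Test-Path ("Cert:\LocalMachine\{0}\{1}" -f $_, $c.Thumbprint)
            }
            $flag = if ($actual -contains $expected) { 'ok' } else { 'MISPLACED OR MISSING' }
            Write-Output ("  {0}" -f $c.Subject)
            Write-Output ("     in: {0,-12} expected: {1,-5} {2}" -f ($actual -join ','), $expected, $flag)
        }
        return $valid
    }

    # Moves a certificate between LocalMachine stores (e.g. an L1C that was imported
    # under Trusted Root instead of Intermediate Certification Authorities).
    function Move-LocalMachineCert {
        param(
            [Parameter(Mandatory=$true)][string]$Thumbprint,  # placeholder
            [Parameter(Mandatory=$true)][string]$From,        # store name: My, CA or Root
            [Parameter(Mandatory=$true)][string]$To
        )
        $src = New-Object System.Security.Cryptography.X509Certificates.X509Store($From, 'LocalMachine')
        $dst = New-Object System.Security.Cryptography.X509Certificates.X509Store($To, 'LocalMachine')
        $src.Open('ReadWrite'); $dst.Open('ReadWrite')
        try {
            $c = $src.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
            if (-not $c) { throw "Certificate $Thumbprint not found in store $From." }
            $dst.Add($c)
            $src.Remove($c)
        } finally {
            $src.Close(); $dst.Close()
        }
    }

    # Usage (placeholder thumbprints):
    # Test-OcsCertChain -Thumbprint '<pool cert thumbprint>'
    # Move-LocalMachineCert -Thumbprint '<L1C thumbprint>' -From Root -To CA
    ```

    Run Test-OcsCertChain first; when the last reported element is the Entrust L1C with a PartialChain status and no Root entry listed for its issuer, the missing piece is the Entrust.net root CA certificate in Trusted Root, which is the gap the thread ends up identifying. Move-LocalMachineCert only changes placement of certificates already on the machine and cannot supply a root that was never imported.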
  • Thanks Mark,

    Pool.subdomain.domain.com is located in the "Personal" store of the local computer, Entrust L1C Cert is located in the Intermediate Cert Authorities Store. I'm missing an EnTrust CA Cert in the Trusted Root CA Store.

    Regards

    Mike

    Monday, March 29, 2010 2:40 PM
  • Hi,

    I have a certificate from my faculty mail server https://webmail.etf.unsa.ba. I exported the certificate using Firefox and installed it in Trusted Root Certification Authorities. When I click on certificate path (in certmgr.msc) it shows "The issuer of this certificate cannot be found". How can I make the status "This certificate is OK"? Operating system is Windows 7.

    Please help!

    Monday, February 07, 2011 9:43 AM