RMS SSL certificate not valid

  • Question

  • Hi, I apparently have a problem with the SSL certificate for RMS Services:

    - I have installed an AD-integrated self-signed PKI in the test environment.

    -- The PKI is "trusted", i.e. the (self-signed) PKI certificate is found under "trusted root CAs" and "trusted signing CAs" in MMC.

    - As for RMS on Server IRMSERV.intra.fryfish.com, I have basically followed the instructions in the MS training on Win Server 2008 AD MCTS:

    - Created an Alias (CNAME) from Rightsmgm.intra.fryfish.com -> IRMSERV.intra.fryfish.com

    - Created a Webserver Certificate with

    --- Subject: CN=IRMSERV, DC=intra, DC=fryfish, DC=de

    --- Alternate url=Rightsmgm.intra.fryfish.com

    --- based on a Template based on the "Webserver" template.

    - Installation of RMS went smoothly. No errors etc:

    --- chose the above mentioned certificate as SSL certificate, Rightsmgm.intra.fryfish.com as URL and "default Website" for IIS server Website.

    - in office 2010, when I want to e.g. read a protected document,

    --- the system tells me it needs to connect to RMS (fine)

    --- I get the message that the certificate doesn't (!) match the requested site

    --- when I confirm to continue, the system connects to irmserv.intra.fryfish.com

    - I have installed Hotfix kb2597941 on the client machines which apparently helped connecting to RMS in the first place. ("unexpected error...")

    Any idea what's wrong? Thanks in advance - Stefan



    • Edited by IprefUnix Thursday, May 3, 2012 3:26 PM
    Thursday, May 3, 2012 3:25 PM

Answers

  • Hi and thanks. I think I have narrowed how to correctly setup the SSL certificate and usage (see also above):

    1) In "Alternate Subject", use "DNS=Rightsmgm.intra.fryfish.de" not "URL=Rightsmgm.intra.fryfish.de"

    "DNS=" not "URL=" (!) (My MCTS installation guide says otherwise)

    2) specifically bind that SSL certificate to your web site. By default that's the "default web site" in IIS:

    In IIS->default web site -> bindings -> HTTPS:443 -> edit -> SSL certificate -> !choose above Certificate

    Hope this Helps - Stefan

    • Marked as answer by IprefUnix Monday, May 7, 2012 11:49 AM
    Monday, May 7, 2012 11:49 AM
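The two steps in the accepted answer (a SAN with `dns=` entries, then binding that exact certificate to the site's HTTPS binding) as one PowerShell script, added here as an example; it is not code from the thread or from Microsoft. It is run elevated on the AD RMS server. The CA configuration string `CA01.intra.fryfish.com\Fryfish-Issuing-CA`, the template name `FryfishWebServer` (the poster's copy of the WebServer template) and the subject `CN=irmserv.intra.fryfish.com` are placeholders; the SAN host names are the ones discussed in the thread.

```powershell
# Added example, not from the thread. Run elevated on the AD RMS server.
# Assumptions (placeholders): CA config string, template name, and the subject CN.
# Clients match the host name against the SAN, so the CN only needs to be something sensible.
$caConfig = 'CA01.intra.fryfish.com\Fryfish-Issuing-CA'
$template = 'FryfishWebServer'
$sanNames = @('rightsmgm.intra.fryfish.de', 'irmserv.intra.fryfish.com')
$workDir  = Join-Path $env:TEMP 'rms-ssl'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1) certreq .inf: the SAN extension (OID 2.5.29.17) takes "dns=" entries joined with "&", not "url=".
$sanText = ($sanNames | ForEach-Object { "dns=$_" }) -join '&'
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=irmserv.intra.fryfish.com"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}$sanText"

[RequestAttributes]
CertificateTemplate = $template
"@

$infPath = Join-Path $workDir 'rms.inf'
$reqPath = Join-Path $workDir 'rms.req'
$cerPath = Join-Path $workDir 'rms.cer'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

certreq -new $infPath $reqPath                      # generates the key in LocalMachine and the CSR
certreq -submit -config $caConfig $reqPath $cerPath # enterprise CA issues from the named template
certreq -accept $cerPath                            # installs the cert into LocalMachine\My, paired with its key

# 2) Bind exactly this certificate (by thumbprint) to the HTTPS:443 binding of the Default Web Site.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$thumb = $cert.Thumbprint
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }   # drop whatever cert was bound before
Get-Item "Cert:\LocalMachine\My\$thumb" | New-Item -Path $sslBinding | Out-Null

# 3) Verify: the SAN must list every host name that appears in the AD RMS cluster URLs,
#    and HTTP.SYS must now serve this thumbprint on port 443.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
Write-Host "Subject : $($cert.Subject)"
Write-Host "SAN     : $($san.Format($false))"
netsh http show sslcert ipport=0.0.0.0:443
```

The `netsh` line at the end is the check that catches the second half of the answer: if the "Certificate Hash" it prints is not the thumbprint of the newly issued certificate, IIS is still presenting the old one and the client will keep reporting a name mismatch no matter how correct the SAN is.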

All replies

  • Hi IprefUnix-

    Look at the self-signed certificate in the Certificates MMC.  Go to the Details tab and then scroll down to view the Subject Alternative Name field.  That name (or names) must match the names specified in your AD RMS configuration.  Open the AD RMS console and highlight the server name in the left pane.  In the right pane, look at the intranet and extranet cluster URLs.  Any names listed there must be listed in your certificate too.

    Brian

    Thursday, May 3, 2012 6:50 PM
  • Hi Brian and thanks a lot. This is what I have:

    - Intranetcluster-URLs in AD RMS console:

    --- Licensing: https://Rightsmgm.intra.fryfish.de:443/_wmcs/licensing

    --- Certification: https://Rightsmgm.intra.fryfish.de:443/_wmcs/certification/certification.asmx

    - SSL Certificate:

    --- Subject: IRMSERV, intra, fryfish, de

    --- Alternate Subject: URL=Rightsmgm.intra.fryfish.de

    The only difference I can see is the :443 behind the name. Can that be the problem? I thought that was supposed to be fixed with kb2597941.

    Thanks in advance - Stefan

    Friday, May 4, 2012 9:39 AM
  • The easiest fix is to add irmserv.intra.fryfish.com to the certificate (assuming that this is a single server solution).  I would recommend going away from the self-signed certificate too.  You can acquire a third-party trusted certificate at a very low cost (use GoDaddy and search for GoDaddy coupon codes) - when you do, make sure you have irmserv.intra.fryfish.com and rightsmgm.intra.fryfish.de on the certificate. 

    Regarding the :443 in the FQDNs - that has been a bit of a problem.  Microsoft released an Outlook 2010 patch that broke AD RMS when the URLs contained :443.  There are a bunch of discussions about this that you can search for.  Many people have since gone away from using :443 in the URLs.

    Brian

    Friday, May 4, 2012 3:25 PM
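Brian's check (SAN names versus the cluster URLs in the AD RMS console) and his two follow-up points (the server's own FQDN should be on the certificate too; an explicit `:443` in the URLs has caused trouble with Office clients) can be done from a client machine with the script below. It is an added example, not code from the thread. It talks TLS to each host name, takes the certificate the server actually presents, and reports whether that name is in the SAN and whether the chain is trusted on the client. The cluster URLs are the two quoted in the thread; `irmserv.intra.fryfish.com` is added as the extra expected name Brian mentions.

```powershell
# Added check, not from the thread. Run on a domain client that can resolve the names.
# Constructed input: the intranet cluster URLs quoted in the thread, plus the server FQDN
# that the reply says should also be on the certificate.
$clusterUrls = @(
    'https://Rightsmgm.intra.fryfish.de:443/_wmcs/licensing',
    'https://Rightsmgm.intra.fryfish.de:443/_wmcs/certification/certification.asmx'
)
$extraHosts = @('irmserv.intra.fryfish.com')

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    # Return the leaf certificate the server presents for this host name (SNI = $HostName).
    # The validation callback always returns $true so a mismatched or untrusted certificate
    # is still returned for inspection; trust is reported separately with Verify().
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Parse the Subject Alternative Name extension (OID 2.5.29.17). Format() output is
    # localized ("DNS Name=" on English, "DNS-Name=" on German Windows), so match the label loosely.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    $names = @()
    foreach ($line in ($ext.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS[^=]*=\s*(\S+)') { $names += $Matches[1].ToLowerInvariant() }
    }
    return $names
}

# Host names the certificate must cover: every host in a cluster URL, plus the extra ones.
$hosts = (@($clusterUrls | ForEach-Object { ([Uri]$_).Host.ToLowerInvariant() }) + $extraHosts) |
    Select-Object -Unique

foreach ($h in $hosts) {
    try {
        $cert = Get-ServedCertificate -HostName $h
        $san  = Get-SanDnsNames -Cert $cert
        [pscustomobject]@{
            HostName     = $h
            Subject      = $cert.Subject
            SanDnsNames  = ($san -join ', ')
            NameInSan    = ($san -contains $h)   # $false here is the "does not match the requested site" case
            ChainTrusted = $cert.Verify()        # built against this client's trust store
            Expires      = $cert.NotAfter
        }
    } catch {
        Write-Warning "${h}: $($_.Exception.Message)"
    }
}

# The ":443" problem from the reply: report cluster URLs that carry the port explicitly.
$clusterUrls | Where-Object { $_ -match ':443/' } |
    ForEach-Object { Write-Warning "Explicit :443 in cluster URL: $_" }
```

A `NameInSan` of `$false` for `rightsmgm.intra.fryfish.de` reproduces the Office 2010 warning from the question; a `$false` for `irmserv.intra.fryfish.com` is the gap Brian's first suggestion closes. `ChainTrusted` being `$false` on a machine where the root is supposedly deployed points at the trust-store deployment rather than at the certificate itself.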