Am I missing something? (SSL)

st4rk

Okay, so on two test machines I had exchange 2k3 installed on Windows 2003 sp2. Was going to setup OWA with the login page. It requires SSL, so I enabled SSL on the exchange webpage and boom - no more webpage. Now it says "Page cannot be displayed". If I just try to access it via http and not https then it says "Must be viewed over secure connection".

Anyway, I figured I messed something up, so I built a completely new default Windows 2003 Service Pack 1 install, created a test website, enabled SSL, and the same exact thing happens.

What am I doing wrong?! I remember enabling ssl was pretty frickin easy, but I have no idea what I'm missing.

I've assigned the webpage an IP, and told it to use 443. I've unassigned the IP and that doesn't work either.
 
Don't tell me you need a CA. I could swear I've set up SSL on w2k3 without a cert before.
 
I recently set up OWA at my office and yes, I did need to use a certificate. You can get free certificates at http://www.cacert.org/

If you find a way to do it without getting a cert (or without a server within your network that publishes certs) let me know.
 
Can't you just generate a self-signed certificate from the server? Granted, you would get an annoying popup each time you visit the site, but hey ho! Is the CA above in the list of trusted authorities? Otherwise you would get the same prompt, though I guess you could just add them in?
 
A machine that is a "Certificate Publisher" (or whatever they call it) from my understanding cannot be on a domain, nor can it ever join a domain. If there is a way around that, I'm all ears (or eyes, in this case.)
 
I would generate a self-signed certificate using OpenSSL. From your post it appears these are test boxes so you will not have to worry about users complaining. :)
 
As a side note, if you plan on using Direct Push for Windows Mobile 5.0 phones, you're going to want to load any self-signed/non-official certs onto the phone first. 5.0 doesn't allow you to use wildcard or self-signed certs for SSL for some reason (you used to be able to just disable certificate checking, but alas no more).

As a side note to that, you can simply go into the phone's registry under Windows/Activesync/partners and add the DWORD "secure" with a value of "0" to the exchange partner registry section and it will disable the checking....

Sorry if this seems off topic, but trust me, if you aren't aware of the weird requirements of some of the newer windows phones, it can be a nightmare getting the active sync to work correctly.

Also, you should have a certificate authority on your network anyway; no need to go to third party sites unless you do a lot of business with other companies that would require legitimate third party signed certs. If I'm not mistaken, the CA for server 2k3 is free (part of the OS).
 
Running your own CA for just a single certificate might be more initial effort than it's worth.

Personally, anything that leaves our network (web, OWA) gets a third party SSL Cert.

Back to the OP: You do have to install a certificate. Just enabling SSL does nothing. However if you are just testing and this is not yet production, you can use a built in IIS tool to generate and install a self-issued certificate. It's much simpler than installing and using OpenSSL in my opinion.

Get the IIS Toolkit:
http://www.microsoft.com/technet/pr...a36-5761-448f-889e-9ae58d072c09.mspx?mfr=true

Use the SelfSSL tool. It's very simple, one console command and you're done. Again, I personally wouldn't use this on a production server. I'd get a cheap $100 SSL cert from Comodo and call it good.

From Microsoft:

Use SelfSSL to generate and install a self-signed Secure Sockets Layer (SSL) certificate. Because SelfSSL.exe generates a self-signed certificate that does not originate from a commonly trusted source, use this tool only when you need to troubleshoot third-party certificate problems or when you need to create a secure private channel between your server and a limited, known group of users, such as exists in a software test environment. SelfSSL.exe is a command-line tool.
 
A machine that is a "Certificate Publisher" (or whatever they call it) from my understanding cannot be on a domain, nor can it ever join a domain. If there is a way around that, I'm all ears (or eyes, in this case.)

Then how would you ever implement things like smart cards on an AD domain?

Of course you can install a CA on a domain.
 
Okay now I'm really frustrated.

I installed a CA on the win2k3 server. Issued a cert, re-enabled SSL - same thing. I've tried accessing it by name and by IP, and it always says "Page cannot be displayed". I even installed a base Windows 2000 server and get the same problem! I get the box that asks me to accept the cert, I click yes and it just goes to "Page cannot be displayed". I've tried no 128-bit encryption, anonymous access, and built-in Windows Authentication, all three of those in varying combinations, and it never works.

Argh! This is insane. I wish I could record a quick video of what I'm doing, but alas, these computers are kinda "restricted" and there's no way for me to do that. I think when I get home today I will fire up my copy of Windows 2003 and see what happens. Perhaps it's the build disks I'm using here; the particular Windows build is like anti-SSL or something.

My last resort right now is installing Windows XP and trying it on that OS.
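The symptom in this thread (SSL required on the site, yet HTTPS gives "Page cannot be displayed") is easiest to pin down from the client side. The probe below is an added example, not code from any poster, and it separates "nothing listening on the port" from "TCP connects but no TLS handshake" (what you get when SSL is enabled with no certificate bound) from "handshake completes"; the plain-HTTP listener and the unused-port helper are constructed stand-ins so the script runs offline.

```python
import socket
import ssl
import threading

def probe_https(host, port=443, timeout=3.0):
    """Classify an HTTPS failure: "tcp-closed" (nothing listening),
    "tls-failed" (TCP accepted but no TLS handshake, e.g. SSL enabled on
    the site with no certificate bound) or "tls-ok" (a certificate was
    served). Trust checks are off on purpose: a self-signed cert counts
    as "tls-ok", since the question is whether any cert is bound at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp-closed"
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "tls-ok" if tls.getpeercert(binary_form=True) else "tls-failed"
    except (ssl.SSLError, OSError):  # wrong version number, EOF, reset, timeout
        return "tls-failed"

def start_plain_listener():
    """Constructed stand-in for a site that answers on its port but speaks
    plain HTTP, i.e. SSL 'enabled' without a certificate. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)  # swallow the ClientHello, then answer as plain HTTP
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def unused_port():
    """Constructed helper: a local port with nothing listening on it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    print("plain HTTP on the port ->", probe_https("127.0.0.1", start_plain_listener()))
    print("nothing on the port    ->", probe_https("127.0.0.1", unused_port()))
```

Point it at the real server with probe_https("yourhost", 443): "tcp-closed" means the 443 binding or firewall is the problem, "tls-failed" means the site has SSL required but no usable certificate, and "tls-ok" means the cert is bound and the remaining issue is trust or the page itself.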
 