Q216422: Exchange Specific Policy Module for Certificate Server disables
Article: Q216422
Product(s): Internet Information Server
Version(s): winnt:1.0,5.5
Operating System(s):
Keyword(s):
Last Modified: 28-JUN-2001
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Certificate Server version 1.0
- Microsoft Exchange Server, version 5.5
-------------------------------------------------------------------------------
SYMPTOMS
========
Microsoft Exchange Server 5.5 SP1 includes an Exchange Server policy module for
Microsoft Certificate Server 1.0. This policy module allows Exchange Server's
Key Management Server to directly interact with Certificate Server to issue SSL
keys to e-mail clients.
When this policy module is applied to the Certificate Server, it will no longer
be able to fulfill certificate requests through its Web interface. When you
browse to the Certificate Server Enrollment tools and create a request for a new
client or server key, the following error occurs:
Error!!!
Certificate Server is unable to process your request.
Last Status Error Code = 0
Please verify that you are submitting a valid request or contact your
Certificate Authority for assistance.
CAUSE
=====
This is by design. The Exchange Server policy module disables the Certificate
Server Web interface. When the Exchange Server policy module is installed to a
Certificate Server, it can only be used by that Exchange Server computer.
RESOLUTION
==========
To resolve this problem, set up and configure multiple Certificate Servers.
Configure the first Certificate Server as the Root Certificate Authority for
your organization and the second Certificate Server as a Subordinate Certificate
Authority to your Root Certificate Authority.
Install the Subordinate Certificate Authority on your Exchange Server computer.
This Certificate Server is for the exclusive use of your Exchange Server's Key
Management Service.
WORKAROUND
==========
As noted in the Microsoft Windows NT Option Pack release notes, Microsoft
Certificate Server 1.0 does not officially support certification authority
hierarchies. However, several of the key capabilities of a "certification
authority hierarchies" feature do work and can be used in an implementation with
Exchange Server to achieve most of the desirable characteristics of
certification authority hierarchies.
Installing a Certificate Server Subordinate Certificate Authority
-----------------------------------------------------------------
A Certificate Server subordinate Certificate Authority (CA) is a certifying
authority that issues certificates and CRLs, but does not sign certificates. The
subordinate CA must submit certificates to a root CA to be signed.
Before you install the Certificate Server subordinate CA, you must install
Internet Explorer version 4.01 or later on the server computer. You must also
create a shared directory where Certificate Server will store certificates. The
Windows NT Everyone account should have read permissions on the shared
directory.
After you install the Certificate Server, you need to install the Exchange Server
policy module and Certificate Server hotfix before the Certificate Server can
use Key Management Server.
To install a subordinate CA, perform the following steps:
1. Run the Windows NT Option Pack 4.0 Setup program and choose Custom.
2. On the Components page, select Certificate Server, and then choose Show
Subcomponents.
3. Select Certificate Server Certifying Authority, and then choose Next.
4. On the Microsoft Certificate Server page, in the Shared Folder box, enter the
path to the shared certificate directory on the CA computer, and then choose
Next.
5. Select Show Advanced Configuration, and then choose Next.
6. In the Hash Algorithm box, choose SHA-1.
7. Select Non-Root CA, and then choose Next.
8. Type the information describing your CA, and then choose Next.
9. After you restart the computer, install the Microsoft Exchange Server policy
module and the Certificate Server fix found in Service Pack 4 for Windows NT.
Creating Trust Between a Subordinate CA and a Root CA
-----------------------------------------------------
The Certificate Authority service will not start automatically until you obtain a
certificate from another CA using the request file in the Certs directory. Copy
the certificate from the CA directory to the Certs directory, and then run the
Certificate Server Hierarchy Configuration tool (Certhier.exe) to establish a
trust relationship between the root CA and the subordinate CA.
To create a trust relationship between a subordinate CA and a root CA, do the
following:
1. From the Certs directory on the subordinate CA computer, copy the .req file
to a disk.
2. At the root CA computer, log on as an Administrator.
3. From the command prompt, type the following command:
certreq a:\filename.req a:\ filename.crt
4. From the shared certificate directory, copy the signature file of the root CA
to the disk. The following files are now on the disk:
<B7> SubMachineName_SubCAName.crt
<B7> SubMachineName_SubCAName.req
<B7> RootMachineName_RootCAName.crt
5. From the subordinate CA computer, copy the root CA signature file to the
Winnt\System32 directory, and name it RootCa.crt.
Note: This file must be copied as RootCa.crt not
RootMachineName_RootCAName.crt, where RootMachineName is the name of your
computer, and RootCAName is the name of your CA.
6. Copy the new signed .crt file and the original .req file from the disk to the
shared directory.
Note: The subordinate CA certificate is SubMachineName_SubCAName.crt where
SubMachineName is the name of the computer where the subordinate CA is
installed, and SubCAName is the name of the subordinate CA.
7. Verify that the following registry key value exists (if not, add a new string
value):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
\<I>SubCAName</I>\HierFileName
where SubCAName is the name of the subordinate CA. Set the value of the
registry key to path SubCAName, where path is the complete path to the shared
certificate and SubCAName is the name of the .req file without the .req
extension. For example:
c:\certs\SubMachineName_SubCAName
8. From the command prompt, run Certhier.exe.
9. In Control Panel, double-click Services, and then start the Certificate
Authority service.
MORE INFORMATION
================
For more information on the setup and configuration of Certificate Server,
please read your Certificate Server documentation.
For more information on Exchange Server 5.5 Service Pack 1 and the Exchange
Server policy module for Certificate Server, please download and read the
following:
Microsoft Exchange Server 5.5 Service Pack 1 Readme
For more specific information on Microsoft Certificate Server and Microsoft
Exchange Server 5.5 Service Pack 1 interaction, please see the following:
http://www.microsoft.com/technet/iis/
Additional query words:
======================================================================
Keywords :
Technology : kbExchangeSearch kbExchange550 kbZNotKeyword2 kbCertServSearch kbZNotKeyword3 kbCertServ100
Version : winnt:1.0,5.5
Issue type : kbprb
=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright Microsoft Corporation 1986-2002.