
Wednesday, October 26, 2011

Oh Certificate where art thou

A few days back I had to replace the external certificate on an Edge server with a new third-party certificate. I created a new certificate request (with private key) and mailed it to the person responsible for requesting the certificate from VeriSign. Moments later I received my SAN certificate.

I logged on to the Edge server and opened the Lync Deployment Wizard to import the certificate using the GUI. I selected Import New Certificate and browsed to the path where I had placed the certificate. I clicked Import and verified that the command completed successfully.

In the same window I then ran the Assign New Certificate wizard to assign the newly imported certificate to the external interface of the Edge server. To my surprise I could only select one of the old certificates. The newly imported certificate was nowhere to be seen.

I wondered if something had gone wrong during the import, so I opened the local computer certificate store. Nothing wrong to see here: the certificate was nicely imported into the Personal store of the computer account. I clicked the Refresh button in the Deployment Wizard and ran Assign New Certificate again, but still no luck.

Damn, what is going on here? Ghost in the machine? You know what, I will start all over again. So I removed the certificate from the local certificate store, opened the Deployment Wizard and imported the certificate using the wizard. Again the wizard told me the certificate had imported successfully. But my disappointment was all the greater when I discovered that the certificate was still not available for assignment.

OK, I had had it with the GUI; I would use PowerShell this time, that always works. I imported the certificate using PowerShell and tried to assign it. No, still no certificate available. OK, this really is the ghost in the machine, you know, one of those days when you can't seem to achieve anything.

I tried all over again, but this time I checked the HTML log files which Lync creates in the temp folder (%userprofile%\AppData\local\Microsoft\temp). Although the wizard reported that the command completed successfully, I could see in the log that the certificate was not imported. The log file gave the following reason: Certificate already present or could not process the private key.

I opened the local computer certificate store, and now saw something fishy. The old certificate, which had been issued by the internal CA, showed a small key in its certificate icon. The new certificate, although present, did not display that key. The picture below shows a certificate which has a valid private key.

That convinced me that there was something wrong with the private key of the certificate: the public certificate was in the store, but it was no longer linked to the private key generated with the request. I have seen this situation in Exchange, and it has been widely documented on the internet, but I had never seen it in Lync before. Nevertheless, we are talking about certificates, no matter what they are applied to. So I decided to use the same solution, which is repairing the certificate-to-key binding using Certutil.

I opened the certificate, clicked the Details tab and copied the serial number of the certificate.

Then I opened a command prompt in administrative mode and ran the following command:
Certutil -repairstore my "xx xx xx xx xx xx xx" (where the x's are the serial number of the certificate, copied as shown on the Details tab).
This gave me the following result:
I opened the Deployment Wizard and this time could successfully assign the certificate. You see, experience comes in handy ;) !

A bit later I discovered that the friendly name was missing from the certificate when I opened the certificate wizard (Deployment Wizard). You can also assign a friendly name to the certificate using certutil.

Required steps:
First you need to create an INF file that contains the friendly name you wish to assign to the certificate. Open Notepad and insert the following text (the [Version] and [Properties] section headers are part of the certutil property file format, and the value must be closed with a quote):

[Version]
Signature = "$Windows NT$"

[Properties]
11 = "{text}Friendly Name"

Adjust Friendly Name to the friendly name you wish to assign to your certificate. Save the Notepad file as an INF file in a directory of your choice. I used C:\Temp\FriendlyName.inf.

Second, open the command prompt in administrative mode and type the following command:
Certutil -repairstore my "xx xx xx xx xx xx xx" C:\Temp\FriendlyName.inf (where the x's are the serial number of the certificate)

Reassign the certificate in the certificate wizard and you will see that the certificate now displays the friendly name you defined in the INF file.
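The whole check-and-repair sequence from this post, scripted in PowerShell so it can be repeated on the next server. This is an added example and not part of the original post: it looks up the certificate by serial number in the computer's Personal store, reports whether Windows can find its private key (the missing-key icon from the screenshot corresponds to HasPrivateKey being False), runs the same certutil -repairstore command as above only when the key binding is missing, and then writes the friendly-name INF and applies it. The serial number, friendly name and C:\Temp path are placeholders; the Get-CertBySerial helper is mine, not a Lync or certutil command.

```powershell
# Added example (not from the original post): check a LocalMachine\My certificate for a
# usable private key, repair the key binding with certutil, then set a friendly name.
# Assumptions: run from an elevated PowerShell on the server; $Serial is the serial number
# copied from the certificate's Details tab (placeholder below); C:\Temp exists.
param(
    [string]$Serial       = '00 11 22 33 44 55 66',      # placeholder serial, replace
    [string]$FriendlyName = 'Edge External SAN',         # assumed friendly name
    [string]$InfPath      = 'C:\Temp\FriendlyName.inf'   # same path the post uses
)

# The Cert: drive stores the serial as upper-case hex without spaces; certutil accepts
# the spaced form from the Details tab, so keep both.
$serialNoSpaces = ($Serial -replace '\s', '').ToUpper()

function Get-CertBySerial {
    # Hypothetical helper: returns the store object so HasPrivateKey/FriendlyName are re-read.
    param([string]$SerialNoSpaces)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber -eq $SerialNoSpaces }
}

$cert = Get-CertBySerial -SerialNoSpaces $serialNoSpaces
if (-not $cert) { throw "No certificate with serial $serialNoSpaces in LocalMachine\My" }

Write-Host "Subject       : $($cert.Subject)"
Write-Host "Thumbprint    : $($cert.Thumbprint)"
Write-Host "HasPrivateKey : $($cert.HasPrivateKey)"   # False is the symptom in the post

if (-not $cert.HasPrivateKey) {
    # Re-link the certificate to the private key created with the request (the post's fix).
    certutil -repairstore my "$Serial"
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed (exit code $LASTEXITCODE)" }

    $cert = Get-CertBySerial -SerialNoSpaces $serialNoSpaces
    if (-not $cert.HasPrivateKey) {
        # repairstore can only bind a key that exists on this machine; if the request was
        # generated elsewhere, the key is simply not here and the certificate must be re-requested.
        throw 'Private key still missing after repair; the key is not present on this machine'
    }
    Write-Host 'Private key binding repaired.'
}

if ([string]::IsNullOrEmpty($cert.FriendlyName)) {
    # Same INF the post describes; property 11 is the certificate friendly name.
    $inf = @"
[Version]
Signature = "`$Windows NT`$"

[Properties]
11 = "{text}$FriendlyName"
"@
    Set-Content -Path $InfPath -Value $inf -Encoding Ascii

    certutil -repairstore my "$Serial" $InfPath
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore (friendly name) failed (exit code $LASTEXITCODE)" }

    $cert = Get-CertBySerial -SerialNoSpaces $serialNoSpaces
    Write-Host "FriendlyName  : $($cert.FriendlyName)"
}
```

Run it once per Edge server after importing the certificate; if HasPrivateKey is already True it only fills in the friendly name. The check is also the quickest way to tell whether the certificate you exported elsewhere actually travelled with its key (a PFX does, a plain .cer does not), which is the usual reason for the key to be missing.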


1 comment:

  1. This was a great post I never found anywhere else, and it came in handy this time for a pretty much locked-down network for security. Great thanks to you.