Messing about with SSL certs all day due to Windows 2012 gui problems

Started by Dieselboy, October 28, 2016, 03:09:46 AM


Dieselboy

Spent a long time renewing our SSL cert for our SSO/ADFS 3.0 setup today, which included an ADFS proxy on Windows 2012.

Renewing the cert took 10 mins if that. The problems started from there.

In short, I was getting an error from both servers (the ADFS itself AND, later, the proxy) which explained that the SSL certificate did not meet the requirements for an SSL cert. I spent ages comparing the new cert to the old cert, and the new cert had everything the old one had. The only difference was that the new one had an extra statement and contained both:
Quote:
    Ensures the identity of a remote computer
    Proves your identity to a remote computer

whereas the old cert only had "Ensures the identity of a remote computer".

Installing the cert on the Win2012 system was no problem. As I re-used the same private key to generate the CSR, the private key was already on the system. However, Win2012 for some reason did not pair everything up and did not say "you have a private key that matches this cert".
To overcome that, I needed to bundle all the root/intermediate/client certs together in a text file, then use a tool to make a .pfx which included the private key again. I then installed this as a bundle on the server.

The next problem was the big one, Windows ADFS said that the cert is not a suitable SSL cert.

So to overcome the next issue I deleted the cert from the MMC/Certificates snap-in. Then, when you install and configure ADFS, it gives you the option to import the cert. I clicked on this import button and selected the same .pfx I had created already. Then ADFS installed fine.
NOTE!! I think if you use PowerShell to do the configuration, then it might not complain about the SSL issue.

So sadly, although I had to remove and reconfigure ADFS to work around this problem, I now have a working SSO server for internal users. Next was to set up the proxy, although I had the same issue again there: SSL cert not suitable.

With the proxy, before it goes and applies the config that you selected in the GUI, it does provide you with the PowerShell CLI commands. I copied these commands to Notepad and then ran them in PowerShell. This worked around the issue with the GUI saying the cert is not SSL suitable.

Took me a while but omg FFS. Thought I'd mention here to save people trouble!
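The checks the post describes doing by eye (private key paired with the new cert, the Server Authentication usage present, the chain bundled) and the PowerShell route that was used instead of the GUI, written up as an added example. This is not the original poster's script or the commands the wizard generated; the thumbprint, federation service name and account names are placeholders to replace with your own, and the cmdlets are the standard ADFS / Web Application Proxy ones from the Windows 2012 R2 role modules.

```powershell
# Added example (not from the original post). Verify a renewed certificate in the
# LocalMachine\My store is usable as the AD FS service communications (SSL) cert,
# then configure AD FS and the proxy from PowerShell instead of the GUI wizard.
# Run in an elevated PowerShell on the server concerned.

$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder: your new cert's thumbprint
$fsName     = 'sso.example.com'                              # placeholder: federation service FQDN

$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"

# 1. The store must show the private key paired with the cert. When the CSR was made on
#    this machine the key is already here; certutil can re-associate it with the new cert.
if (-not $cert.HasPrivateKey) {
    certutil -repairstore my $thumbprint | Out-Null
    $cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
    if (-not $cert.HasPrivateKey) { throw "No private key paired with $thumbprint" }
}

# 2. Enhanced Key Usage must include Server Authentication (1.3.6.1.5.5.7.3.1).
#    Client Authentication (1.3.6.1.5.5.7.3.2) being present as well is harmless;
#    that is the extra "Proves your identity to a remote computer" line in the GUI.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($ekuExt) { $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') {
    throw 'Certificate lacks the Server Authentication EKU; AD FS will reject it'
}

# 3. The Subject Alternative Name (OID 2.5.29.17) must cover the federation service name.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
if ($sanText -notmatch [regex]::Escape($fsName) -and $cert.Subject -notmatch [regex]::Escape($fsName)) {
    throw "Certificate does not name $fsName in SAN or Subject"
}

# 4. The chain must build to a trusted root, i.e. the intermediates are installed
#    (this is what bundling root/intermediate/leaf into the .pfx achieves).
if (-not $cert.Verify()) { throw 'Certificate chain does not validate on this machine' }

Write-Host "Certificate $thumbprint passes the AD FS SSL checks"

# 5. On the federation server: configure the farm from PowerShell rather than the wizard.
#    Service account name is a placeholder.
Install-AdfsFarm -CertificateThumbprint $thumbprint `
                 -FederationServiceName $fsName `
                 -ServiceAccountCredential (Get-Credential 'CONTOSO\svc_adfs')

# 6. On the proxy (Web Application Proxy role installed, same cert imported there):
#    the credential is a domain account that is a local admin on the AD FS server.
Install-WebApplicationProxy -CertificateThumbprint $thumbprint `
                            -FederationServiceName $fsName `
                            -FederationServiceTrustCredential (Get-Credential 'CONTOSO\adfs_admin')
```

Steps 5 and 6 are the scripted equivalents of what the two GUI wizards run; steps 1 to 4 are the checks worth doing first so that an "SSL certificate does not meet the requirements" message can be traced to a concrete property (missing key pairing, missing EKU, name mismatch, or an incomplete chain) rather than compared by eye in the certificate viewer.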

deanwebb

I got to the last sentence and thought, "Wait, this is the first mention of the FFS utility... what does it do?"

Then I remembered it's an acronym for something else, like "Why did you shut down the core routers, FFS!"

I am still waking up, that's my excuse.

***

But, yes, deleting and replacing the cert can often fix issues, as it resets the expectations of the cert on the part of the OS. Get a clean start, and all goes well. Pretty much that way with everything in Windows, which is why I hate to upgrade it.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

No matter how many times I deleted and re-added the thing, it would not work for the proxy! I think Windows 2012 has a bug and this was causing me the problems with the cert, because entering the PowerShell CLI commands did not have any issues and worked fine!

PS: StartSSL are now providing 3-year SSL certs for FREE as standard with up to 10 hostnames/domains (no wildcard). So this means that by next year, all my stuff will have 3-year certs ;) Niceeeee

wintermute000

So theoretically with the first server, the powershell commands would have solved it?