05-29-2012 10:40 AM
I'm stuck. I'm going thru the prereqs for installing UDS and it says I need a signed cert. So I requested a signed cert from my security admin and she told me to create a certificate signing request, which I did. But when she submits the request to the CA, it errors out saying it doesn't match any existing web site in our IIS. So she says I have to create the site first. But I have no idea how to create the site. Well, I mean I can click some buttons but that's guesswork and seems sloppy. The UDS installer will create the site for me, but only if I can provide the cert location and password during the setup.
So how am I supposed to get a signed cert for a site that in theory can be created from the installer which is asking for a signed cert? Is one of us doing something wrong? Or if nothing else, can someone tell me what info I need to create the necessary site in IIS? I had a look at creating a new site but the last thing I have to configure in the dialog is the SSL cert! There's a self-signed cert on the server now, thanks to the install routine, but now I'm just completely confused and have no idea what to do.
05-29-2012 10:51 AM
Here's where I'm stuck. I can't help but feel that our request for a cert signing is being done wrong. Not to blame our security admin, but I mean come on. Right here on the screen it says, would you like me to create a site? Yes? Okay, give me a signed cert please. How can I have a signed cert for a site that hasn't been created yet if our CA is demanding that we have a site before they sign the cert?
05-29-2012 10:56 AM
And here's the IIS window where I can create a new site. Once I choose https for the type, it gives me a new window where I have to do something with an SSL cert. Note the second option is the cert that was created by the UDS installer. If I create a new site here, can I not select an SSL cert, create the site, and then generate a CSR from the site and apply the cert to it later?
05-30-2012 03:55 AM
First and foremost this area of the install is so flawed in its deployment.
No, you do not need to create a Site first; also, your Admin is incorrect to some degree.
Follow the install docs for this section and create as per the CSR in IIS. At this point you will pause on the install, go to IIS, action the steps and submit your CSR to a CA.
My certificate was not generated from IIS on the UDS server; it was created on Exchange when we resolved our ActiveSync requirements for access from external. At that point we included the external DNS for our UDS server as a subject alternative.
When at this point of the install, I pointed to my Exchange cert, which has the sub alternative.
The creation of the CSR is not done at the Site level; it is higher up in IIS.
Review page 16/17 of the UDS install guide.
1. Open Internet Information Services (IIS) Manager.
2. Click the server name.
3. Double-click Server Certificates.
4. Click Create Certificate Request.
5. Specify the necessary information for the certificate and click Next. In the Common name field, you must specify the publicly accessible DNS name of the computer that you install the Communication Module on (for example, mdm.example.com).
6. Select Microsoft RSA SChannel Cryptographic Provider and the bit length. Click Next.
7. Specify a location and file name for the CSR. Click Finish.
When we tried a trial certificate it failed at the completion of the cert request.
This is apparently a flaw in IIS 7.
This certificate area is going to drive many customers crazy and frustrate them to no end, when they are not familiar with this type of process.
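A command-line equivalent of the server-level CSR steps quoted above, with a check on the Common Name before the request goes to the CA. This is an added example, not part of the post or the UDS install guide; the working folder, the 2048-bit key length and the exportable-key setting are assumptions, and mdm.example.com is the guide's sample name.

```powershell
# Added example: build the CSR with certreq and confirm its subject before submitting.
# Run from an elevated prompt on the server (the key goes in the machine store).
$PublicDnsName = 'mdm.example.com'              # publicly accessible DNS name (guide's sample)
$WorkDir = Join-Path $env:TEMP 'uds-csr'        # assumed working folder
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$InfPath = Join-Path $WorkDir 'request.inf'
$CsrPath = Join-Path $WorkDir 'request.csr'
if (Test-Path $CsrPath) { Remove-Item $CsrPath }  # avoid an overwrite prompt on re-run

# certreq policy file. Subject carries the Common Name the CA will check.
# Exportable = TRUE is an assumption: the installer asks for a cert file and a
# password, which implies exporting the key pair later. Protect that file.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$PublicDnsName"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
"@ | Set-Content -Path $InfPath -Encoding ASCII

certreq.exe -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Decode the request and make sure the subject is the DNS name, not a
# placeholder such as a person's name, before it is sent for signing.
$dump = (certutil.exe -dump $CsrPath) -join "`n"
$expected = 'CN=' + [regex]::Escape($PublicDnsName)
if ($dump -match $expected) {
    Write-Output "CSR subject OK: CN=$PublicDnsName ($CsrPath)"
} else {
    throw "CSR subject does not contain CN=$PublicDnsName; regenerate before submitting."
}
```

The same `certutil -dump` check works on a CSR produced by the IIS Manager wizard.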
05-30-2012 10:04 AM
Oh my gosh, I feel like such an **bleep**. I've read the install guide several times, especially the whole section about the cert, but while I was doing the CSR I followed the online step-by-step tutorial, which doesn't say anything special about the common name field. In fact, it just shows "RIM User", so I just typed in a generic name. Sure enough, the install guide says specifically to enter the publicly accessible DNS name for the Common name field, but I totally spaced that. uggghhhduuhhhhhh.
Thank you so much, Gareth. This was driving me absolutely crazy. I just heard back from the admin, she says "Looks like that will work". There's some other issue she has to fix first, but I think it's gonna fly. Woo! Now on to the next major problem! LOL
05-30-2012 10:16 AM
Magic, awesome. Yes, that common name is the external DNS name.
The hurdle is when it is all installed and you need to set it all up to function.
Catch you then
It's been nothing but headaches for us.
05-30-2012 10:20 AM
Yeah, I'm sure I'll be back here before too long. I always do a search first but I didn't see anything on this topic. Hopefully next time I'll have better luck. Even installing Mobile Fusion Studio didn't go very well, I stumbled across a fix involving putting a copy of jvm.dll into another folder. *sigh*
05-30-2012 10:28 AM
Keep in mind using IE fails in UDS when saving anything; use Firefox or some other browser.
Go through UDS Settings methodically top to bottom and update all that is required, in my case most, except SCEP.
Yup, that DLL was this KB29778, which RIM finally acknowledged.
05-30-2012 03:01 PM
Thanks for the tip, I appreciate it!! And thanks for the KB link, I needed that to add to my Evernote collection because I'm sure some day I'll need to know. Again. And it would have driven me crazy because usually I can't ever find the same article the second time around HAHAHAHA.