Citrix NetScaler – ‘Certificate is not a server certificate’

KB ID 0001191 

Problem

While attempting to bind a certificate to a Virtual Server on my NetScaler this happened;

Error
Certificate is not a server certificate

 

Solution

Before you proceed, delete the problem certificate to avoid confusion!

I had generated this certificate with Microsoft Certificate Services, and I had made a wildcard certificate like so;

Certificate Services – Create a ‘Wildcard Certificate’

Remember, the standard ‘Web Server’ template does not mark the private key as exportable, so you will not be able to get the key off the box. Clone the template, tick ‘Allow private key to be exported’ on the Request Handling tab, and use the cloned template to issue the wildcard certificate.

Open the certificate on a Windows machine  > Install Certificate.

Select ‘Local Machine’  > Next.

Manually put the certificate in the ‘Personal’ container > OK > Next.

Now open an MMC console (Start > Run > mmc {enter}) File > Add Remove Snap-in > Certificates > Select ‘Local Computer’ > Open Personal > Certificates > Locate your cert > All Tasks > Export.

Note: Make sure there is a small key icon over the cert, if not create a new one or follow this article.

Yes ‘Export the private key’, (if you don’t see this page, then you have done something wrong).

Export as PKCS 12 (PFX) > Next.

Set a password, (you will need this in a minute, so don’t forget it) > Next.

Save the exported cert with a pfx extension > Next.

OK

Now EXPORT THE CERT AGAIN, this time WITHOUT the private key (‘No, do not export the private key’). Choose ‘Base-64 encoded X.509 (.CER)’ as the format > follow the wizard and save it in the same location as the PFX file you exported earlier.

So now you should have two exported certificates like this;
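As an added example (not part of the original article): the Windows-side export above, scripted in PowerShell, with the two checks worth doing before going near the NetScaler, namely that the certificate actually has a private key and that it carries the Server Authentication EKU that a TLS server certificate needs. The subject, output folder and password prompt are assumptions; Export-PfxCertificate and Export-Certificate need Windows 8 / Server 2012 or later and an elevated session, and Export-PfxCertificate fails if the key was issued from a template that does not allow export.

```powershell
# Added example, not from the original article. Assumes the wildcard cert is
# already in the Local Machine 'Personal' store and that its private key is
# exportable (cloned template, see above). Subject and paths are placeholders.

$SubjectPattern = '^CN=\*\.example\.com'   # assumed subject of the wildcard cert
$OutDir         = 'C:\Certs'
$Password       = Read-Host -AsSecureString -Prompt 'PFX export password'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Pick the newest matching certificate from the machine Personal store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $SubjectPattern } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectPattern' in Cert:\LocalMachine\My" }

# Check 1: the private key must be present (the 'small key icon' in the MMC).
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; re-issue it from a template that allows export"
}

# Check 2: the certificate must carry the Server Authentication EKU
# (1.3.6.1.5.5.7.3.1), otherwise it is not usable on a TLS vServer.
$eku = $cert.Extensions |
       Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
       ForEach-Object { [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$_ }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
if (-not $hasServerAuth) {
    throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU"
}

# Export 1: PFX including the private key (what the NetScaler PKCS#12 import consumes).
$pfxPath = Join-Path $OutDir 'wildcard.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $Password -Force | Out-Null

# Export 2: the certificate alone. Export-Certificate writes DER; certutil -encode
# converts it to the Base-64 (.cer) form the 'Certificate File Name' field expects.
$derPath = Join-Path $OutDir 'wildcard.der.cer'
$cerPath = Join-Path $OutDir 'wildcard.cer'
Export-Certificate -Cert $cert -FilePath $derPath -Type CERT -Force | Out-Null
certutil -encode -f $derPath $cerPath | Out-Null
Remove-Item $derPath

Write-Host "Exported $pfxPath and $cerPath for thumbprint $($cert.Thumbprint)"
```

The PFX goes into Import PKCS#12 on the NetScaler and the .cer into ‘Certificate File Name’, exactly as in the GUI steps that follow; if Export-PfxCertificate throws about the key not being exportable, you are back at the template problem above.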

Log into the NetScaler > Configuration > Traffic Management > SSL > Import PKCS#12.

Set the Output File Name to something sensible with a .key extension > Browse to your PFX file > enter the import password (the one you set when exporting) > set a PEM passphrase (use the same password for simplicity) > OK.

Now navigate to Configuration > Traffic Management > SSL > Certificates > Add.

 

Give it a sensible name that you can identify later, like the FQDN; if you just call it ‘certificate’ you will have problems down the line once you have loads of certificates! For ‘Certificate File Name’ browse to the .CER file you exported earlier. For ‘Key File Name’ browse the appliance and select the .KEY file you created above. Type in the PEM passphrase > Install.

You can now assign this certificate without error.

 

Related Articles, References, Credits, or External Links

NA

Why Securing Your VPN Solution With Computer Certificates ‘Only’ Is A BAD Idea

KB ID 0001055 

Problem

After a large AnyConnect 4 roll-out, I had the following conversation with a client;

Client: Can we change the way the clients authenticate?
Me: Yes, no problem what do you need?
Client: Well instead of user based certificate authentication, we want to use computer certificates only.
Me: Really why?
Client: So when we roll out a lot of imaged new machines we don’t need to get the users to log onto them and get a user certificate before they can be deployed.
Me: If we can, and a user exports the cert onto another device, that device will be able to connect as well.

I then pondered on just how difficult this would be to do. I had a fully working (certificate based) VPN solution running on the bench that I’d used to ‘proof of concept’ the clients requirements. Why don’t I attempt to compromise that for educational purposes 🙂

Disclaimer: As stated, this post is for educational purposes only, not so you can get a free VPN or Wireless connections.

Solution

1. By default, computer certificates issued by Microsoft Certificate Services have their private key marked ‘non-exportable’, precisely to stop what follows. That flag is enforced by the Windows CryptoAPI/CNG key providers, not by anything cryptographic, so just because Windows won’t let you export the key does not mean it can’t be exported. Here I’m using Mimikatz 2.0 to get around it: crypto::capi patches the export check in CryptoAPI for the current process, crypto::cng patches it in the CNG key isolation service, and crypto::certificates then writes each certificate and its key out to disk.

[box]
privilege::debug
crypto::cng
crypto::capi
crypto::certificates /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE /store:MY /export
[/box]

2. All being well you should see something like this.

3. All your computer certs (in this case I only have one, so I don’t have to hunt through them) will be exported as files in the Mimikatz directory.

4. Import the certificate on a machine that does not have one (or an iPad, phone, tablet, Mac, Linux box etc.).

5. Connect without error on the new machine.

The moral of the story is: where possible, don’t rely on computer certificates on their own. Couple them with user names/passwords or two-factor authentication, so that a copied machine certificate by itself is not enough to connect.
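As an added example (not part of the original article): a PowerShell audit of the Local Machine ‘Personal’ store that reports, per certificate, which key provider holds the private key and what its export policy says. That policy is the ‘non-exportable’ marking from step 1, and it is what crypto::capi and crypto::cng patch around, so read the output as what Windows will refuse to do for a normal caller, not as proof that a key cannot leave the box. It assumes an elevated Windows PowerShell 5.1 session (GetRSAPrivateKey needs .NET Framework 4.6 or later); the function name is my own.

```powershell
# Added example, not from the original article. Lists machine certificates with
# their key provider (CNG or legacy CAPI) and export policy so you can see which
# keys rely on the 'non-exportable' flag. Needs an elevated session to open
# machine keys; Windows PowerShell 5.1 / .NET Framework 4.6+.

function Get-MachineKeyExportPolicy {
    [CmdletBinding()]
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $provider = 'none'
        $policy   = 'n/a'

        # Template the cert was issued from: v2 template info (…21.7) or v1 template name (…20.2).
        $template = ($cert.Extensions |
            Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
            ForEach-Object { $_.Format($false) }) -join '; '

        if ($cert.HasPrivateKey) {
            try {
                # RSACng for keys held by a CNG key storage provider,
                # RSACryptoServiceProvider for legacy CAPI CSP keys.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $provider = 'CNG'
                    $policy   = $rsa.Key.ExportPolicy.ToString()      # 'None' = non-exportable
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    $provider = 'CAPI'
                    $policy   = if ($rsa.CspKeyContainerInfo.Exportable) { 'AllowExport' } else { 'None' }
                }
                else { $provider = 'non-RSA' }
            }
            catch { $provider = "error: $($_.Exception.Message)" }
        }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Template      = $template
            HasPrivateKey = $cert.HasPrivateKey
            KeyProvider   = $provider
            ExportPolicy  = $policy
            Exportable    = ($policy -ne 'None' -and $policy -ne 'n/a')
        }
    }
}

Get-MachineKeyExportPolicy | Sort-Object Exportable -Descending | Format-Table -AutoSize
```

Anything showing Exportable = True can be exported with the normal wizard; anything showing None is only as safe as the provider code enforcing it, which is the point of the post.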

 

Related Articles, References, Credits, or External Links

NA

Migrate Exchange 2010 to Exchange 2016 (& 2013)

Part 3

Migrating Certificates and Decommissioning Exchange 2010

KB ID 0000816

Problem

Continued from Migration From Exchange 2010 to Exchange 2016 Part 2

Solution

Exchange 2013/2016 Migration Step 8 Migrating Certificates from 2010 to 2016

Only consider doing this if you have a purchased (i.e. NOT a self-signed) certificate on your Exchange 2010 server. Bear in mind that if the certificate has the internal FQDN of your Exchange 2010 server as a SAN (Subject Alternative Name), a public CA will not renew it: under the CA/Browser Forum Baseline Requirements, public CAs stopped issuing certificates containing internal names that expire after 1 November 2015. So you may want to purchase a new certificate with public names only anyway.

Also make sure the public name of the server resolves to the public IP of the new server (or you change the port forwarding for HTTPS traffic to point to the new server).

1. On the Exchange 2010 Server > Launch the Exchange Management Console > Server Configuration > Select the certificate > Export Exchange Certificate.

2. Select a location to save the exported cert > supply a password > Next.

3. Finish.

4. On the Exchange 2013/2016 Server > Launch the Exchange Admin Center > Servers > Certificates > Select the ‘more options’ icon > Import Exchange Certificate.

5. Put in the path to where you saved the exported cert, and the password you used > Next.

6. Add in the Exchange 2016 Server > Finish.

7. Select the new certificate > Edit > Services > Select the service for which you want to use the certificate. Note: I don’t have Unified Messaging so I’m selecting all the other options > Save.

8. Answer ‘Yes’ to replace the self signed certificate that Exchange 2016 installs by default.

9. You can then open Outlook Web Access and give it a test (Remember to change the DNS records so that the Common Name on the certificate points to the new Exchange 2016 server).

Exchange 2013/2016 Migration Step 9 Decommissioning Exchange 2010

Before doing this: Have a quick common sense check!

  • Do you need to migrate any transport rules? (For Exchange disclaimers etc.)
  • Do you need to change any journaling settings for your third-party email archive solution etc.?
  • Do you need to replicate any receive connectors from the old email server to the new one? (For scanners, photocopiers, SharePoint, SQL Mail, SAP, etc.)

1. Before we can retire the old server we need to remove its databases. Even though we have moved all the user mailboxes, if you try to delete the database it will complain that it is not empty. This is because it still holds archive or arbitration mailboxes. To see which, execute the following commands;

[box]
Get-Mailbox -Archive
Get-Mailbox -Arbitration
[/box]

OR, if you have multiple source databases, use the following syntax to see which database each one is in (an archive lives in the database shown by archivedatabase, not database);

[box]
Get-Mailbox -Archive | fl name,database,archivedatabase
Get-Mailbox -Arbitration | fl name,database
[/box]

As you can see (in the screenshot below) I still have arbitration mailboxes in the old Exchange 2010 database; to move them use the following command. Note: execute this command from the Exchange 2013/2016 server!

[box]Get-Mailbox -Database "Mailbox-Database" -Arbitration | New-MoveRequest -TargetDatabase "Mailbox-Database-2016"[/box]

If archive mailboxes remain, the same approach applies, with one caveat: -Archive only selects mailboxes that have an archive, and the archive itself sits in the database shown by ArchiveDatabase, so filter on that, and move the archive with New-MoveRequest -ArchiveOnly -ArchiveTargetDatabase rather than -TargetDatabase.

Note: Update 04/11/13 (Credit to Jeroen Bonenberg)

You may also have a Discovery Search Mailbox that will need migrating. To do so, use the following syntax.

[box]Get-Mailbox "DiscoverySearchMailbox*" | New-MoveRequest -TargetDatabase "Mailbox-Database-2016"[/box]

2. Wait a while and then check that they have moved. Note: You can check status with ‘Get-MoveRequest’.
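As an added example (not part of the original article): a PowerShell script that finds everything still homed in the old Exchange 2010 database (regular, arbitration and discovery search mailboxes, plus archives whose ArchiveDatabase is the old one), queues move requests for them, and polls until the moves finish, which covers steps 1 and 2 in one go. Run it from the Exchange Management Shell on the 2013/2016 server as the article says; the database names are placeholders.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell on the Exchange 2013/2016 server. Database names are placeholders.

$OldDb = 'Mailbox-Database'        # Exchange 2010 database to empty
$NewDb = 'Mailbox-Database-2016'   # target database on the new server

# Primary mailboxes still in the old database. Arbitration and discovery
# mailboxes are hidden from a plain Get-Mailbox, so ask for them explicitly.
$primary = @(
    Get-Mailbox -Database $OldDb -ResultSize Unlimited
    Get-Mailbox -Database $OldDb -Arbitration -ResultSize Unlimited
    Get-Mailbox -Database $OldDb -RecipientTypeDetails DiscoveryMailbox -ResultSize Unlimited
)

# Archive mailboxes whose archive (not necessarily the primary) is in the old
# database; -Archive alone only means "has an archive".
$archives = Get-Mailbox -Archive -ResultSize Unlimited |
            Where-Object { $_.ArchiveDatabase -and $_.ArchiveDatabase.Name -eq $OldDb }

Write-Host "Primary/arbitration/discovery mailboxes left in ${OldDb}: $(@($primary).Count)"
Write-Host "Archive mailboxes left in ${OldDb}: $(@($archives).Count)"

# Queue moves, skipping anything that already has a move request.
foreach ($mbx in $primary) {
    if (-not (Get-MoveRequest -Identity $mbx.Identity -ErrorAction SilentlyContinue)) {
        New-MoveRequest -Identity $mbx.Identity -TargetDatabase $NewDb | Out-Null
    }
}
foreach ($mbx in $archives) {
    if (-not (Get-MoveRequest -Identity $mbx.Identity -ErrorAction SilentlyContinue)) {
        New-MoveRequest -Identity $mbx.Identity -ArchiveOnly -ArchiveTargetDatabase $NewDb | Out-Null
    }
}

# Poll until nothing is still in progress; only then dismount and remove the database.
do {
    Start-Sleep -Seconds 60
    $pending = Get-MoveRequest | Where-Object { $_.Status -notin 'Completed', 'Failed' }
    Write-Host "$(Get-Date -Format T): $(@($pending).Count) move request(s) still running"
} while ($pending)

Get-MoveRequest | Get-MoveRequestStatistics |
    Select-Object DisplayName, Status, TargetDatabase, PercentComplete |
    Format-Table -AutoSize
```

Anything reported as Failed needs looking at with Get-MoveRequestStatistics -IncludeReport before you remove the database; a mailbox that did not move is a mailbox you are about to delete.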

3. In the Exchange Management Console > Organization Configuration > Mailbox > Database Management > Select the mailbox database > right click > Dismount Database.

4. Now Remove the database > Yes.

5. OK.

6. Offline Address Book Tab > Default Offline Address Book > Remove > Yes.

Note: If this OAB is still in use you will NOT be able to remove it. Make the 2013/2016 OAB the default first (Offline Address Book tab > right-click the new OAB > Set as Default) and make sure no mailbox database or address book policy still references the 2010 one.

7. If you try to remove the public folder database it will complain that it contains replicas, which you can’t remove. Only do this once any public folders you need have been migrated (or you have confirmed there are none), because the contents of this database are about to be discarded. The easiest way I’ve found to remove it is as follows. Dismount the public folder database.

8. Then delete (or move if you are paranoid) the database file (.edb file) and the logs for this database.

9. Then mount the database > Yes to all > It will mount a blank empty database.

10. You can now delete the database without error.

11. OK.

12. Close the Exchange Management Console > Start > in the search/run box > appwiz.cpl {Enter} > locate Microsoft Exchange Server 2010 > Uninstall.

13. Next.

14. Untick all the installed roles > Untick Management tools > Next.

15. Uninstall.

16. Finish.

Exchange 2013/2016 Migration Step 10 ‘Finish Up’

Remember if you are keeping this server, you might want to delete all the database files which get left behind. You will also want to change your backup software so that it is pointing to the new mailboxes/databases.

Related Articles, References, Credits, or External Links

Thanks to Shawn Welker for the Arbitration/Archive feedback
Thanks to leandro.chiesa for the OAB feedback