Makecert.exe for CUPS Calendar Integration

Unanswered Question
Jan 11th, 2010

Hi Forum,

I have a CUPS 7.0 server installed and wish to configure calendar integration.  I've installed an existing self-signed certificate from the OWA and configured the Exch service user, etc.  However, I just don't see the CUPC status change when a user is in a meeting or not when I create or delete meetings from their Outlook Calendar.

In the Presence Engine logs I see the following errors:

|<CLID::StandAloneCluster><NID::srvprs01><LVL::Detailed><MASK::0800>

01/11/2010 13:12:33.511 EPE|system.pe.pa.owa.backend 2065342 ERROR ExchangeSession: 0x09f96b68 ssl problem(s): CERTIFICATE_AUTHORITY_SIGNATURE_NOT_TRUSTED - rejected

|<CLID::StandAloneCluster><NID::srvprs01><LVL::Special><MASK::0800>

|<CLID::StandAloneCluster><NID::srvprs01><LVL::Detailed><MASK::0800>

01/11/2010 13:12:33.511 EPE|system.pe.pa.owa.backend 2065342 ERROR -->CalendarSubscription::initiateRecovery: [email protected] SUBSCRIBE 1 TLS error - check certificate; Server certificate verification failed: issuer is not trusted

When I've checked the certificate again I can see it does not have the CA bit set (so the Subject Type=End Entity, and not CA).

As I understand from the available documentation, CUPS will not trust this certificate without this bit being set.  This means that I need to ask the Exchange engineer to use makecert.exe to create another self-signed certificate - which will be exactly the same as the previous one, with the exception of the CA bit being set.  The Exchange engineer has asked me whether, if he runs makecert on the OWA, it will mean he needs to change the certificates on all the devices that are currently using OWA.  I'm confused by this as well; from my understanding he will have to do this, as you can only have one certificate active at one time...  Or can I just create the certificate and then use it on CUPS only without interfering with anything else?

Does anyone with knowledge of makecert or having followed a similar path have any comments or help?

Thanks in advance!

Michael.

htluo Mon, 01/11/2010 - 08:08

Generally speaking, you can have only one cert for Exchange.

On the other hand, when we are talking about "certificate", we are actually talking about the certificate for OWA (Outlook Web Access), which is basically a web server.  For Exchange, the OWA (web server) was hosted by IIS (Internet Information Server).  You may create multiple "virtual servers" (instances) on IIS to serve the same Exchange.  If you do that, you could have multiple certificates assigned to multiple instances.

Makecert.exe doesn't have to be run on the server.  All it does is create a certificate file based on the command-line parameters.  The benefit of running it on the server is that you can have it put the certificate into the cert store for you (otherwise, you'll have to install the cert yourself).

For more details on CUPS Calendar Integration (including syntax on makecert.exe), please see: http://www.lulu.com/content/5552336

Thanks!

Michael
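
Added example, not part of the original thread: a PowerShell check of the "Subject Type" (Basic Constraints CA flag) that the original post says CUPS requires, so a replacement certificate can be verified before it is uploaded. The function names, the `owa.example.test` subject and the file path in the last comment are hypothetical; the two certificates are constructed in memory for the demonstration and need .NET Framework 4.7.2+ or PowerShell 7.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Report the fields that matter for the trust failure in the logs above.
function Get-CertCaStatus {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)
    # Basic Constraints is what the Windows certificate viewer shows as "Subject Type".
    $bc = $Cert.Extensions |
        Where-Object { $_ -is [X509BasicConstraintsExtension] } |
        Select-Object -First 1
    [pscustomobject]@{
        Subject     = $Cert.Subject
        # Name comparison only; it does not verify the signature.
        SelfSigned  = ($Cert.Subject -eq $Cert.Issuer)
        SubjectType = if ($bc -and $bc.CertificateAuthority) { 'CA' } else { 'End Entity' }
        NotAfter    = $Cert.NotAfter
        Thumbprint  = $Cert.Thumbprint
    }
}

# Constructed sample input: a throwaway self-signed certificate, with or without the CA flag.
function New-SampleCert {
    param([string]$Name, [bool]$IsCa)
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$Name", $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    # Arguments: certificateAuthority, hasPathLengthConstraint, pathLengthConstraint, critical
    $req.CertificateExtensions.Add(
        [X509BasicConstraintsExtension]::new($IsCa, $false, 0, $true))
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddDays(1))
}

# Same subject, different Basic Constraints: the situation described in the question.
$endEntity = New-SampleCert -Name 'owa.example.test' -IsCa $false
$caFlagged = New-SampleCert -Name 'owa.example.test' -IsCa $true

$endEntity, $caFlagged | ForEach-Object { Get-CertCaStatus -Cert $_ } |
    Format-Table Subject, SelfSigned, SubjectType, Thumbprint -AutoSize

# To check an exported certificate instead (placeholder path):
#   Get-CertCaStatus -Cert ([X509Certificate2]::new('C:\path\to\owa.cer'))
```

The two sample certificates share a subject but have different thumbprints, which is how to confirm which one IIS is actually serving and which one was uploaded to CUPS.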
