Exchange 2010 Cert Question

  • Question

  • I created a new SAN cert request for 2010, sent the request to vendor for processing, then once I received it back, I completed the "pending cert request" on CAS1.  I then went to CAS2 to import the cert, but there was no "Pending cert request" so instead, I imported the cert.  During the import, it prompted me for a password, but I don't recall ever setting a password.  Is there anyway around this? 
    Wednesday, February 23, 2011 4:00 PM

Answers

All replies

  • 1.       Many times this breaks your license agreement with the Certificate Authority.  It is also a best practice to generate a new CSR for server2 and submit the request to your CA for a unique certificate.

    2.       If you choose to copy the certificate from server1 you need to ensure you copy the complete key pair.  Your CA doesn't send you a certificate, but instead sends you part of the certificate, which merges with the request sitting on your generating server.  It is then the result of this merger that needs to be copied (exported/imported).

    a.       Here are some general steps for this procedure: http://www.geocerts.com/support/migrate_iis

    Mike Crowley
    Check out My Blog!

    • Proposed as answer by Mike Crowley Wednesday, February 23, 2011 4:12 PM
    Wednesday, February 23, 2011 4:09 PM
  • I would generate a new request on server CAS 2 and import the certificate as you did with CAS1.
    MCP, MCSE 2000 , MCSA 2000 ,MCSA 2003 , MCITP , MCTS , MCT
    Wednesday, February 23, 2011 4:17 PM
  • I tried the option above (generated a new cert request) and imported the cert into cas 2, but get the following error:


    Cannot import certificate. A certificate with the thumbprint 5A414AE631E830D00BAACFE22A7B2D153A4E3521 already exists.

    Exchange Management Shell command attempted:
    Import-ExchangeCertificate -Server 'RAUSTPSW0211' -FileData '<Binary Data>'

    Elapsed Time: 00:00:00

    I'm confused by this process.  How do you typically apply a cert to multiple CAS 2010 servers?


    Thursday, February 24, 2011 12:22 AM
  • When working with SSL certs, I used the shell to do the importing as I had similar issues. Read this section on SSL certificates for Exchange 2010:

    http://technet.microsoft.com/en-us/library/bb310795.aspx

    If you have included both CAS server names in the SAN cert, it should not be an issue.

    • Marked as answer by olsonkyle12 Thursday, February 24, 2011 5:46 PM
    Thursday, February 24, 2011 12:33 AM
  • I tried the option above (generated a new cert request) and imported the cert into cas 2, but get the following error:


    Cannot import certificate. A certificate with the thumbprint 5A414AE631E830D00BAACFE22A7B2D153A4E3521 already exists.

    Exchange Management Shell command attempted:
    Import-ExchangeCertificate -Server 'RAUSTPSW0211' -FileData '<Binary Data>'

    Elapsed Time: 00:00:00

    I'm confused by this process.  How do you typically apply a cert to multiple CAS 2010 servers?


    Export the certificate with the private key from your first CAS server, then import it on the second CAS and enable the certificate for the IIS service.


    MCP, MCSE 2000 , MCSA 2000 ,MCSA 2003 , MCITP , MCTS , MCT
    Thursday, February 24, 2011 2:32 PM
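The export/import procedure described in the reply above, written out as an added example for the Exchange Management Shell (this is not code from the thread or from Microsoft's documentation). The server names CAS1 and CAS2, the share path used to move the PFX file, and the thumbprint placeholder are assumptions; the thumbprint comes from Get-ExchangeCertificate on the server where the pending request was completed. The password that Import-ExchangeCertificate prompts for is the one given to Export-ExchangeCertificate when the PFX was created, which is why a certificate imported from a CA response alone has no password to supply.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on CAS1.
# Placeholders: CAS1 / CAS2 (server names), the share path, and the thumbprint value.
$thumb = '<THUMBPRINT_FROM_GET-EXCHANGECERTIFICATE>'

# 1. Confirm the certificate on CAS1 carries its private key and the SAN names you expect.
#    HasPrivateKey must be True; a CA response merged with the pending request yields the full key pair.
Get-ExchangeCertificate -Server CAS1 -Thumbprint $thumb |
    Format-List Subject, CertificateDomains, HasPrivateKey, Services, NotAfter

# 2. Export the certificate WITH its private key as a password-protected PFX.
#    The password set here is the one the import on CAS2 will ask for.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported PFX'
$export = Export-ExchangeCertificate -Server CAS1 -Thumbprint $thumb -BinaryEncoded:$true -Password $pfxPassword
$pfxPath = '\\CAS2\C$\Temp\san-cert.pfx'   # assumed staging path, reachable from both servers
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte

# 3. Import the PFX on CAS2 using the same password. A "thumbprint already exists" error at this
#    step means this exact certificate is already in CAS2's store (the thumbprint is a hash of the
#    certificate, so it is identical on every server); check with Get-ExchangeCertificate -Server CAS2.
Import-ExchangeCertificate -Server CAS2 `
    -FileData ([Byte[]]$(Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)) `
    -Password $pfxPassword

# 4. Bind the certificate to IIS on CAS2 (the services Exchange Web Services, OWA, etc. run under).
Enable-ExchangeCertificate -Server CAS2 -Thumbprint $thumb -Services IIS

# 5. Remove the staged PFX: it contains the private key and should not linger on a file share.
Remove-Item -Path $pfxPath -Force

# 6. Verify both servers now show the same thumbprint with IIS enabled.
Get-ExchangeCertificate -Server CAS1 -Thumbprint $thumb | Format-List Thumbprint, Services
Get-ExchangeCertificate -Server CAS2 -Thumbprint $thumb | Format-List Thumbprint, Services
```

Because the thumbprint identifies the certificate itself rather than the server it sits on, running Get-ExchangeCertificate on CAS2 before the import is the quickest way to tell whether the "already exists" error means the cert is already present and only needs Enable-ExchangeCertificate -Services IIS.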