Install an Exchange 2010 SSL certificate without a CSR?

Question
Forum Members,
Is it possible to install an SSL certificate from a CA without first generating a CSR or renewal request?
Our IE/IT department was able to obtain a new UCC cert from GoDaddy.com that has all of our "domain.local" information removed from the SANs in the cert. A previous request was probably used to secure the new cert. I have the new .crt file and need to install it on our Exchange 2010 server. What is the method to do this?
Thanks in advance,
Joe
Tuesday, October 13, 2015 9:25 PM
Answers
Hi,
When a certificate request is made on Exchange, there is a pending certificate request on Exchange. The private key is created on Exchange and the CSR is sent to GoDaddy to create the certificate. When you download the CRT from GoDaddy this doesn't include the private key, but when you import the certificate into Exchange, Exchange puts the certificate together so you will then have a private and public key which you can use for Exchange services.
So, if there is a pending request then you can complete it but if there is an error then most likely this CRT does not relate to this particular pending request. If this is the case, you need to complete the pending request on the server that was used to create the CSR and then export the certificate with the private key (.pfx) then import this into Exchange and assign the services.
The full process of generating a CSR with Exchange, importing it and assigning it to services can be found here: http://markgossa.blogspot.com/2015/09/exchange-2013-install-certificate.html.
In short, you can import the CRT if you have a pending request relating to that CRT. If not, you need to either import the certificate on the server that was used to create the CSR or create a new CSR using Exchange.
Thanks.
Please mark as an answer if this answers your question
Mark Gossa
MCSE 2003, MCITP Enterprise Administrator 2008 R2, MCSA 2012 R2, MCTS Exchange 2010
Blog: http://markgossa.blogspot.com
Posts are provided “AS IS” without warranty of any kind, either expressed or implied.
- Marked as answer by Joe OConnor - Harron Thursday, October 15, 2015 7:36 PM
Wednesday, October 14, 2015 5:05 PM
I managed to get the certificate installed. Here's what I had to do:
1. Clicked the "Renew Exchange Certificate" option in the Management Console (since it was assumed that we had used the last renewal request file to have GoDaddy.com resign the certificate and strip out the domain.local information).
2. Create a .req file on the Exchange server.
3. Complete the pending request using the certificate file that our IE/IT department sent (the intermediate bundle certs were already on the Exchange server). I just had to copy and rename the certificate as a .CER extension for the process.
4. Assign services to the new certificate. During this step, I received an error concerning the certificate and thumbprint.
5. I ran the following command on the Exchange server at an administrative command prompt: certutil -repairstore My "Thumbprint". I followed the instructions listed here:
http://geekphreek.com/exchange-2010-certificate-request-not-completing/comment-page-1/
6. After the command completed, I refreshed the Management Console and the certificate was present. I had to remove the pending request, though, manually.
7. The certificate did NOT have a friendly name assigned to it so I had to run mmc and the Certificate snap-in and modify the certificate listed under Personal\Certificates to add the friendly name of mail.domain.com. A refresh of the Management Console then showed the friendly name in the listing.
I tested OWA, Autodiscover and Outlook Anywhere (all internally and externally) with no issues.
Thanks for the help! Much appreciated!
Joe
- Marked as answer by Joe OConnor - Harron Thursday, October 15, 2015 7:36 PM
Thursday, October 15, 2015 7:36 PM
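The sequence Mark describes (complete the pending request, check that Exchange paired the CRT with its private key, assign services) and the repair and friendly-name steps Joe ended up doing by hand, as one added Exchange Management Shell example; this is not code from the thread or from either poster. The certificate path, server name and mail.domain.com host name are placeholders.

```powershell
# Added example (not from the thread): complete a pending Exchange 2010 request
# with the CA-issued .crt, detect the missing-private-key condition, repair the
# key association, set the friendly name and assign services.
# Run in the Exchange Management Shell with local administrator rights.

$CrtPath = 'C:\certs\mail.domain.com.crt'   # placeholder: the .crt the CA issued

# 1. Is there a pending request on this server? The CRT can only be completed
#    here if the private key for its CSR lives in this machine's store.
Get-ExchangeCertificate | Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-List Thumbprint, Subject, CertificateDomains, NotBefore

# 2. Complete the request by importing the CA's certificate. The cmdlet takes the
#    raw file bytes; a .crt and a .cer hold the same data, so no rename is needed.
$Cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $CrtPath -Encoding Byte -ReadCount 0))

# 3. Verify the public certificate was paired with its private key. HasPrivateKey
#    is false when the CRT matches no pending request here, or when the key
#    association was lost (the case certutil -repairstore fixes, as Joe saw).
$Installed = Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint
if (-not $Installed.HasPrivateKey) {
    certutil.exe -repairstore My $Cert.Thumbprint
    $Installed = Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint
}
if (-not $Installed.HasPrivateKey) {
    throw "No private key for $($Cert.Thumbprint): complete the request on the server that generated the CSR and move it as a .pfx."
}

# 4. Set the friendly name Joe had to add through the MMC snap-in. Assigning
#    FriendlyName on a store-backed X509Certificate2 persists it to the store.
$Store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$Store.Open('ReadWrite')
$X509 = $Store.Certificates | Where-Object { $_.Thumbprint -eq $Cert.Thumbprint }
$X509.FriendlyName = 'mail.domain.com'   # placeholder host name
$Store.Close()

# 5. Assign services; Exchange prompts before replacing the current SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services IIS, SMTP, POP, IMAP

# 6. Confirm the SAN list carries only public names (no domain.local entries).
(Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint).CertificateDomains |
    Where-Object { $_ -match '\.local$' }   # expected: no output
```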
All replies
Hi,
In order to install a certificate on Exchange, you need to install both the private key and the public key. CRT files only include the public key which means Exchange will not be able to use it. If you have this certificate in use on another server then you can export a certificate with the private key which will be a .PFX file. You can then import this into Exchange.
If this cannot be done then you need to configure Exchange not to use .local names then you can create a new CSR and get a certificate for your .com domain names only. To do this, run all of the commands listed in this article: https://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm. This way you can create a certificate that only includes mail.domain.com and autodiscover.domain.com and doesn't require any domain.local names. This should be done as .local names will no longer be allowed on public CA certificates.
Thanks.
Please mark as an answer if this answers your question
Mark Gossa
MCSE 2003, MCITP Enterprise Administrator 2008 R2, MCSA 2012 R2, MCTS Exchange 2010
Blog: http://markgossa.blogspot.com
Posts are provided “AS IS” without warranty of any kind, either expressed or implied.
- Proposed as answer by jim-xu Wednesday, October 14, 2015 7:10 AM
Tuesday, October 13, 2015 10:12 PM
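Mark's second route, reconfiguring Exchange 2010 so clients are no longer given .local URLs and then requesting a certificate that carries only the public names, as an added Exchange Management Shell example; it is not code from the thread or from the DigiCert article he links. EXCH01, mail.domain.com, autodiscover.domain.com, the organisation name and the output path are placeholders, and it assumes split DNS so that mail.domain.com resolves to the Client Access server from inside the network.

```powershell
# Added example (not from the thread): point the Client Access internal URLs at the
# public host name, confirm no .local name is still advertised, then generate a CSR
# with public SANs only. Run in the Exchange Management Shell.
$Server     = 'EXCH01'            # placeholder Client Access server
$PublicHost = 'mail.domain.com'   # placeholder; must resolve internally (split DNS)
$AutoDHost  = 'autodiscover.domain.com'

# Autodiscover SCP and the virtual directories clients learn their URLs from.
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$AutoDHost/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "https://$PublicHost/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" -InternalUrl "https://$PublicHost/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$PublicHost/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" -InternalUrl "https://$PublicHost/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" -InternalUrl "https://$PublicHost/ecp"

# Sanity check before paying for a certificate: anything still pointing at .local
# would break clients once the new certificate has no .local SAN.
$Urls = @(
    (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
    (Get-OABVirtualDirectory -Server $Server).InternalUrl
    (Get-ActiveSyncVirtualDirectory -Server $Server).InternalUrl
    (Get-OwaVirtualDirectory -Server $Server).InternalUrl
    (Get-EcpVirtualDirectory -Server $Server).InternalUrl
) | ForEach-Object { "$_" }
$Stale = $Urls | Where-Object { $_ -match '\.local' }
if ($Stale) { throw "Internal URLs still reference .local names:`n$($Stale -join "`n")" }

# New CSR with public names only. Keep the key exportable so the finished
# certificate can be moved to another server as a .pfx if needed.
$Req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 `
    -SubjectName "CN=$PublicHost, O=Example Org, C=US" `
    -DomainName $PublicHost, $AutoDHost
Set-Content -Path 'C:\certs\mail.domain.com.req' -Value $Req   # submit this file to the CA
```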
Thanks, Mark!
I had previously generated a "renew" cert request on the Exchange server back at the end of July when we had to renew our 10-slot UCC cert with GoDaddy.com. I imagine that our IE/IT department used that same renew request to process the new cert from GoDaddy that has the "domain.local" information stripped out of it.
Can I simply use an import command in the Management Shell to import that .crt file or do I need to generate a new CSR or a new "renew" request? Or...do I need to generate a new CSR and remove any .local references from the Exchange Configuration (Services) section of the wizard then get it resigned at GoDaddy.com?
Joe
Wednesday, October 14, 2015 3:17 PM