exchange 2007 certificate error

  • Question

  • Folks, I'm breaking my head with this certificate in Exchange 2007.

    I did the procedure to generate the certificate request via the Exchange 2007 shell console.

    I used the following command to generate a SINGLE CERTIFICATE for my OWA :

    New-ExchangeCertificate -DomainName webmail.domain.com.br -SubjectName "c=BR,o=Company Name,CN=webmail.domain.com.br" -PrivateKeyExportable:$True -GenerateRequest:$True -Path "C:\novocertificado2013.req"

    And the command below to generate another SINGLE CERTIFICATE for autodiscover :

    New-ExchangeCertificate -DomainName autodiscover.meudominio.com.br -SubjectName "c=Br,o=Company Name,CN=autodiscover.meudominio.com.br" -PrivateKeyExportable:$True -GenerateRequest:$True -Path "C:\novocertificado_2_2013.req"

    Well, so far so good!

    I sent the request to a valid certification authority (RapidSSL). I chose SINGLE CERTIFICATE for reasons of cost.

    I received the email with the valid certificate and tried to follow the tutorials on the net to import it to Exchange .

    I used the following walkthrough:

    https://support.globalsign.com/customer/portal/articles/1226878-install-certificate---microsoft-exchange-2007

    Some time ago I carried out the installation of certificates in 2007 without problems following these steps; however, when I go to import my certificates on a client's server, it gives me the following error message:

    [PS] C:\Documents and Settings\wadmin>Import-ExchangeCertificate -Path C:\Intermediate_Webmail_102013.cer
    Import-ExchangeCertificate : Can not import the already there is a certificate with a thumbprint of C039A3269EE4B8E82D00C53FA797B5A19E836F47.
    At line:1 char:27
    + <<<< Import-ExchangeCertificate -Path C:\Intermediate_Webmail_102013.cer

    This certificate was purchased this week with a validity of 1 year. But honestly, I do not understand why it was purchased: when I access the client's Webmail, it shows me that it already has a certificate valid until 04/10/2014. I.e., it was purchased unnecessarily, since there was already one valid until the date mentioned. Anyway, with the NEW certificate in hand, valid until 10/10/2014, I would like to update this one.

    Anyway, I still have a doubt about the following: since this new certificate is another certificate, shouldn't its THUMBPRINT be different? (Correct me if I'm wrong.)

    This error is happening with the certificate for webmail; the certificate for the domain autodiscover.meudominio.com.br has not yet arrived, and once I get it, if it gives an error when I try to import it, I will post here with more details.

    Another DOUBT: the email arrived with two files for the generated certificate; one is the Web Server certificate and the other is the INTERMEDIATE CA CERTIFICATE.

    Where should I use each? How do I use them? Can somebody shed some light?

    Thanks in advance.


    Albert Alberico dos Santos

    Friday, October 18, 2013 6:54 PM

Answers

  • The thumbprint should be unique for each certificate -- unless you renewed the old certificate and asked to keep the same key.

    If you want to use the new certificate you can remove the old one from the certificate store and then import the new one.


    --- Rich Matheisen MCSE&I, Exchange MVP

    Saturday, October 19, 2013 4:14 PM

All replies

  • How do I remove the old certificate? Would this be done by Exchange itself?

    Albert Alberico dos Santos

    Monday, October 21, 2013 12:04 PM
  • Hi

    You would use the Certificates MMC snap-in (Computer option) and look in the Personal certificate store.

    Steve

    Monday, October 21, 2013 12:38 PM
  • Rich, thank you!
    I'm from Brazil, and I'm still having a problem with the autodiscover certificate.

    Would you be able to give me a hand with this problem too?

    Follow the link to open the post:

    http://social.technet.microsoft.com/Forums/exchange/pt-BR/ceaa5e30-d484-4b82-b637-7eafe9db0549/problemas-com-certificado-valido-autodiscover?forum=exc2007pt

    You can use http://translate.google.com and translate from Portuguese (Brazil-BR) into English.

    If you can add me on Skype too, because the customer is almost canceling the contract due to this problem that I am not able to solve.

    I await your help.


    Albert Alberico dos Santos

    Monday, October 21, 2013 1:16 PM
  • How do I remove the old certificate? Would this be done by Exchange itself?

    Albert Alberico dos Santos

    Hi,

    We can use Remove-ExchangeCertificate -Thumbprint C039A3269EE4B8E82D00C53FA797B5A19E836F47 to remove this same certificate. Then please run Import-ExchangeCertificate to install the new one.

    Additionally, as Rich Matheisen says, we can also use Microsoft Management Console (MMC) to remove it:

    1.  Start > Run, type “MMC” and enter.
    2.  In the open window, click File > Add/Remove snap in…
    3.  In the Available snap-ins tab, select Certificates > Add > Computer account > Local computer.
    4.  Click “Finish” and “Ok”.
    5.  Expand Certificates > Personal > Certificate.
    6.  In the right result pane, please find the old certificate and you can delete it.

    Hope it helps.

    Thanks,
    Winnie



    Monday, October 21, 2013 3:43 PM
  • Use the MMC "certificates" snap-in. Select "Computer Account" and the "Local Computer" as the source.

    Find the cert in the "Personal" container and delete it (if you want to feel all warm and fuzzy you can export the certificate and its private key to a file before you delete it).


    --- Rich Matheisen MCSE&I, Exchange MVP

    Monday, October 21, 2013 10:02 PM
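
A read-only check to run before Import-ExchangeCertificate or before deleting anything, added here as an example and not part of any reply in this thread: it reports whether a .cer file is a CA certificate or a server certificate and whether its thumbprint is already present in the local computer's Personal or Intermediate Certification Authorities store. The function name Get-CertImportReport is hypothetical; the file path is the one shown in the question.

```powershell
# Added example. Get-CertImportReport is a hypothetical helper name.
# Read-only: it parses the file and lists the stores, it changes nothing.
function Get-CertImportReport {
    param([string]$Path)   # use a full path; .NET resolves relative paths differently

    # Parse the .cer file directly, without importing it anywhere.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Basic Constraints with CA=TRUE marks an intermediate or root CA certificate.
    $isCa = $false
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
            $isCa = $ext.CertificateAuthority
        }
    }

    # Search Personal (My) and Intermediate Certification Authorities (CA)
    # of the local computer for a certificate with the same thumbprint.
    $found = @()
    foreach ($store in 'My', 'CA') {
        foreach ($c in (Get-ChildItem "Cert:\LocalMachine\$store")) {
            if ($c.Thumbprint -eq $cert.Thumbprint) {
                $found += "$store (HasPrivateKey=$($c.HasPrivateKey))"
            }
        }
    }

    # One object per file, so several files can be compared side by side.
    $report = "" | Select-Object Subject, Issuer, NotAfter, Thumbprint, IsCA, AlreadyIn
    $report.Subject    = $cert.Subject
    $report.Issuer     = $cert.Issuer
    $report.NotAfter   = $cert.NotAfter
    $report.Thumbprint = $cert.Thumbprint
    $report.IsCA       = $isCa
    $report.AlreadyIn  = [string]::Join(', ', $found)
    $report
}

# Path taken from the question; adjust to the file being checked.
$file = 'C:\Intermediate_Webmail_102013.cer'
if (Test-Path $file) { Get-CertImportReport -Path $file | Format-List }
```

A file reported with IsCA = True is the intermediate CA certificate, which belongs in the Intermediate Certification Authorities store; the web server certificate is the one that pairs with the private key created by the request.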
  • If you're a "typical" Exchange organization you'll use a SAN/UCC certificate with multiple names. If you want to use just one certificate for everything you can do that, but it requires the use of a SRV record in your DNS.

    This is for Exchange 2010 but should still apply to 2010:

    http://support.microsoft.com/kb/940881/en-us

    This might help, too:

    http://blogs.technet.com/b/exchdxb/archive/2012/05/10/troublshooting-autodiscover-exchange-2007-2010.aspx

    PS: It doesn't matter where you are -- the Internet's everywhere. :-)


    --- Rich Matheisen MCSE&I, Exchange MVP

    Monday, October 21, 2013 10:07 PM