Import certificate in Exchange 2007

  • Question

  • Hello,

    I have a problem importing a trusted certificate in Exchange 2007.

    Here is what I have:

    • cert.chain.crt (the intermediate certification authority from what I understand)
    • cert.csr file
    • cert.crt file
    • cert.pem file (which is a RSA PRIVATE KEY)
    • I don't have any pending certificate request in the Certificates MMC

    The certificate is provided by SSL247 and is validated by GlobalSign Organization Validation CA - G2 intermediate certification authority.

    I did the following:

    • import the intermediate certification authority (cert.chain.crt) on my CAS computer using the MMC
    • from the Exchange Management Shell:
    • Import-ExchangeCertificate -Path mycert.crt
    • Enable-ExchangeCertificate -Services IIS

    When I run that last command, I get an error:

    Enable-ExchangeCertificate : The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server(reason: PrivateKeyMissing).

    I tried the solution found here: https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1188

    but it's not working.

    When I run 

    certutil -repairstore my "SerialNumber"

    I get the following error:

    =============== Certificate 1 ================
    (...)
    No key provider information
    Cannot find the certificate and private key for decryption.
    CertUtil: -repairstore command FAILED: 0x80090010 (-2146893808)
    CertUtil: Access denied.
    PS C:\Users\Administrator.>

    From what I understand since the beginning and based on my search, the main problem would be that the Certificate Signing Request has not been issued from my CAS server.

    I'm new to this kind of problem; any advice would be much appreciated.

    Thank you,

    Yoann


    Thursday, March 22, 2012 12:26 PM

All replies

  • Yes, that could be the issue. Where did you do the cert request from? You need to finish the CSR request with the answer file from your CA on the same server you issued the request from. Once that's done, you can just export the cert with the private key to your CAS server.

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Thursday, March 22, 2012 3:18 PM
  • Hello,

    Thanks for your answer.

    It seems that the CSR has been provided by the Certification Authority with the .crt, .pem and chain.crt files (I haven't been the one issuing the request).

    I found the following command:

    # Generate a pfx from crt and key with intermediate CA
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

    which I translated in my case to

    openssl pkcs12 -export -out cert.pfx -inkey cert.pem -in cert.crt -certfile cert.chain.crt

    I then got a pfx file but still the same problem when running 

    Enable-ExchangeCertificate -Services IIS

    or trying to repair the store...

    I will ask the person who made the request tomorrow whether he did anything special, but I am sure the CSR hasn't been issued from my CAS server. Another colleague told me that there are 2 ways to make a trusted certificate request:

    • generate a CSR and contact your signing organization (GlobalSign, ...) to get the signed certificate
    • ask the signing organization to do all the stuff for you (CSR, crt, key)

    Is this correct, or could he be wrong?

    Thanks again !

    Yoann

    Thursday, March 22, 2012 4:16 PM
  • You don't need to mess with openssl. When you generate the CSR request, the private key is used, which is on the server you generated from. When the cert comes back from the CA, you have to finish the request, which will combine it with the private key, which is why it's typically done on the server it was generated from. You don't need to do the openssl step manually to finish the request, though you can if you have the private key exported. Just generate the CSR from your CAS server using PowerShell, not IIS, and resend it to the CA.


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com


    • Edited by Jamestechman Thursday, March 22, 2012 4:36 PM
    • Marked as answer by Gavin-Zhang Wednesday, April 4, 2012 6:12 AM
    Thursday, March 22, 2012 4:35 PM
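The two workflows discussed in this thread, written out for the Exchange 2007 Management Shell as an added example (this is not code from the posters). Hostnames, the organization name, and the file paths are placeholders; run whichever workflow applies, then the common tail.

```powershell
# Added example, not from the thread. Placeholders: contoso.com names, C:\certreq\ paths.

# --- Workflow A: generate the CSR on the CAS itself (the accepted advice) -------------
# The private key is created in this server's store when the request is generated, so
# the CA's signed certificate pairs with it on import and the key is never copied around.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'c=FR, o=Contoso, cn=mail.contoso.com' `
    -DomainName mail.contoso.com, autodiscover.contoso.com `
    -PrivateKeyExportable $true `
    -Path 'C:\certreq\mail.contoso.com.req'
# Send the .req file to the CA. When the signed certificate comes back, completing the
# request is just importing it; the cmdlet returns the certificate object (thumbprint included).
$cert = Import-ExchangeCertificate -Path 'C:\certreq\mail.contoso.com.crt'

# --- Workflow B: key and certificate were produced elsewhere (the original poster's case)
# Importing only the .crt gives PrivateKeyMissing because the store has no matching key.
# Bundle key, leaf certificate and chain into a PFX first (the openssl command quoted in
# the thread), then import the PFX rather than the .crt:
#   openssl pkcs12 -export -out cert.pfx -inkey cert.pem -in cert.crt -certfile cert.chain.crt
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-ExchangeCertificate -Path 'C:\certreq\cert.pfx' -Password $pfxPassword

# --- Common tail: confirm the private key is present before binding the cert to IIS ----
$check = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
if (-not $check.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in the local store; " +
          "Enable-ExchangeCertificate would fail with PrivateKeyMissing."
}
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Subject, HasPrivateKey, Services, NotAfter
```

The HasPrivateKey check is the same condition the error message reports; checking it before Enable-ExchangeCertificate tells you whether the import actually paired the certificate with a key.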
  • Ok thank you,

    I will try it this way and keep you informed as soon as I have a result :)

    Yoann

    Friday, March 23, 2012 8:33 AM
  • One more point :

    our certificate is a wildcard certificate. If we issue a CSR from our Exchange server, will the certificate we receive from the certification authority work with other services that require this wildcard certificate?

    Thank you.

    Friday, March 23, 2012 9:33 AM
  • Well,

    I guess yes, as long as I export the cert and private key from my Exchange server to import them on a new server. Can someone confirm?

    Friday, March 23, 2012 10:29 AM
  • Hi snoopscratchy,

    Sure, you are right; you could get some information from here.
    If you use the wildcard cert, there will be some issues with ActiveSync.

    Regards!

    Gavin

    TechNet Community Support


    • Edited by Gavin-Zhang Monday, March 26, 2012 7:54 AM
    • Marked as answer by Gavin-Zhang Wednesday, April 4, 2012 6:12 AM
    Monday, March 26, 2012 7:46 AM