Error "The certificate is invalid for Exchange Server usage" when I import my current Exchange 2003 COMODO cert into my 2010 test lab

  • Question

  • I'm currently on Exchange 2003 and have created a test lab to test the migration from Exchange 2003 to 2010. Just for grins I tried exporting the certificate (.pfx with private key) from my current Exchange 2003 server and then imported it into my 2010 server. The status shows as "The certificate is invalid for Exchange Server usage", but on the certificate itself the chain is "OK". I tried re-importing the root certs from the COMODO website, no joy. Also, I can use the EMS command "Enable-ExchangeCertificate certificate -services IIS" to assign it to the IIS service, browse the OWA webpage on the local machine (as I added the URL "mail.domain.com" of the cert to the hosts file on that system to resolve locally) and it works! I've also set the URLs on the Server Configuration/Client Access services (OWA, ECP...) to the cert domain (mail.domain.com), just in case it was complaining about that, no joy there either... :(

    Thanks all.


    Thursday, March 17, 2011 4:09 PM

All replies

  • How did you import it and where?

    What do the properties of the certificate say?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Thursday, March 17, 2011 6:36 PM
  • I imported it from the EMC (Server Configuration:Exchange Certificates)

    Properties? Gosh, like the Certificate Information? One of the items from the Details tab (Version, Issuer, Key Usage)? As mentioned, the Certification Path shows as "OK".

    Thanks for your assistance.

    Of course I could probably simply reapply for the cert when I cut over to 2010, but it seems like this one should work? Plus I'd like to have fewer things to worry about during the cutover, as I'm sure something will crop up.. :D


    Thursday, March 17, 2011 7:14 PM
  • Also, not sure if this is a clue, but the "certificate purposes" don't appear the same if I view the certificate properties from the production Exchange 2003 server vs the 2010 lab box.

    On the production server it shows the purposes as:

    1.3.6.1.4.1.6449.1.2.1.3.4

    1.3.6.1.4.1.311.10.3.3

    2.16.840.1.113730.4.1

    But the cert on the lab server only shows:

    1.3.6.1.4.1.6449.1.2.1.3.4

    Also, under the Certificate Purposes on the certificate for the production box, it shows "1.3.6.1.4.1.311.10.3.3" and "2.16.840.1.113730.4.1" available (and both checked), but the same certificate on the lab box of course doesn't show those at all.

    Hmmm...

    Thursday, March 17, 2011 10:03 PM
  • Hi glaviolette,

    Some information for you about Exchange 2010 certificates:
    http://technet.microsoft.com/en-us/library/dd351044.aspx
    http://technet.microsoft.com/en-us/library/dd351183.aspx
    http://technet.microsoft.com/en-us/library/aa997231.aspx
    I would use Get-ExchangeCertificate on the Exchange 2010 CAS server to confirm some information, and then check the URLs configured for OWA, ECP and so on.

    Regards!
    Gavin

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Friday, March 18, 2011 10:04 AM
  • How did you generate the certificate request?

    In the certificate properties, Details tab, does it show Server Authentication and Client Authentication in the Enhanced Key Usage property?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Saturday, March 19, 2011 3:38 AM
  • How did you generate the certificate request?

    In the certificate properties, Details tab, does it show Server Authentication and Client Authentication in the Enhanced Key Usage property?

    It was originally generated from my current Exchange 2003 box.

    Yes, it does show both Server Authentication and Client Authentication in the Enhanced Key Usage property. Again, this is for the certificate that was exported (.pfx) from my live Exchange 2003 box and then imported into my Exchange 2010 lab.

    Also, for grins I created a self-signed cert (from the lab Cert Auth) for the same URL (mail.domain.com) and that shows as "valid for Exchange Server Usage". So, given that, I'm assuming the problem with my "real" cert isn't to do with the URL?

    This is starting to seem like I'll have to reapply for the cert from the TBD production Exchange 2010 box, which again adds to the pain of the whole process and seems like it should be totally unnecessary... :(


    Thanks all


    Monday, March 21, 2011 5:27 PM
  • I would use Get-ExchangeCertificate on the Exchange 2010 CAS server to confirm some information, and then check the URLs configured for OWA, ECP and so on

    From the EMS I ran "Get-ExchangeCertificate |fl". The only item that seems suspect is that the RootCAType is "Unknown" (vs "None" on my Federation key) and of course the Status is "Invalid". But again, the cert in Certificate Manager looks perfect, or at least identical to my working cert on my production 2003 box.

    I double checked the External URL on the Client Access services. Plus I ran the Configure External Client Access Domain "wizard" (right click Server Configuration:Client Access) as well.

    Monday, March 21, 2011 5:37 PM
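The checks the thread has been doing by hand (Ed's question about Server/Client Authentication in the EKU, the "certificate purposes" OIDs, the Certification Path being "OK", and the Get-ExchangeCertificate output) can be run against the exported .pfx directly. The script below is an added example written for this page, not code from the thread or from Microsoft; the PFX path, password and host names are placeholders. It reads the Enhanced Key Usage from the certificate itself (the "Certificate purposes" list in the Windows properties dialog is a per-store setting and can differ between machines, which is consistent with the two lists posted above), builds the chain with revocation checking off, and checks whether the names Exchange 2010 will need are on the certificate.

```powershell
# Added example, not code from the thread. Inspects a PFX the way the posts above do by hand:
# EKU OIDs, chain, names and private key. All paths, passwords and host names are placeholders.
param(
    [string]   $PfxPath  = 'C:\lab\mail.domain.com.pfx',   # assumption: the exported 2003 cert
    [string]   $PfxPass  = 'ChangeMe',                      # assumption
    [string[]] $Required = @('mail.domain.com', 'autodiscover.domain.com')  # assumption
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth; IIS/TLS needs this in the EKU

function Get-CertFromPfx([string] $Path, [string] $Password) {
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path, $Password, $flags
}

function Get-EkuReport($Cert) {
    # An empty result means there is no EKU extension, i.e. the cert is not restricted to any purpose.
    # Oid.FriendlyName resolves well-known OIDs (Server Authentication, Netscape Server Gated Crypto, ...)
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    foreach ($oid in $ext.EnhancedKeyUsages) {
        New-Object PSObject -Property @{ Oid = $oid.Value; Name = $oid.FriendlyName }
    }
}

function Test-Chain($Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # A lab box may not reach the CRL/OCSP endpoints; trust of the chain is what we want to see here
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Cert)
    $last  = $chain.ChainElements.Count - 1
    $root  = ''
    if ($last -ge 0) { $root = $chain.ChainElements[$last].Certificate.Subject }
    New-Object PSObject -Property @{
        Trusted = $built
        Depth   = $chain.ChainElements.Count
        Root    = $root
        Errors  = (@($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })) -join '; '
    }
}

function Get-CertNames($Cert) {
    $names = @()
    # Subject Alternative Name (OID 2.5.29.17); Format() renders "DNS Name=mail.domain.com, DNS Name=..."
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    # Subject CN (or the first SAN entry, if .NET prefers it)
    $names += $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $names | Sort-Object -Unique
}

function Test-Names([string[]] $Names, [string[]] $Wanted) {
    # A cert name such as *.domain.com is treated as a wildcard via -like
    # (looser than what browsers enforce, but adequate for this inventory)
    foreach ($h in $Wanted) {
        $hit = $Names | Where-Object { $h -like $_ }
        New-Object PSObject -Property @{ Host = $h; Covered = [bool]$hit }
    }
}

$cert = Get-CertFromPfx $PfxPath $PfxPass
"Subject        : $($cert.Subject)"
"Thumbprint     : $($cert.Thumbprint)"
"Has private key: $($cert.HasPrivateKey)"    # Enable-ExchangeCertificate needs the key present
"Valid          : $($cert.NotBefore) to $($cert.NotAfter)"

$eku = @(Get-EkuReport $cert)
"EKU:"
$eku | Format-Table Oid, Name -AutoSize
if ($eku.Count -gt 0 -and -not (@($eku | ForEach-Object { $_.Oid }) -contains $ServerAuthOid)) {
    Write-Warning 'No Server Authentication EKU: IIS/TLS cannot use this certificate.'
}

$chain = Test-Chain $cert
"Chain trusted  : $($chain.Trusted)  (depth $($chain.Depth), root: $($chain.Root))"
if ($chain.Errors) { "Chain errors   : $($chain.Errors)" }

$names = @(Get-CertNames $cert)
"Names on cert  : $($names -join ', ')"
Test-Names $names $Required | Format-Table Host, Covered -AutoSize
```

Run it on the lab box against the same .pfx that was imported, then compare with Exchange's own view of that certificate in the EMS: "Get-ExchangeCertificate -Thumbprint <thumbprint> | fl Status,RootCAType,Services,CertificateDomains". If the script shows a trusted chain and a Server Authentication EKU but the EMS still reports the status as invalid, the disagreement is between the Windows chain engine and Exchange's own validation, which narrows the search; if the names table shows a host Exchange 2010 will publish (for example autodiscover) as not covered, that is the gap a new SAN/UCC request would have to close regardless of the status shown.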
  • Hi glaviolette,

    Could you please post the information that you got here? We could do more research about it; you could replace the sensitive words in the information with "xxx".
    Per your description, the status of the cert you imported into the Exchange 2010 CAS server is invalid. I suppose that it is not assigned to the services, right?
    Some information for you:
    http://technet.microsoft.com/en-us/library/dd351257.aspx

    Regards!
    Gavin

    TechNet Subscriber Support in forum
    Thursday, March 24, 2011 8:24 AM
  • How did you generate the certificate request?

    Hmm, the certificate (again, the one that was exported from my Exchange 2003 box) *might* not be a "UCC" certificate (which is necessary for Autodiscover?). Would that cause EMC to complain that the certificate is "invalid for Exchange server use"? Is there a way to find out from the properties of the certificate whether this is (or is not) a UCC cert?

    Thanks!

    Tuesday, March 29, 2011 7:51 PM
  • Hi glaviolette,

    As I requested, with the detailed information about the cert we could confirm whether the names needed for the new Exchange 2010 server are present. If it is not a UCC cert, it is not suggested to use it, because we may need more SANs in the cert.
    Some information for you:
    http://technet.microsoft.com/en-us/library/dd351044.aspx
    If you still have some questions, please feel free to let us know.

    Regards!
    Gavin
    TechNet Subscriber Support in forum
    Wednesday, March 30, 2011 3:44 AM
  • Hello, I have not seen the resolution to this problem.

    My 2010 cert also shows up as INVALID. I do not see anything wrong with the cert. There were no errors when it was imported, IIS is enabled on the cert and it is in the Trusted Root.

    Any suggestions how to debug this?

    Thursday, July 21, 2011 11:42 PM