Seriously messed up certificate utilities in Exchange 2010 RC

    Question

  • I am trying to install a .crt file that I received from GoDaddy.  I don't think I need any help, but I just want to express that I think Exchange
    2010 still has a ways to go in the way it handles certificates.  For instance, at the present time, we have the following:

    * The Get-ExchangeCertificate command returns nothing.
    * There is a certificate shown in the certificates mmc.
    * There are no certificates shown in the Exchange Management Console.
    * Running certutil -repairstore my "XXXXXXX" returns "Cannot find the certificate and private key for decryption".
    * Attempting to enable the certificate shown in the mmc results in "The certificate was not found."
    * Trying to import the certificate via the GUI wizard insists on a password, which crt files do not have.
    * Trying to import the certificate with import-exchangeCertificate ...many long arguments... results in "The source data is corrupted or not properly Base64 encoded".
    This is apparently a known bug one is supposed to ignore, except that the cert doesn't actually get imported.

    So, basically, maximum chaos, with Exchange both being difficult to use and contradicting itself all over the place.
    Any comments?


    Harold Naparst
    Monday, September 28, 2009 8:02 PM

All replies

  • Exchange aside, it looks like the local machine cannot even see the cert, and if the machine cannot see it, Exchange won't.

    Looking at the cert in MMC, does it look OK? Is it trusted, and does it have the private key?

    Is it also in the local computer container?

    Also, I am aware of the Base64 error you are referring to, and I don't think this is the same, as your error mentions corruption (i.e. it cannot read it).

    Here is the technet article for importing Exchange certificates, note that Exchange imports .pfx files

    http://technet.microsoft.com/en-us/library/dd351183(EXCHG.140).aspx

    Bottom line, I think you have not got a working cert yet on that machine, or a pfx file you can import with the wizard.

    Monday, September 28, 2009 11:47 PM
  • You are certainly correct.  In mmc, the little icon of the cert does not have the gold key.
    Double clicking on the cert in the mmc shows that it is OK and the chain to the root is OK.

    How do you get a private key or a pfx file?
    Harold Naparst
    Tuesday, September 29, 2009 5:32 AM
  • I have been trying to find a good article to show step by step process but it is not my day it seems.

    I think you are ok, as you are generating the CSR (request) and getting back the cert bundle from godaddy with a crt.

    But you need to copy the contents of the crt into notepad, then go back to where you created the request and complete the process, which will involve you pasting the CRT into the wizard.

    Failing that, contact their support; this is generally not hard and every one of their customers (using Windows) will need to do it, so I hope they have some instructions!!
    Tuesday, September 29, 2009 11:18 AM
  • Or maybe an even better option: you could delete that cert in the store and request a new one from Godaddy, but this time use the Exchange Wizard to request it.
    Tuesday, September 29, 2009 11:21 AM
  • The problem is that Godaddy only gives out .crt files, not .pfx files, so the CSR doesn't make a difference.
    Correct me if I am wrong (I probably am).


    Harold Naparst
    Tuesday, September 29, 2009 11:23 AM
  • I won't say you're wrong :)

    There are two steps to the process: you request the cert from godaddy, which gets you the CSR which you give to godaddy, then godaddy gives you the crt, which is not the final cert. You then have to complete the process of (from memory) copying the contents of the crt using notepad and pasting it into the pending certificate wizard.

    This will generate the actual certificate with private key; you can then back up the cert by exporting it with private key, creating a pfx file.

    I wish I could find a step by step doc.

    take a look at this, it should help join the dots http://help.godaddy.com/article/4801
    Tuesday, September 29, 2009 11:32 AM
  • You then have to complete the process of (from memory) copying the contents of the crt using notepad and pasting it into the pending certificate wizard.


    So this is the part I am not familiar with.  Which certificate wizard do you mean?  Is this something at Godaddy, Exchange, or mmc?


    Harold Naparst
    Tuesday, September 29, 2009 12:08 PM
  • How did you create the request in the first place? It will be in the same place.
    Tuesday, September 29, 2009 12:27 PM
  • Here is Godaddy's response:

    Thank you for contacting online support.

    Please note that we do not provide .PFX files. These are generated by combining the certificate file which we provide (.CER or .CRT) with the Private Key (usually .PVK) present on your server. Unfortunately, we cannot assist with the conversion of this file, and you will need to research the method for doing this using your favorite search engine. We thank you for your understanding in this matter.

    Please let us know if we can help you in any other way.


    Harold Naparst
    Tuesday, September 29, 2009 7:32 PM
  • Wonderfully helpful.

    So please tell me how you generated your first request that you sent to Godaddy
    Tuesday, September 29, 2009 7:42 PM
  • New-ExchangeCertificate -generaterequest -subjectname "dc=com,dc=contoso,o=Contoso Corporation,cn=exchange.contoso.com" -domainname CAS01,CAS01.exchange.corp.constoso.com,exchange.contoso.com, ,autodiscover.contoso.com -PrivateKeyExportable:$true -path c:\certrequest_cas01.txt
    Harold Naparst
    Tuesday, September 29, 2009 7:52 PM
  • Perfect, so all your answers are here http://msexchangeteam.com/archive/2007/02/19/435472.aspx  :)

    You should only need to Import-ExchangeCertificate -Path c:\certificates\newcert.cer or maybe Import-ExchangeCertificate -Path c:\certificates\newcert.crt

    But this must be done on the same machine that the request was done on.

    But read this post, it is very good.
    • Marked as answer by fscefwcx Tuesday, September 29, 2009 8:06 PM
    Tuesday, September 29, 2009 8:00 PM
  • Thanks for your help!

    When you have the certificate, with the associated key pair, on a server, make sure you make a PFX file for backup. Use the Certificate Manager in MMC for this. Right-click the certificate, click Export, and follow the wizard. You want to create a PFX file, with the keys (which you'll have to provide a password for). Do not enable strong key protection.


    Harold Naparst
    Tuesday, September 29, 2009 8:07 PM
  • NP good luck

    Tuesday, September 29, 2009 8:09 PM
  • There are a few changes in the Exchange 2010 certificate import cmdlets, because it uses remote PowerShell, and that requires a special method to import/export files to the remote server over remote PowerShell...

    Understanding Importing and Exporting Files in the Exchange Management Shell

    If you are looking for importing cer/pfx certificates in EMS, then here are handy cmdlets for Exchange 2010...

    Exchange 2010 RC Certificate ( Generate, Import & Enable )



    Amit Tank | MVP – Exchange Server | MCITP: EMA | MCSA: M | http://ExchangeShare.WordPress.com

    • Proposed as answer by PT-Dresden Thursday, January 14, 2010 9:10 PM
    Wednesday, September 30, 2009 6:19 AM
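    The full lifecycle the thread pieces together (generate the CSR on the CAS, import the returned .crt on that same server, verify the private key is attached, assign services, then export a PFX backup) as one Exchange 2010 Management Shell script. This is an added example, not code from the thread or from Microsoft's documentation; it uses the Exchange 2010 byte-array file handling that Amit's links describe rather than the Exchange 2007 -Path form in Harold's request, and the hostnames, file paths and password prompt are placeholders.

    ```powershell
    # Added example: Exchange 2010 certificate lifecycle in the Exchange Management Shell.
    # Hostnames and paths below are placeholders; adjust to your own environment.
    $ReqPath = 'C:\certs\cas01-request.txt'
    $CrtPath = 'C:\certs\cas01-from-ca.crt'
    $PfxPath = 'C:\certs\cas01-backup.pfx'
    $PfxPass = Read-Host -AsSecureString 'PFX backup password'

    # 1. Generate the CSR on the Client Access Server. The private key is created in the
    #    local machine store right here, which is why the .crt must later be imported on
    #    this same server: a .crt on its own never carries a private key.
    $csr = New-ExchangeCertificate -GenerateRequest `
        -SubjectName 'cn=exchange.contoso.com,o=Contoso Corporation,dc=contoso,dc=com' `
        -DomainName 'exchange.contoso.com','autodiscover.contoso.com','CAS01.corp.contoso.com' `
        -PrivateKeyExportable $true
    Set-Content -Path $ReqPath -Value $csr

    # 2. After the CA returns the signed .crt, import it. Exchange 2010 cmdlets run over
    #    remote PowerShell, so the file is read locally into a byte array (-FileData)
    #    instead of being passed as a path the remote session might not see.
    $cert = Import-ExchangeCertificate `
        -FileData ([Byte[]]$(Get-Content -Path $CrtPath -Encoding Byte -ReadCount 0))

    # 3. The shell equivalent of the "gold key" check in the MMC: confirm the imported
    #    cert was matched to the pending request's private key.
    $installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
    if (-not $installed.HasPrivateKey) {
        throw 'No private key attached; import the .crt on the server that generated the CSR.'
    }

    # 4. Assign services, then export a PFX (certificate plus private key) as the backup
    #    the thread recommends; the password protects the key material in the file.
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP
    $pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded -Password $PfxPass
    Set-Content -Path $PfxPath -Value $pfx.FileData -Encoding Byte
    ```

    Steps 1 and 2 are normally separated by the CA's turnaround time, so run them as two sessions on the same server rather than as one script.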
  • Appreciate all the helpful PowerShell import steps.

    The point is that the EMC isn't very intuitive, since you use the GUI to create the .reg file but then there is no simple 'click to' linked wizard to then do something with the obtained .crt from GoDaddy.

    It's not simple at all to tell someone to know PowerShell commands that won't work with Exchange but infrequently. Is there a handy link to take you to a help section detailing this PowerShell script? Nope. Instead there is this wizard that doesn't use CRT files at all but is titled Import Exchange Certificate. Very frustratingly inadequate ... this is why the author and now myself are browsing around looking for answers in this forum.

    It takes a lot of wasted time going on a discovery for basic info that is entirely unnecessary if the GUI design team would put themselves into the shoes of the intended users so as to make it exhaustively succinct. This is why using an intuitive interface is what is expected and will be happily received by administrators everywhere once it gets honed, IMHO.

    *edit* Now later I have discovered that when I completed the New Certificate wizard, a placeholder of that cert request was added inside the adjacent certificates table. Once you have your .cer or .crt file you merely click on that placeholder and then run the "complete pending request" to actually and simply import this file. Subsequently, on the right column of links, select 'assign services to certificate' as desired.

    Dale Unroe
    Tuesday, February 22, 2011 1:57 AM