Problems creating exportable Exchange 2007 certificate & enabling it :( (Exchange2007<->NokiaE71)

  • Question

  • I try to create a new exportable SSL certificate to install it on Exchange 2007 & the user's Nokia E71. I'm on Windows 2008 Standard. Installed the Certification Authority Role & Certification Authority Web Enrollment, but can't access it with a web browser, because there are some problems starting it on Windows 2008. I try to do it through mmc. Please help me to solve the problem! I'm new to this, so I copied all info from the certificate that now works on Exchange 2007, but it's not exportable :( What I do:

    Variant 1:

    Computer account
    Local computer
    Click right button and choose all tasks
    Advanced operations
    Create custom request
    (No template) Legacy key
    Suppress default extensions - unchecked


    Friendly name - Exchange 2007
    Description - blank

    Common name - Servername
    Alternative name - DNS - Servername
    Alternative name - DNS - Servername.domainname.local

    Digital signature, Key encipherment
    Make these key usages critical - checked
    Extended key usage:
    Server Authentication
    Client Authentication
    Make the Extended key usage critical - unchecked
    Basic constraints, Include Symmetric algorithm, Custom extension definition - all unchecked

    Private Key:
    Cryptographic service provider - Microsoft Strong Cryptographic provider (Encryption)
    Key options:
    Key size - 2048
    Make private key exportable - checked
    Allow private key to be archived - unchecked
    Strong private key protection - unchecked
    Key type - Exchange
    Key permissions - Use custom permissions - unchecked

    File Name - 1 on drive C:
    File format Base 64

    Certification Authority
    Right click on domainname-Servername
    All tasks
    Submit new request
    Rename 1 to 1.req
    Choose it
    Get error: Certificate Request Processor: "
    The request contains no certificate template information.
    0x80094801 (-2146875391)
    Denied by Policy Module 0x80094801, The request does not
    contain a certificate template extension or the CertificateTemplate
    request attribute"

    Variant 2:

    Personal Certificates
    Right click
    All tasks
    Request new certificate
    Computer box - checked

    General, Subject, Extensions, Private Key - all the same as in my custom request

    Certification Authority:
    Certification Authority; Type Enterprise root CA
    domainname-Servername-CA box checked

    STATUS: Succeeded

    So this new certificate is in Certificates(Local computer)->Personal->Certificates

    Now I open Exchange Management Shell
    Enable-ExchangeCertificate -Thumbprint 716fccb24de7fa7d4f2220b4fea88630c153685c -Services IMAP

    Get error:"
    Enable-ExchangeCertificate : The certificate with thumbprint 716fccb24de7fa7d4f2220b4fea88630c153685c was found but not valid for use with Exchange Server (reason: PrivateKeyNotAccessible).
    At line:1 char:27
    + Enable-ExchangeCertificate  <<<< -Thumbprint 716fccb24de7fa7d4f2220b4fea88630c153685c -Services IMAP"


    By the way, Nokia support told me, that my certificate should be in P12 format, so plz tell me if I'm doing smth wrong in that case also.


    • Moved by Hengzhe Li, March 18, 2012 5:21, forum merge (From: Exchange Server 2007)
    October 23, 2008 7:39

All replies

  • Thanks for the article. When I try to create the certificate through Exchange power shell"


    New-ExchangeCertificate -DomainName -SubjectName "c=en,o=Company name," -PrivateKeyExportable:$True -GenerateRequest:$True -Path "C:\Certificates\CertRequest.req")


    I get this error:


    New-ExchangeCertificate : Either you cannot overwrite the output file C:\Certificates\CertRequest.req because it is set to read-only or you have insufficient permissions to create this certificate request.
    At line:1 char:24
    + New-ExchangeCertificate  <<<< -DomainName -SubjectName "c=en,
    o=Company name," -PrivateKeyExportable:$True -GenerateRequest:$True -Path "C:\Certificates\CertRequest.req"


    I tried to resolve it & found this article:

    But it didn't work for me.


    In Windows 2008 I have only





    I gave full control to my user (which is enterprise & exchange admin), administrators & network service.

    I also gave full control to folder C:\Certificates & didn't forget to change the setting from "this folder only" to "this folder, subfolders and files" for all folders above. Deleted empty CertRequest.req in C:\Certificates.


    And get the same error!!! :((( Can someone tell me, what should I do to fix it? Or maybe it can be done somehow from the gui?


    By the way, I noticed that all folders are marked read only, but files in there are not. When I uncheck read only and press ok & open properties of folder again it's read only again! :( I'm close to givin' it up!!!!!!!!!!!!! :(((((((((((((((

    October 23, 2008 11:05
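
Added example, not part of the thread and not posted by any participant: a `certreq` request built from the question's own settings that carries the `CertificateTemplate` attribute named in error 0x80094801 and marks the private key exportable, followed by the export to PKCS #12 (.pfx/.p12). Assumptions: a template named `WebServer` is published on the CA and this computer may enroll for it, `C:\Certificates` exists, and the subject names are the post's placeholders.

```powershell
# Added example. Assumptions: the WebServer template is published on the
# enterprise CA, this computer may enroll for it, and C:\Certificates exists.
# Single-quoted here-string so PowerShell does not expand "$Windows NT$".
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=Servername"
KeyLength = 2048
KeySpec = 1               ; AT_KEYEXCHANGE ("Key type - Exchange" in the wizard)
KeyUsage = 0xa0           ; digital signature + key encipherment
Exportable = TRUE         ; allows a later export of the private key
MachineKeySet = TRUE      ; key is created in the Local Computer store
ProviderName = "Microsoft Strong Cryptographic Provider"
ProviderType = 1
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"      ; Subject Alternative Name
_continue_ = "dns=Servername&"
_continue_ = "dns=Servername.domainname.local&"

[RequestAttributes]
CertificateTemplate = WebServer
'@
Set-Content -Path C:\Certificates\exchange.inf -Value $inf -Encoding ASCII

# Generate the key pair and request, submit it to the CA, install the result.
certreq -new    C:\Certificates\exchange.inf C:\Certificates\exchange.req
certreq -submit C:\Certificates\exchange.req C:\Certificates\exchange.cer
certreq -accept C:\Certificates\exchange.cer

# Placeholder: thumbprint of the newly installed certificate.
$thumb = '<THUMBPRINT-OF-NEW-CERT>'
Enable-ExchangeCertificate -Thumbprint $thumb -Services IMAP

# Export certificate plus private key as PKCS #12; certutil prompts for the
# password, which keeps it out of the command line and shell history.
certutil -exportPFX My $thumb C:\Certificates\exchange.pfx
```

The extended key usage is left to the template here, and `certreq -submit` shows a CA selection dialog when no `-config` value is given. The exported file contains the server's private key, so protect it with a strong password and delete the copy from `C:\Certificates` once it has been transferred.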