Problems creating exportable Exchange 2007 certificate & enabling it :( (Exchange2007<->NokiaE71)

  • Question

  • I am trying to create a new exportable SSL certificate to install on Exchange 2007 and a user's Nokia E71. I'm on Windows 2008 Standard. I installed the Certification Authority role and Certification Authority Web Enrollment, but can't access it with a web browser, because there are some problems starting it on Windows 2008. I am trying to do it through mmc. Please help me to solve the problem! I'm new to this, so I copied all the info from the certificate that now works on Exchange 2007, but it's not exportable :( What I do:

    Variant 1:

    Mmc
    Certificates
    Computer account
    Local computer
    Personal
    Certificates
    Click right button and choose all tasks
    Advanced operations
    Create custom request
    (No template) legacy key
    Pkcs#10
    Suppress default extensions unchecked
    Next

    Details
    Properties

    General:
    Friendly name - Exchange 2007
    Description - blank

    Subject:
    Common name - Servername
    Alternative name - DNS - Servername
    Alternative name - DNS - Servername.domainname.local

    Extensions:
    Digital signature, Key encipherment
    Make these key usages critical - checked
    Extended key usage:
    Server Authentication
    Client Authentication
    Make the Extended key Usage critical unchecked
    Basic constraints, Include Symmetric algorithm, Custom extension definition - all unchecked

    Private Key:
    Cryptographic service provider - Microsoft Strong Cryptographic provider (Encryption)
    Key options:
    Key size - 2048
    Make private key exportable - checked
    Allow private key to be archived - unchecked
    Strong private key protection - unchecked
    Key type - Exchange
    Key permissions - Use custom permissions - unchecked

    OK
    Next
    File Name - 1 on drive C:
    File format Base 64
    Finish

    MMC
    Certification Authority
    Right click on domainname-Servername
    All tasks
    Submit new request
    Rename 1 to 1.req
    Choose it
    Get error: Certificate Request Processor: "
    The request contains no certificate template information.
    0x80094801 (-2146875391)
    Denied by Policy Module 0x80094801, The request does not
    contain a certificate template extension or the CertificateTemplate
    request attribute"


    Variant 2:

    Mmc
    Certificates
    Personal Certificates
    Right click
    All tasks
    Request new certificate
    Next
    Computer box - checked
    Details
    Properties

    General, Subject, Extensions, Private Key - all the same as in my custom request

    Certification Authority:
    Certification Authority; Type Enterprise root CA
    domainname-Servername-CA box checked

    OK
    Enroll
    STATUS: Succeeded
    Finish

    So this new certificate is in Certificates(Local computer)->Personal->Certificates

    Now I open Exchange Management Shell
    Enable-ExchangeCertificate -Thumbprint 716fccb24de7fa7d4f2220b4fea88630c153685c -Services IMAP

    Get error:"
    Enable-ExchangeCertificate : The certificate with thumbprint 716fccb24de7fa7d4f2220b4fea88630c153685c was found but not valid for use with Exchange Server (reason: PrivateKeyNotAccessible).
    At line:1 char:27
    + Enable-ExchangeCertificate  <<<< -Thumbprint 716fccb24de7fa7d4f2220b4fea88630c153685c -Services IMAP"

    :(((((((((((((((((((


    By the way, Nokia support told me, that my certificate should be in P12 format, so plz tell me if I'm doing smth wrong in that case also.

     

    • Moved by Hengzhe Li, 18 March 2012 5:21, forum merge (From: Exchange Server 2007)
    23 October 2008 7:39
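
A diagnostic for the two errors quoted in the question, as an added example that is not part of the original post or of any reply. It assumes PowerShell 2.0 or later and an elevated prompt; the template name `WebServer` and the output file names are assumptions, while the thumbprint and folder paths are the ones quoted in the thread.

```powershell
# Added example, not from the thread. Assumes PowerShell 2.0+ (try/catch)
# and an elevated prompt on the Exchange server.
$thumb = '716fccb24de7fa7d4f2220b4fea88630c153685c'   # thumbprint quoted in the post

# Variant 1 (0x80094801): name the template as a request attribute on submit.
# 'WebServer' is an assumed template name and C:\1.cer a hypothetical output file.
#   certreq -submit -attrib "CertificateTemplate:WebServer" C:\1.req C:\1.cer

# Variant 2 (PrivateKeyNotAccessible): inspect the key behind the certificate.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) { throw "No certificate $thumb in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    'Certificate has no private key on this machine; it cannot be enabled or exported.'
    return
}

try {
    # Throws if the key cannot be opened through a CryptoAPI provider.
    $info = $cert.PrivateKey.CspKeyContainerInfo
} catch {
    "Private key exists but could not be opened: $($_.Exception.Message)"
    return
}
"Provider   : $($info.ProviderName)"
"Exportable : $($info.Exportable)"

# ACL of this one key file, instead of widening rights on the whole folder.
$keyFile = Join-Path 'C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys' $info.UniqueKeyContainerName
if (Test-Path $keyFile) {
    (Get-Acl $keyFile).Access | Format-Table IdentityReference, FileSystemRights -AutoSize
}

# Export to PKCS#12 (.p12/.pfx) only when the key was created exportable.
if ($info.Exportable) {
    $pw    = Read-Host 'PFX password' -AsSecureString
    $pfx   = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
    $bytes = $cert.Export($pfx, $pw)
    [System.IO.File]::WriteAllBytes('C:\Certificates\exchange2007.p12', $bytes)   # hypothetical file name
}
```

The resulting file carries the private key, so it should be removed from the server and any transfer media once it has been imported on the phone.
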

All answers

  • Thanks for the article. When I try to create the certificate through Exchange PowerShell:

    New-ExchangeCertificate -DomainName mail.domainname.com -SubjectName "c=en,o=Company name, cn=mail.domainname.com" -PrivateKeyExportable:$True -GenerateRequest:$True -Path "C:\Certificates\CertRequest.req"

     

    I get this error:

     

    New-ExchangeCertificate : Either you cannot overwrite the output file C:\Certificates\CertRequest.req because it is set to read-only or you have insufficient permissions to create this certificate request.
    At line:1 char:24
    + New-ExchangeCertificate  <<<< -DomainName mail.domainname.com -SubjectName "c=en,
    o=Company name, cn=mail.domainname.com" -PrivateKeyExportable:$True -GenerateRequest:$True -Path "C:\Certificates\CertRequest.req"

     

    I tried to resolve it & found this article: http://forums.msexchange.org/m_1800484576/printable.htm

    But it didn't work for me.

     

    In Windows 2008 I have only

    C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

    C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys

    C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys

     

    I gave full control to my user (which is enterprise & exchange admin), administrators & network service.

    I also gave full control to folder C:\Certificates & didn't forget to change the setting from "this folder only" to "this folder, subfolders and files" for all folders above. Deleted empty CertRequest.req in C:\Certificates.

     

    And get the same error!!! :((( Can someone tell me, what should I do to fix it? Or maybe it can be done somehow from the gui?

     

    By the way, I noticed that all folders are marked read only, but files in there are not. When I uncheck read only and press ok & open properties of folder again it's read only again! :( I'm close to givin' it up!!!!!!!!!!!!! :((((((((((((((((

    23 October 2008 11:05