Solved

thumbprint for certificate in Exchange 2007

Posted on 2009-02-12
Last Modified: 2012-05-06
I forgot to copy the thumbprint when the certificate request was created.  Unfortunately, we've been doing the request a couple of times because GoDaddy was asking to correct the information here and there.

So now when I run the Get-ExchangeCertificate cmdlet I get 5 thumbprints.  I don't know which one to pick to complete the process.  Will the last certificate request be displayed at the top?

Thanks
0
Question by:quadrumane
11 Comments
 
LVL 3

Expert Comment

by:RandyReichert
ID: 23624061
Go into the certificates snap-in and look at the properties of each certificate. You can view the thumbprint in the properties. You can also see other properties that will help you in determining which is the certificate that is the appropriate one, such as: expiration/creation date, SAN info, etc...
0
 

Author Comment

by:quadrumane
ID: 23624465
Thanks, but the certificate is not installed, I only have the certificate request done.  So the only visible certificate is the default Exchange certificate (and this one will be removed once the GoDaddy SAN certificate is installed).
0
 
LVL 3

Assisted Solution

by:RandyReichert
RandyReichert earned 400 total points
ID: 23624492
Sorry, I guess I didn't read all the way to the end of your comment. I did a Get-ExchangeCertificate and the one at the top of the list is the one that is my current certificate. Hope that helps.
0
 
LVL 65

Accepted Solution

by:
Mestha earned 1600 total points
ID: 23625202
If you have not completed the request then I don't think the certificate will show in Get-ExchangeCertificate.
Have you received the response from GoDaddy? If so then just run the import command.

Import-ExchangeCertificate -Path c:\SSL\result.pfx

(where the certificate result is in C:\SSL and is called result.pfx)

Once that has been done then it should be listed.

-M
0
 

Author Comment

by:quadrumane
ID: 23627262
Yes I've got the answer and I got the SAN certificate.  I used Import-ExchangeCertificate to import the certificate.  But now when I try to enable the services I get an error:

[PS] C:\Windows\System32>Enable-ExchangeCertificate -Thumbprint 86E6956244F7D10B
89FC0C2472766FE8CA3CF938 -Services "SMTP, IIS"
Enable-ExchangeCertificate : Service is not installed.
Parameter name: Services
At line:1 char:27
+ Enable-ExchangeCertificate  <<<< -Thumbprint 86E6956244F7D10B89FC0C2472766FE8
CA3CF938 -Services "SMTP, IIS"

The first time I tried to enable, I selected all services (IIS, SMTP, POP, IMAP), but as I don't need POP and IMAP I tried to run the cmdlet with IIS and SMTP only from the CAS server where the certificate is now installed, as you can see here (I replaced some information in this post for confidentiality purposes):

[PS] C:\Windows\System32>get-exchangecertificate

Thumbprint                                Services   Subject
----------                                --------   -------
86E6956244F7D10B89FC0C2472766FE8CA3CF938  IP...      CN=XXX, O=XXX...
FE6184E5F9E24AB2E723F67FB535DEE77F66B969  .....      C=CA, L=XXX S=XXX...
45C785DCD7279D8796C8E8D1A976556D3884CF03  .....      C=Canada, L=XXX, S...
E9D8664CF887E2187D2300582C13178B23BF169C  .....      C=CA, L=XXX S=XXX...
AAB0B8F031A49C27362F678513464E0E58544F85  .....      C=CA, L=XXX, S=XXX...

It seems that IMAP and POP have been enabled, but this is not what I want of course.

Thanks
0
 

Author Comment

by:quadrumane
ID: 23627379
Ok I can enable IIS but not SMTP.  The SMTP service is not installed on this server (each role is on a different server).  I guess this is why it can be enabled.  If it's true, I don't understand why everywhere (books, blogs, Microsoft) there is no reference regarding this limitation.

Or maybe I'm just confused... ?

Thanks
0
 
LVL 65

Assisted Solution

by:Mestha
Mestha earned 1600 total points
ID: 23627502
Most books, blogs etc. were probably done using a test system with all roles installed on the same server. If the server doesn't have Hub Transport then there is no SMTP service, so you cannot enable it. Alas, certificates seem to be brushed over in most blogs, books etc., which is probably why my article is so popular.
http://www.sembee.co.uk/archive/2008/05/30/78.aspx

It would seem from the list that you haven't enabled IIS, the I is for IMAP. If IIS was enabled then W would be in the list.

-M
0
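
The role limitation and the Services letters discussed above, as an added example that is not part of the original thread. It assumes the Services column is read left to right as I, P, U, W, S (the thread confirms I = IMAP, P = POP and W = IIS), and that checking for the Windows service behind each Exchange service is an adequate test of whether the role is installed; the function names are made up for this example.

```powershell
# Added example (not from the thread). Function names are hypothetical.
# Assumed column order of the Services flags: I P U W S
$flagNames = 'IMAP', 'POP', 'UM', 'IIS', 'SMTP'

function ConvertFrom-ServiceFlags([string]$Flags) {
    # A dot in a position means that service is not bound to the certificate.
    $chars = $Flags.ToCharArray()
    for ($i = 0; $i -lt $chars.Length -and $i -lt $flagNames.Length; $i++) {
        if ($chars[$i] -ne '.') { $flagNames[$i] }
    }
}

# Assumption: the Windows service that must exist locally before the
# matching Exchange service can be bound to a certificate.
$backingService = @{
    IIS  = 'W3SVC'
    SMTP = 'MSExchangeTransport'   # present on Hub Transport / Edge only
    IMAP = 'MSExchangeIMAP4'
    POP  = 'MSExchangePOP3'
}

function Get-BindableServices([string[]]$Wanted) {
    foreach ($name in $Wanted) {
        $svc = $backingService[$name]
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { $name }
        else { Write-Warning "$name skipped: $svc is not installed on $env:COMPUTERNAME" }
    }
}

# Flag strings copied from the Get-ExchangeCertificate output in the thread.
'IP...', 'IP.W.' | ForEach-Object {
    "{0} -> {1}" -f $_, ((ConvertFrom-ServiceFlags $_) -join ', ')
}

# In the Exchange Management Shell on the server that holds the certificate:
# tell the entries apart by date, issuer and SAN list before picking one.
Get-ExchangeCertificate | Sort-Object NotBefore -Descending |
    Format-List Thumbprint, NotBefore, NotAfter, Issuer, IsSelfSigned, CertificateDomains, Services

# Enable only the services this role can actually host.
$thumb    = '86E6956244F7D10B89FC0C2472766FE8CA3CF938'   # thumbprint from the thread
$services = (Get-BindableServices 'IIS', 'SMTP') -join ', '
if ($services) { Enable-ExchangeCertificate -Thumbprint $thumb -Services $services }
```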
 

Author Comment

by:quadrumane
ID: 23627725
Yes IIS is enabled I just haven't sent the snapshot yet.  

86E6956244F7D10B89FC0C2472766FE8CA3CF938  IP.W.      CN=XXX, O=XXX...

I don't see anything about this problem in your article, but it addresses quite a few other issues.  Maybe you should add a topic on how to enable SMTP or any other services on the other server roles.  As far as I understand, I have to install the certificate on the SMTP server to enable the service.  But having SMTP is not required as far as I know in the SAN.  In every article and book I read, all the Subject Alternative Names I've seen concern the CAS server, along with the hostname, domain name and autodiscover.

Thanks
0
 
LVL 65

Expert Comment

by:Mestha
ID: 23627791
I can count on one hand the number of deployments I have done where the roles have been separated. I compare it to the relatively low use of the frontend/backend scenario. Most deployments are a single server. My blog posting is aimed at those with a single server, because those deploying the more complex environments do not seem to need the assistance. I have been working with Exchange 2007 since release (before release when I was on an NDA) and this is the first question I can remember about certificates on the separate roles.

-M
0
 

Author Comment

by:quadrumane
ID: 23627957
There is always a first time for everything, including asking a question about the certificates on the separate roles ;+)

We're working on a new forest.  This forest is not yet in production.  The environment is not that complex:
SITE A
2 HUB
2 CAS IN NLB
2 MAILBOX (SCR)

SITE B
1 EDGE
1 HUB
1 CAS
1 MAILBOX

3 ESX and 3 iSCSI SAN

I think we're sitting between complex and less complex environments.  We don't have any cluster, but resilience.  

Thanks



0
 
LVL 65

Expert Comment

by:Mestha
ID: 23628406
Anything above a single server could probably be considered complex for many people. Particularly now we have an SBS version with Exchange 2007.

-M
0
