• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1576
  • Last Modified:

Still struggling with installing Basic SSL cert on Exchange 2007

I had asked a previous question of Mestha about this issue.  I had to go ahead and close the post and award points because I was running out of time and didn't have time to fully go through his walkthrough and test everything.

However, I have finally found a little bit of breathing room to sit down and start testing some of this.  Here is where I am at currently.

I had received the Basic SSL cert (and 3 others: AddTrustExternalCARoot.crt, etc.) from a 3rd party a few weeks ago, but done nothing with the certs... just put them in a folder on the hard drive.  After reading through Mestha's walkthrough, I got to the point (Step 3) of importing the cert into IIS.  This is what I have done so far... I opened PowerShell and ran the command Import-ExchangeCertificate -Path "examplecertificate.crt"
After typing in this command, I correctly received a thumbprint, with nothing listed under Services, and the correct Subject.

However, after that I tried running the command Enable-ExchangeCertificate <thumbprint> -Services: "IIS"
I receive the following error:

Enable-ExchangeCertificate : The certificate with thumbprint #################### was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate  <<<< ##################### -Services: "IIS"

I am all kinds of lost at installing this Basic Cert.  All I need is to have OWA protected.  Any advice?
Thanks.
0
Asked: david_greer
2 Solutions
 
Rajith EnchiparambilOffice 365 & Exchange ArchitectCommented:
As the error message says, the private key is missing. Did you request the cert using iis?
As this is Exchange 2007, you do not use IIS to request and process the SSL request. It needs to be done through the Exchange Management Shell.

You really need a SAN/UC certificate, not a single name certificate for Exchange to work correctly.
0
 
david_greerAuthor Commented:
Okay, let me go back a little bit in time.  This certificate was not requested through IIS or PS.  We went to Network Solutions, filled out the information for a Basic SSL, paid and received a link about 3 days later that the cert was ready to download.  After that, we just went to their website, logged in and downloaded the certs to the server.  This may be where a lot of our problems are stemming from.  There was never a .cer request file involved.  If we start this over from scratch requesting to reissue the cert (doing it the correct way through PS), they will not have to charge us again will they?  We purchased the cert for 4 years to autorenew.

Also, regarding the SAN/UC... I understand why many people are telling me that I need this.  However, the only service we will be using is OWA.  We will not be using Outlook Anywhere, ActiveSync, and we have very few clients running Outlook 2007.  Is it not acceptable to run a basic cert under these circumstances?
0
 
david_greerAuthor Commented:
Okay.  This is getting very frustrating.  I'm sure it doesn't help that I do not have a background using security certificates, but I called up the hosting provider, and told them the situation (again).  They said that I needed to have the certificate re-issued.  I clicked on their link to reissue, and filled out the same information that I did last time and submitted on their site.  However, this still leaves me curious about the .csr request that I have made on my server through PowerShell.  Is filling out the form on their site for the certificate the same as generating a .csr on the server?
I'm beyond confused and ready to pull my hair out.  And it doesn't help that they do not know anything about Exchange 2007... they keep referring back to IIS, even though I have tried to explain to them that Exchange 2007 doesn't use IIS anymore for certificate requests and installs, that it uses PowerShell.  The 2 tech reps I have talked to so far do not even know what PowerShell is.
0
 
david_greerAuthor Commented:
Just wanted to throw this in here...
I went to PowerShell and ran this command: Get-ExchangeCertificate | List
and received the following:

----trimmed down------

HasPrivateKey:True
IsSelfSigned:True
PublicKeySize:2048
RootCAType:Unknown
Services:None
Status:Invalid
0
 
Rajith EnchiparambilOffice 365 & Exchange ArchitectCommented:
OK! First of all, let me list the options for you.

1. The above certificate that you received while running Get-ExchangeCertificate | List is the one that Exchange server generates as part of the installation. It is not trusted by any browsers. But, you can still use it, if you are only using it for OWA. You will get an error message when you use it, saying that the security certificate is not valid and is not safe to continue. But, you will have a link to "Continue anyway" and you can use OWA.

2. The reason for using a commercial certificate, even for OWA, is that it is trusted by all major browsers and hence you won't get any certificate errors which may not look professional for your company. And most of the time non-IT staff will be confused with the error message.

3. If you still want to use your self signed cert, you need to enable it for the necessary services like smtp & iis, in your case.

4. Outlook Anywhere and ActiveSync will not work properly without a SAN/UCC certificate and is not supported by MS. Though you can make it work, it involves a hell lot of work!

5. If you only want to have a single name cert for OWA, you still need a csr. Check https://www.digicert.com/csr-creation.htm for more info.

Rajith.
0
 
Rajith EnchiparambilOffice 365 & Exchange ArchitectCommented:
Use this template from Digicert to get your Powershell command to get a CSR

https://www.digicert.com/easy-csr/exchange2007.htm  Leave subject alternative names blank if you don't want a san/ucc cert. Once you fill in all the details, it will generate a powershell command for you. Copy and run it from your exchange server (cas server, if you have many roles). Once the command is run, go to the location where the csr file is generated (it will be in the end of the powershell command that you run), open it in notepad and copy/paste in an email and send it to your company who will then issue the cert.

Rajith.
0
 
david_greerAuthor Commented:
Rajith,
Thank you for your comments and help.  Actually, I did go to digicert and used the template to create the PS commands and then ran it in PowerShell successfully.  I have saved the .csr file.  However, one thing I am confused on is this... I called the hosting provider and we decided to just reissue the ssl cert.  However, this is the 2nd time that when I request the certificate, nothing is ever mentioned about a .csr file (even the original very first time I requested the cert).  They have me fill out a form on their website, asking me questions about the company, friendly name on certificate, etc., and that's it.  After a little while, I receive an email confirming that the certificate is ready to download.  I'm confused... I thought I had to send them a .csr file?

Also, just to clarify my previous post about Get-ExchangeCertificate | List... I actually had 2 listings, as below:

(1)
HasPrivateKey:True
IsSelfSigned:True
PublicKeySize:2048
RootCAType:Unknown
Services:None
Status:Invalid

(2)
HasPrivateKey:True
IsSelfSigned:True
PublicKeySize:2048
RootCAType:None
Services:IMAP, POP, SMTP
Status:Valid

I only listed the 1st one in the last post,  because it is the invalid certificate.  I think the 2nd one is the actual one that Exchange generated during installation.
0
 
david_greerAuthor Commented:
Okay, I may have some insight now to what has been causing *part* of the problem anyway.  I finally got ahold of a tech rep who explained things to me and knew what he was doing.  He said that the reason we never had to provide a .csr file was because the option was chosen that they were the hosting providers, instead of another hosting provider (that makes sense now...).  He said that once we went in and reissued the certificate, and chose ANOTHER hosting provider, then the option would be available to upload the .csr file.
0
 
Rajith EnchiparambilOffice 365 & Exchange ArchitectCommented:
Oh! A setting in their request webpage??

Anyway, you are not bound to get the cert from your own hosting provider. Any company like Digicert, Comodo can issue you a cert. Digicert is very helpful, with all the built-in tools to generate a csr and request it all by using their website.

Rajith.
0
 
david_greerAuthor Commented:
Yes, it is a setting on their request page when you buy or reissue... the last question asks if they are the hosting provider or another hosting provider.  I'm almost 100% sure we chose ANOTHER hosting provider, but at any rate, they show it as being themselves.  According to the tech rep, that is why it never asked for a .csr.  Does that make sense?

Well... I guess hindsight is 20/20.  At any rate, we have already purchased through them, and paid up for 4 years, so I'm pretty much stuck having to get it working through them.  It's been a learning experience though.
0
 
david_greerAuthor Commented:
Ok, I think I am beginning to make a little bit of progress.  I was finally able for the first time to submit a .csr file to them.  This is the .csr file that I generated using PowerShell (through the digicert template).  I'm on a waiting process now for them to validate and return the certificate to me.

What will my next steps be when I receive the certificate?  Will I need to import it in through PowerShell, and if so, is there a particular syntax I need to use such as for the services, etc?  Also, will there be anything that I need to do through going into MMC - Certificates?
0
 
Rajith EnchiparambilOffice 365 & Exchange ArchitectCommented:
You need to use Powershell to import it.

import-exchangecertificate -path c:\....

Run get-exchangecertificate and copy the thumbprint, which needs to be used in the next command.

enable-exchangecertificate -thumbprint <thumbprint> -services "IIS,SMTP,POP,IMAP"

It will ask you as to whether you want to overwrite the default certificate. Say Yes.
0
 
david_greerAuthor Commented:
Okay, update this morning.  I received an email over the weekend saying that the reissued certificate was ready to download.  This morning, I went to the website and downloaded the .zip file containing the different .crt files to the C: directory.

I then proceeded to run the following command:
Import-ExchangeCertificate -Path (Path to certificate .crt file)
I then received output that it evidently imported, but showed all dots for Services.

I then copied the thumbprint I received from that output, and then proceeded to run the following command:
Enable-ExchangeCertificate -thumbprint ####################### -Services IIS

and now, I am receiving the same error output:
Enable-ExchangeCertificate : The certificate with thumbprint ################was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).

Am I missing something?
0
 
david_greerAuthor Commented:
I found this article while researching my error
http://technet.microsoft.com/en-us/library/cc535024.aspx

So, when trying the above steps, the certutil gives me back the following error:

CertUtil: -repairstore command FAILED: 0x8010001d (-2146435043)
CertUtil: The Smart card resource manager is not running.

I'm completely lost
0
 
david_greerAuthor Commented:
Okay, I have noticed one thing...

When I run Get-ExchangeCertificate... I have 2 thumbprints that show up... however, neither one is the thumbprint of the cert that I originally imported this morning.

When I ran the Import-ExchangeCertificate this morning, I did not get any errors on the command, and it gave me the resulting thumbprint with all dots for services.  However, this particular thumbprint does not show up when I run the command Get-ExchangeCertificate.

Any ideas?  Do I need to be doing anything through MMC in the certificate snap-in?  Should anything be listed there under Personal certificates?
0
 
david_greerAuthor Commented:
Have you abandoned me Rajith?  
I went ahead and re-issued the certificate again this morning, as doing a little deeper digging in this, I do not think the key sizes matched (the .csr was 2048; but the certificate was 1024)
I also deleted the old .csr request from the MMC snap-in - Certificate Enrollment Request folder.  When I ran the New-ExchangeCertificate command, it automatically created a new request in the MMC snap-in Certificate Enrollment Request folder.  However, I'm just curious... should this new csr in the snapin, when I look at the General tab, say "The integrity of this certificate cannot be guaranteed.  The certificate may be corrupted or may have been altered."?
0
 
david_greerAuthor Commented:
Okay.  I figured this out.  The key sizes weren't matching all along.  That is what was causing the error.  When I generated the csr through digicert, it was 2048.  However, when they sent me the certificate, it was 1024.  When I changed the csr to match the 1024, everything worked like a charm.  I should have thought to look at this earlier.
0
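The root cause in this thread (the issued certificate no longer matched the pending CSR, so Exchange could not bind a private key) can be caught before running Enable-ExchangeCertificate. The script below is an added example, not code from the thread, Microsoft or Digicert; it assumes the downloaded certificate sits at C:\certs\owa.crt (placeholder path) and that the CSR was generated with New-ExchangeCertificate -GenerateRequest on the same server, which leaves the private key in the local machine's Certificate Enrollment Requests (REQUEST) store.

```powershell
# Added example: verify the issued .crt matches a pending request before importing/enabling.
param(
    [string]$CertPath = 'C:\certs\owa.crt'   # placeholder path, change to the downloaded .crt
)

$x509 = 'System.Security.Cryptography.X509Certificates'

# Load the issued certificate from disk; this does not touch any store yet.
$issued = New-Object "$x509.X509Certificate2" $CertPath
$issuedKey  = [Convert]::ToBase64String($issued.GetPublicKey())
$issuedBits = $issued.PublicKey.Key.KeySize

# Pending CSRs (what MMC shows as "Certificate Enrollment Requests") live in the
# LocalMachine REQUEST store together with their private keys.
$store = New-Object "$x509.X509Store" 'REQUEST', ([type]"$x509.StoreLocation")::LocalMachine
$store.Open(([type]"$x509.OpenFlags")::ReadOnly)
$pending = @($store.Certificates | Where-Object { $_.HasPrivateKey })
$store.Close()

# The CA must have signed exactly the public key from the CSR; compare the raw key bytes.
# A 1024-bit cert against a 2048-bit request (the mismatch seen above) fails this test.
$match = @($pending | Where-Object { [Convert]::ToBase64String($_.GetPublicKey()) -eq $issuedKey })

if ($match.Count -eq 0) {
    $pendingBits = @($pending | ForEach-Object { $_.PublicKey.Key.KeySize })
    Write-Host "No pending request matches this certificate's public key."
    Write-Host "Issued key size: $issuedBits bits; pending request key size(s): $([string]::Join(',', $pendingBits))"
    Write-Host "Enable-ExchangeCertificate would report PrivateKeyMissing. Have the cert reissued from the current CSR."
    return
}

# Public keys match, so Import-ExchangeCertificate will pair the cert with its private key.
$imported = Import-ExchangeCertificate -Path $CertPath
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

if ($cert.HasPrivateKey) {
    # Only OWA is needed here, so bind the certificate to IIS alone.
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
    Write-Host "Enabled $($cert.Thumbprint) for IIS (subject: $($cert.Subject))."
} else {
    Write-Host "Imported, but HasPrivateKey is still False; check the REQUEST store and the certutil -repairstore guidance above."
}
```

Run it from the Exchange Management Shell on the CAS server, since Import-ExchangeCertificate and Enable-ExchangeCertificate only exist there.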
