  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4844

Self-Signing an Exchange 2010 certificate with a local ADS CA

I have an Exchange 2010 server. Please don't start with the "buy a request" because that is in the process with GoDaddy; it just has to go through lots of hoops with authorization, and I need to test building a certificate, etc. This is being done as a temporary measure and to see if I need a UCC certificate because the server has a name of "exchsrv1" but the server itself has a CNAME and has been told to answer requests as "Exchange". I want to create just an "Exchange" certificate.

Anyways, I go through the Exchange Management Console and I complete an Exchange SSL Certificate Request and it spits out this nice .req file. Let's call it exchange.req.

I take this file over to my Domain controller that is running the CA. I then run "certreq" and specify that file I created "Exchange.req". Then it almost immediately pops out:

Certificate Request Processor: ASN1 bad tag value met. 0x8009310b (ASN: 267)

And fails.

My limited research online has not shown any steps to create a .cer out of a .req for an Exchange certificate, and various certificates appear to need multiple types of processing.

Can someone help me?
Thanks
David




0
Asked by: umasscscf
1 Solution
 
shauncroucher commented:
I've written an article for this exact scenario for Exchange 2007. I suspect the process will be the same for 2010.

You may find some of the info helpful, see if you still get the same error with the routine from my instructions?

http://exchangeshell.wordpress.com/2009/09/20/create-ucc-san-private-ca-issued-certificate-to-replace-self-signed-certificate-exchange-2007

Shaun
0
 
Glen Knight commented:
OK, I won't go down the GoDaddy route because that's in process.

I would however recommend a read of the solution here: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23824495.html

I know it's not directly answering your question but it might help.

Also the names you should be entering in your SAN certificate are:

autodiscover.domainname.com (used by Outlook 2007 for free/busy, OAB to name just 3) you will also need to create the A record in your external DNS
owa.domainname.com (your owa URL)
servername.domainname.local (FQDN of your server)
SERVERNAME (NETBIOS name of your server or i guess you could use your CNAME)

Whilst the autodiscover can be circumvented if you won't be using Outlook Anywhere, for $60 per year for a SAN/UCC certificate it's not worth messing around.
0
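The steps discussed in this thread (generate the request on the Exchange server, submit the .req to the internal AD CS CA with certreq, then import and enable the issued .cer) as one scripted flow using the SAN names Glen lists above. This is an added example, not code from the thread or from Microsoft's documentation; it is meant to be run from the Exchange Management Shell on the Exchange 2010 server. The domain `domainname.com`, the host `exchsrv1`, the CA config string `DC01.domainname.local\domainname-DC01-CA`, the `WebServer` template name and the file paths are placeholders you must replace with your own values.

```powershell
# Added example (not from the thread): request, issue, import and verify an
# Exchange 2010 SAN certificate against an internal AD CS CA.
# Placeholders: domainname.com, exchsrv1, the CA config string, the template
# name and the C:\certs paths.  Run from the Exchange Management Shell.

$ErrorActionPreference = 'Stop'

$ReqPath = 'C:\certs\exchange.req'
$CerPath = 'C:\certs\exchange.cer'
New-Item -ItemType Directory -Path (Split-Path $ReqPath) -Force | Out-Null

# 1. Subject alternative names, following the list in Glen's comment.
$Names = @(
    'exchange.domainname.com',       # the CNAME the server answers to
    'autodiscover.domainname.com',   # Outlook 2007+ free/busy, OAB, ...
    'owa.domainname.com',            # OWA URL
    'exchsrv1.domainname.local',     # FQDN of the server
    'exchsrv1'                       # NetBIOS name
)

# 2. Generate the request on Exchange itself so the private key is created in
#    the local machine store; the cmdlet returns the base64 PKCS#10 text.
$Req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$($Names[0]),O=Domainname,C=US" `
    -DomainName $Names `
    -PrivateKeyExportable $true

# 3. Save it as plain ASCII text.  This is the step the asker had to work out:
#    the request must land in a file, and a UTF-16 file is not a valid request.
Set-Content -Path $ReqPath -Value $Req -Encoding Ascii

# 4. Submit to the enterprise CA, asking for the WebServer template.
#    Find the exact "host\CA name" string with: certutil -dump
certreq -submit -config 'DC01.domainname.local\domainname-DC01-CA' `
    -attrib 'CertificateTemplate:WebServer' $ReqPath $CerPath
if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }
if (-not (Test-Path $CerPath)) {
    throw "No certificate written; if the CA reported the request as pending, approve it and run: certreq -retrieve <RequestId> $CerPath"
}

# 5. Import the issued certificate (it pairs with the pending request and its
#    private key) and enable it for the services that need it.
$Bytes = [byte[]](Get-Content -Path $CerPath -Encoding Byte -ReadCount 0)
$Cert  = Import-ExchangeCertificate -FileData $Bytes
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services IIS,SMTP

# 6. Verify that every requested name is actually in the issued certificate.
$Issued  = Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint
$Domains = @($Issued.CertificateDomains | ForEach-Object { $_.ToString() })
$Missing = @($Names | Where-Object { $Domains -notcontains $_ })
if ($Missing.Count -gt 0) {
    Write-Warning "SANs missing from issued certificate: $($Missing -join ', ')"
} else {
    Write-Host "OK: $($Issued.Subject) covers all $($Names.Count) names; services: $($Issued.Services)"
}
```

The check in step 6 is worth keeping even for a temporary internal certificate: an enterprise CA template can silently drop or rewrite the subject alternative names, and a certificate that lacks the autodiscover or OWA name will produce client warnings that look like an unrelated problem.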
 
umasscscf (Author) commented:
Your document was excellent.  A slight caveat.  I had to go to the Exchange 2010 CSR creation tool page, which is:
https://www.digicert.com/easy-csr/exchange2010.htm

After using that tool, copying the key (which is output as text, you can't save it to a file any longer), and then saving the key, I was able to create the certificate.

David
0
 
umasscscf (Author) commented:
You need the exchange 2010 CSR creator page, which is : https://www.digicert.com/easy-csr/exchange2010.htm

Then know to save the certificate output to a file and then to run certreq on that.

Otherwise the solution was excellent!
0
 
shauncroucher commented:
Glad I could help,

Shaun
0
