Self-signing an Exchange 2010 certificate with a local ADS CA

Posted on 2010-01-08
Last Modified: 2012-06-22
I have an Exchange 2010 server. Please don't start with the "buy a certificate" because that is in process with GoDaddy; it just has to go through lots of hoops with authorization, and I need to test building a certificate, etc. This is being done as a temporary measure and to see if I need a UCC certificate, because the server has a name of "exchsrv1" but the server itself has a CNAME and has been told to answer requests as "Exchange". I want to create just an "Exchange" certificate.

Anyway, I go through the Exchange Management Console and I complete an Exchange SSL Certificate Request and it spits out this nice .req file. Let's call it exchange.req.

I take this file over to my domain controller that is running the CA. I then run "certreq" and specify the file I created, "Exchange.req". Then it almost immediately pops out:

Certificate Request Processor: ASN1 bad tag value met. 0x8009310b (ASN: 267)

And fails.

My limited research online has not shown any steps to create a .cer out of a .req for an Exchange certificate, and various certificates appear to need multiple types of processing.

Can someone help me?

Question by: umasscscf
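As an added example (not part of the original thread or of any Exchange or Windows tool): certreq reports "ASN1 bad tag value met" whenever the bytes it reads do not start with a DER SEQUENCE tag, and a frequent reason is that the request text was saved as Unicode (UTF-16) or was pasted incompletely rather than the CSR itself being wrong. That this is what happened to the poster is an assumption; the script below simply checks a .req file for those conditions before it is submitted. The names `check_request_file`, `build_sample`, `decode_text`, `der_length` and `SAMPLE_DER` are mine, and `SAMPLE_DER` is a constructed stand-in, not a real PKCS#10 request.

```python
"""Sanity-check a PEM-encoded certificate request (.req) before handing it to certreq.

Added example; it assumes the request is a base64 PKCS#10 block between
BEGIN/END CERTIFICATE REQUEST lines, which is what Exchange's request
tools emit. The sample DER used below is a constructed stand-in, not a real CSR.
"""
import base64
import codecs
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.S,
)

# Constructed stand-in for a PKCS#10 body: SEQUENCE { INTEGER 0, SET { } }.
# It is DER-valid at the outer level, which is all this checker looks at.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x00, 0x31, 0x00])


def decode_text(raw):
    """Decode the file bytes, reporting the encoding actually found."""
    if raw.startswith(codecs.BOM_UTF16_LE) or raw.startswith(codecs.BOM_UTF16_BE):
        return raw.decode("utf-16"), "utf-16"          # BOM-marked Unicode text
    if raw.startswith(codecs.BOM_UTF8):
        return raw.decode("utf-8-sig"), "utf-8"
    if b"\x00" in raw[:64]:                            # NULs between ASCII chars: BOM-less UTF-16
        endian = "utf-16-le" if raw[1:2] == b"\x00" else "utf-16-be"
        return raw.decode(endian), "utf-16"
    return raw.decode("utf-8"), "utf-8"


def der_length(buf, pos):
    """Parse the DER length field at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def check_request_file(raw):
    """Return a list of problems found; an empty list means certreq should parse it."""
    problems = []
    try:
        text, enc = decode_text(raw)
    except UnicodeDecodeError:
        return ["file is not valid text in any supported encoding"]
    if enc == "utf-16":
        problems.append("file is UTF-16 (Unicode) text; save the request as ASCII/raw bytes instead")
    match = PEM_RE.search(text)
    if not match:
        problems.append("no BEGIN/END CERTIFICATE REQUEST block found")
        return problems
    body = "".join(match.group(1).split())               # drop line breaks and spaces
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:                             # binascii.Error subclasses ValueError
        problems.append("base64 body is not decodable: %s" % exc)
        return problems
    if not der or der[0] != 0x30:
        problems.append("decoded data does not start with an ASN.1 SEQUENCE tag (0x30)")
        return problems
    try:
        length, start = der_length(der, 1)
    except (IndexError, ValueError):
        problems.append("outer SEQUENCE length field is malformed")
        return problems
    if start + length != len(der):
        problems.append("outer SEQUENCE declares %d bytes but %d are present (truncated or padded copy/paste)"
                        % (start + length, len(der)))
    return problems


def build_sample(encoding="utf-8", der=SAMPLE_DER):
    """Build a constructed .req file image in the given text encoding (for testing)."""
    pem = ("-----BEGIN NEW CERTIFICATE REQUEST-----\r\n"
           + base64.b64encode(der).decode("ascii")
           + "\r\n-----END NEW CERTIFICATE REQUEST-----\r\n")
    return pem.encode(encoding)


if __name__ == "__main__":
    # With a path argument, check that file; otherwise show the UTF-16 case on the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample("utf-16")
    for problem in check_request_file(data) or ["request file looks well-formed"]:
        print(problem)
```

Run it as `python check_req.py exchange.req` on the file before copying it to the CA; an empty problem list means the text is plain ASCII, the base64 decodes, and the outer SEQUENCE length matches the bytes present, which are the three things a paste-or-save mistake most often breaks. It deliberately does not validate the inner PKCS#10 fields; that is the CA's job.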
    LVL 27

    Accepted Solution

    I've written an article for this exact scenario for Exchange 2007. I suspect the process will be the same for 2010.

    You may find some of the info helpful, see if you still get the same error with the routine from my instructions?

    LVL 74

    Expert Comment

    by:Glen Knight
    OK, I won't go down the GoDaddy route because that's in process.

    I would however recommend a read of the solution here:

    I know it's not directly answering your question, but it might help.

    Also, the names you should be entering in your SAN certificate are (used by Outlook 2007 for free/busy, OAB, to name just 3; you will also need to create the A record in your external DNS, your OWA URL):
    servername.domainname.local (FQDN of your server)
    SERVERNAME (NETBIOS name of your server, or I guess you could use your CNAME)

    Whilst the autodiscover can be circumvented if you won't be using Outlook Anywhere, for $60 per year for a SAN/UCC certificate it's not worth messing around.

    Author Comment

    Your document was excellent. A slight caveat: I had to go to the Exchange 2010 CSR creation tool page, which is:

    After using that tool, copying the key (which is output as text, you can't save it to a file any longer), and then saving the key, I was able to create the certificate.


    Author Closing Comment

    You need the Exchange 2010 CSR creator page, which is:

    Then know to save the certificate output to a file and then to run certreq on that.

    Otherwise the solution was excellent!
    LVL 27

    Expert Comment

    Glad I could help,

