Solved

Exchange 2007 Powershell command for SAN Certiifcate Request Generation

Posted on 2010-09-07
14
409 Views
Last Modified: 2012-05-10
Hi Guys,
We are working on to get a new Verisign SAN Certificate for one of our exchange servers in one of our domain.
Need to verify something related to generating a SAN certificate.

We are using this command to generate the request file, where in we are including the SANs.

New-ExchangeCertificate -GenerateRequest:$true -DomainName eurmail.domain.com, eur-htr1.eur.domain.com, eur-htr2.eur.domain.com, eur-htr.eur.domain.com, Autodiscover.domain.com -PrivateKeyExportable:$true –keysize 1024 –subjectname “c=US o=XYZ Inc, CN=eurmail.domain.com” –Friendlyname eurmail.domain.com -Path C:\certnew.req

Now the command runs fine and the request file is getting generated. The confusion we have is when we run the Get-ExchangeCertificate | fl command we get the following output

Along with my existing internal cert details, I am getting this :

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {eurmail.domain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=eurmail.domain.com, O=XYZ Inc., S=ABC, L=UYT, C=US
NotAfter           : 08.09.2011 01:42:45
NotBefore          : 07.09.2010 19:42:45
PublicKeySize      : 1024
RootCAType         : Unknown
SerialNumber       : 7xxxxx….xxxxxx….3
Services           : None
Status             : Invalid
Subject            : CN=eurmail.domain.com, O=XYZ Inc., S=ABC, L=UYT, C=US
Thumbprint         : Bxxxx….xxxxx….xxxxx….7

My only worry and cause of confusion here I sthat I am not seeing the SAN names in the CertificateDomains field.

Are we generating this certificate request correctly???
Shouldn’t the CertificateDomain show the SUN names too??

Please suggest and help.
0
Comment
Question by:amku03
14 Comments
 
LVL 32

Expert Comment

by:endital1097
ID: 33620637
you need to send the request to a 3rd party ca and then run the import-exchangecertificate cmdlet with the cert they provide
0
 
LVL 5

Expert Comment

by:duraswitch
ID: 33620675
Yes, the CertificateDomains filed, should contain all the domains.

I compared your New-ExchangeCertificate command to the one we used.  They are very similar, the only difference is that we didn't limit the keysize.  Maybe try taking that off (if you can) and also try the -force option, just to make sure you're overwriting any existing certificate request files.
0
 

Author Comment

by:amku03
ID: 33620785
Yes, i understand that we need to send this to Verisign :)

0
 

Author Comment

by:amku03
ID: 33620820
duraswitch...thanks for your input...

Isn't the key size related to the encryption stuff...etc.
can you share your command where you have used the option -Force??

Thats will be of great help!
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33620836
you won't see this certificate listed until you run the import-exchangecertificate cmdlet

yes, key size is related to encryption level which a lot of ca's are now requiring 2048
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33620931
Did you try this yet instead of trying powershell ?

www.u-btech.com/products/certificate-manager-for-exchange-2007.html
0
 

Author Comment

by:amku03
ID: 33621009
endital ... i agree that this new certificate request should not get listed unless we import it.
However after running this powershell and just for teh sake of checking certs, I am getting the details of the new requested cert...
thats where i am getting concerned and confused at the same time.

We are generating a .req file is that fine or do we need to have a .CSR file?
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 32

Expert Comment

by:endital1097
ID: 33621040
the file name can be anything
exchange won't recognize the certificate until it is imported and there is a private key assoicated with it
0
 

Author Comment

by:amku03
ID: 33621060
ok....so I am assuming that the command which we are using will include the Subject alternative names which for some reasons are not getting displayed in the CertificateDomains...

I just wanted to make sure that we are submitting the correct request with full intended information to get us a correct SAN cert.
0
 

Author Comment

by:amku03
ID: 33621087
In addition to that...i am still curious on from where is the exchange pulling in the infomation on the certificate request information ..... like this:


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {eurmail.domain.com}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=eurmail.domain.com, O=XYZ Inc., S=ABC, L=UYT, C=US
NotAfter           : 08.09.2011 01:42:45
NotBefore          : 07.09.2010 19:42:45
PublicKeySize      : 1024
RootCAType         : Unknown
SerialNumber       : 7xxxxx….xxxxxx….3
Services           : None
Status             : Invalid
Subject            : CN=eurmail.domain.com, O=XYZ Inc., S=ABC, L=UYT, C=US
Thumbprint         : Bxxxx….xxxxx….xxxxx….7
0
 
LVL 32

Accepted Solution

by:
endital1097 earned 500 total points
ID: 33621093
yes, your request looked good
the first domain name listed matched the subject name too (which if it doesn't can cause issues)
0
 

Author Comment

by:amku03
ID: 33621105
so the request file will have my other domain names in it which eventually are not showing in here...
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33621176
yes, and if you were to have any issues with the certificate the ca gives you time to correct
0
 

Author Comment

by:amku03
ID: 33621203
Thanks all...
0

Featured Post

Do email signature updates give you a headache?

Constantly trying to correctly format email signatures? Spending all of your time at every user’s desk to make updates? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today!

Join & Write a Comment

Suggested Solutions

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
In this video we show how to create a Contact in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Contact ta…
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now