asked on
Exchange 2007 Powershell command for SAN Certiifcate Request Generation
Hi Guys,
We are working on to get a new Verisign SAN Certificate for one of our exchange servers in one of our domain.
Need to verify something related to generating a SAN certificate.
We are using this command to generate the request file, where in we are including the SANs.
New-ExchangeCertificate -GenerateRequest:$true -DomainName eurmail.domain.com, eur-htr1.eur.domain.com, eur-htr2.eur.domain.com, eur-htr.eur.domain.com, Autodiscover.domain.com -PrivateKeyExportable:$tru
Now the command runs fine and the request file is getting generated. The confusion we have is when we run the Get-ExchangeCertificate | fl command we get the following output
Along with my existing internal cert details, I am getting this :
AccessRules : {System.Security.AccessCon
CertificateDomains : {eurmail.domain.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=eurmail.domain.com, O=XYZ Inc., S=ABC, L=UYT, C=US
NotAfter : 08.09.2011 01:42:45
NotBefore : 07.09.2010 19:42:45
PublicKeySize : 1024
RootCAType : Unknown
SerialNumber : 7xxxxx….xxxxxx….3
Services : None
Status : Invalid
Subject : CN=eurmail.domain.com, O=XYZ Inc., S=ABC, L=UYT, C=US
Thumbprint : Bxxxx….xxxxx….xxxxx….7
My only worry and cause of confusion here I sthat I am not seeing the SAN names in the CertificateDomains field.
Are we generating this certificate request correctly???
Shouldn’t the CertificateDomain show the SUN names too??
Please suggest and help.
We are working on to get a new Verisign SAN Certificate for one of our exchange servers in one of our domain.
Need to verify something related to generating a SAN certificate.
We are using this command to generate the request file, where in we are including the SANs.
New-ExchangeCertificate -GenerateRequest:$true -DomainName eurmail.domain.com, eur-htr1.eur.domain.com, eur-htr2.eur.domain.com, eur-htr.eur.domain.com, Autodiscover.domain.com -PrivateKeyExportable:$tru
Now the command runs fine and the request file is getting generated. The confusion we have is when we run the Get-ExchangeCertificate | fl command we get the following output
Along with my existing internal cert details, I am getting this :
AccessRules : {System.Security.AccessCon
CertificateDomains : {eurmail.domain.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=eurmail.domain.com, O=XYZ Inc., S=ABC, L=UYT, C=US
NotAfter : 08.09.2011 01:42:45
NotBefore : 07.09.2010 19:42:45
PublicKeySize : 1024
RootCAType : Unknown
SerialNumber : 7xxxxx….xxxxxx….3
Services : None
Status : Invalid
Subject : CN=eurmail.domain.com, O=XYZ Inc., S=ABC, L=UYT, C=US
Thumbprint : Bxxxx….xxxxx….xxxxx….7
My only worry and cause of confusion here I sthat I am not seeing the SAN names in the CertificateDomains field.
Are we generating this certificate request correctly???
Shouldn’t the CertificateDomain show the SUN names too??
Please suggest and help.
Exchange
Last Comment
amku03
you need to send the request to a 3rd party ca and then run the import-exchangecertificate
Yes, the CertificateDomains filed, should contain all the domains.
I compared your New-ExchangeCertificate command to the one we used. They are very similar, the only difference is that we didn't limit the keysize. Maybe try taking that off (if you can) and also try the -force option, just to make sure you're overwriting any existing certificate request files.
I compared your New-ExchangeCertificate command to the one we used. They are very similar, the only difference is that we didn't limit the keysize. Maybe try taking that off (if you can) and also try the -force option, just to make sure you're overwriting any existing certificate request files.
ASKER
Yes, i understand that we need to send this to Verisign :)
ASKER
duraswitch...thanks for your input...
Isn't the key size related to the encryption stuff...etc.
can you share your command where you have used the option -Force??
Thats will be of great help!
Isn't the key size related to the encryption stuff...etc.
can you share your command where you have used the option -Force??
Thats will be of great help!
you won't see this certificate listed until you run the import-exchangecertificate
yes, key size is related to encryption level which a lot of ca's are now requiring 2048
yes, key size is related to encryption level which a lot of ca's are now requiring 2048
Did you try this yet instead of trying powershell ?
www.u-btech.com/products/certificate-manager-for-exchange-2007.html
www.u-btech.com/products/certificate-manager-for-exchange-2007.html
ASKER
endital ... i agree that this new certificate request should not get listed unless we import it.
However after running this powershell and just for teh sake of checking certs, I am getting the details of the new requested cert...
thats where i am getting concerned and confused at the same time.
We are generating a .req file is that fine or do we need to have a .CSR file?
However after running this powershell and just for teh sake of checking certs, I am getting the details of the new requested cert...
thats where i am getting concerned and confused at the same time.
We are generating a .req file is that fine or do we need to have a .CSR file?
the file name can be anything
exchange won't recognize the certificate until it is imported and there is a private key assoicated with it
exchange won't recognize the certificate until it is imported and there is a private key assoicated with it
ASKER
ok....so I am assuming that the command which we are using will include the Subject alternative names which for some reasons are not getting displayed in the CertificateDomains...
I just wanted to make sure that we are submitting the correct request with full intended information to get us a correct SAN cert.
I just wanted to make sure that we are submitting the correct request with full intended information to get us a correct SAN cert.
ASKER
In addition to that...i am still curious on from where is the exchange pulling in the infomation on the certificate request information ..... like this:
AccessRules : {System.Security.AccessCon
CertificateDomains : {eurmail.domain.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=eurmail.domain.com, O=XYZ Inc., S=ABC, L=UYT, C=US
NotAfter : 08.09.2011 01:42:45
NotBefore : 07.09.2010 19:42:45
PublicKeySize : 1024
RootCAType : Unknown
SerialNumber : 7xxxxx….xxxxxx….3
Services : None
Status : Invalid
Subject : CN=eurmail.domain.com, O=XYZ Inc., S=ABC, L=UYT, C=US
Thumbprint : Bxxxx….xxxxx….xxxxx….7
AccessRules : {System.Security.AccessCon
CertificateDomains : {eurmail.domain.com}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=eurmail.domain.com, O=XYZ Inc., S=ABC, L=UYT, C=US
NotAfter : 08.09.2011 01:42:45
NotBefore : 07.09.2010 19:42:45
PublicKeySize : 1024
RootCAType : Unknown
SerialNumber : 7xxxxx….xxxxxx….3
Services : None
Status : Invalid
Subject : CN=eurmail.domain.com, O=XYZ Inc., S=ABC, L=UYT, C=US
Thumbprint : Bxxxx….xxxxx….xxxxx….7
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
so the request file will have my other domain names in it which eventually are not showing in here...
yes, and if you were to have any issues with the certificate the ca gives you time to correct
ASKER
Thanks all...