Importing a Wildcard Cert on Exchange 2010

marrun1972
I have set up an Exchange 2010 server and I have a wildcard cert I would like to import. I have downloaded the cert from our GoDaddy account and I would now like to import it.

When I go to import the signed cert it is asking for a PFK file but that is not included from my GoDaddy download. The cert was originally created from a Linux system and then submitted to GoDaddy to be signed.

When I have installed certs on a Windows system in the past it has been fairly simple, but I have always generated the cert from the Windows system, which meant that when the cert got signed by the provider the request was waiting on the Windows server.

How do I import the signed wildcard cert without creating the request on the windows server?
You need the private key from the Linux system, the wildcard certificate (which should be in PEM format), the password for the private key, and a copy of OpenSSL (you can download OpenSSL for Windows here: http://www.slproweb.com/download/Win32OpenSSL-1_0_0c.exe).

This is the OpenSSL command you will be using. You will be prompted for the private key password before conversion:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt


Further possible OpenSSL commands:
http://expertsxchange.blogspot.com/2009/06/openssl-commands-to-convert-ssl.html


Britt Thompson, Sr. Systems Engineer
Top Expert 2009

Commented:
Why not just generate the certificate in the Exchange Management Shell if you've already purchased the certificate? Why the generation from Linux? Was it cheaper this way or something?

You should be able to export the file you need from openssl on the Linux machine but I'm still not sure if this is going to work.

Author

Commented:
Renazones - The cert was created and signed a while ago for another purpose which was hosted on a Linux server. I now want to import that same cert onto a Windows system without having to buy it again.

Author

Commented:
I will be giving the above instructions a go now and will let you know how I get on...
Britt Thompson, Sr. Systems Engineer
Top Expert 2009

Commented:
GoDaddy will allow you to rekey the cert as long as the principal name stays the same. So, you can generate your certificate request from your Exchange server and go to the GoDaddy control panel and rekey the cert for your purposes with no trouble.

Author

Commented:
OK, so maybe I haven't given you all the information. My knowledge about this stuff is nil to zero.

I have:

1. CSR file sent to GoDaddy on the original request
2. KEY file private key
3. The GoDaddy downloaded signed cert which is a CRT file...

So, I don't have a PEM. Is there a way to do this?

If no, should I create a new wildcard cert on exchange? If I do this will I be able to import into other windows servers easily?
Britt Thompson, Sr. Systems Engineer
Top Expert 2009
Commented:
Ok...you should regenerate the CSR for Exchange:

Type in the Exchange Management Shell (replacing the ALL CAPS with your info):

$Data = New-ExchangeCertificate -GenerateRequest -DomainName *.COMPANY.COM -Friendlyname *.COMPANY.COM -PrivateKeyExportable:$true

Type

Set-Content -path "C:\CERTIFICATE_REQUEST.TXT" -Value $Data 

then you'll have a new CSR. Go to GoDaddy and rekey your certificate.

then, import your certificate with this:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\YOURCERTNAME.CER -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services "POP, IMAP, IIS, SMTP" -DoNotRequireSSL

The crt file is the PEM.
Change the OpenSSL command to the following:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt
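
A scripted version of the conversion above, as an added example that is not part of the original thread: it confirms that the key and certificate belong together before exporting, and passes the PFX password through an environment variable so it stays off the command line. The variable name PFX_PASS, the function names and the self-signed *.example.test certificate are assumptions constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: check that a PEM key and certificate belong together, then
# bundle them into a password-protected PFX. File names are placeholders.

# Succeeds only when the certificate's public key equals the key's public half.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$k" = "$c" ]
}

# Builds OUT from KEY and CERT. The export password is read from $PFX_PASS
# (assumed variable name). An optional CHAIN file of CA certificates is
# added with -certfile, as in the first command on this page.
make_pfx() {  # usage: make_pfx KEY CERT OUT [CHAIN]
  key_matches_cert "$1" "$2" || { echo "key/cert mismatch or unreadable" >&2; return 1; }
  ( umask 077   # the PFX contains the private key: owner-only permissions
    openssl pkcs12 -export -inkey "$1" -in "$2" ${4:+-certfile "$4"} \
      -out "$3" -passout env:PFX_PASS )
}

# Confirms the PFX opens with $PFX_PASS and prints its certificate subject.
pfx_subject() {  # usage: pfx_subject PFX
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject
}

# Demo on constructed data: a throwaway self-signed wildcard certificate.
demo() {
  local d rc=0; d=$(mktemp -d) || return 1
  export PFX_PASS='constructed-demo-password'
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=*.example.test' \
    -keyout "$d/privateKey.key" -out "$d/certificate.crt" 2>/dev/null
  make_pfx "$d/privateKey.key" "$d/certificate.crt" "$d/certificate.pfx" &&
    pfx_subject "$d/certificate.pfx" || rc=$?
  rm -rf "$d"; return $rc
}

demo
```

PFX files written by OpenSSL 3.x use AES-256 by default, which older Windows releases can reject as a wrong password; adding `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1` to the export produces a file they accept.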

Author

Commented:
This worked:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt because it created my pfx which I could then install.

The re-key would have worked but I was nervous since the original was still being used on some Linux servers, so I will distribute the points.

Thank you both for helping me, it's greatly appreciated.

Author

Commented:
Great, really helped.
