Importing a Wildcard Cert on Exchange 2010

I have set up an Exchange 2010 server and I have a wildcard cert I would like to import. I have downloaded the cert from our GoDaddy account and I would now like to import.

When I go to import the signed cert it is asking for a PFK file but that is not included from my GoDaddy download. The cert was originally created from a Linux system and then submitted to GoDaddy to be signed.

When I have installed certs on a Windows system in the past it has been fairly simple but I have always generated the cert from the Windows system, which meant that when the cert got signed by the provider the request was waiting on the Windows server.

How do I import the signed wildcard cert without creating the request on the Windows server?

Erik Pitti Commented:
You need the private key from the Linux system, the wildcard certificate (which should be in PEM format), the password for the private key, and a copy of OpenSSL (you can download OpenSSL for Windows here:

This is the OpenSSL command you will be using. You will be prompted for the private key password before conversion:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Further possible OpenSSL commands:

Britt Thompson Sr. Systems Engineer Commented:
Why not just generate the certificate in the Exchange Management Shell if you've already purchased the certificate? Why the generation from Linux? Was it cheaper this way or something?

You should be able to export the file you need from openssl on the Linux machine but I'm still not sure if this is going to work.
marrun1972 Author Commented:
Renazones - The cert was created and signed a while ago for another purpose which was hosted on a Linux server. I now want to import that same cert onto a Windows system without having to buy it again.

marrun1972 Author Commented:
I will be giving the above instructions a go now and will let you know how I get on...
Britt Thompson Sr. Systems Engineer Commented:
GoDaddy will allow you to rekey the cert as long as the principal name stays the same. So, you can generate your certificate request from your Exchange server and go to the GoDaddy control panel and rekey the cert for your purposes with no trouble.
marrun1972 Author Commented:
OK, so maybe I haven't given you all the information. My knowledge about this stuff is nil to zero.

I have:

1. CSR file sent to GoDaddy on the original request
2. KEY file private key
3. The GoDaddy downloaded signed cert which is a CRT file...

So, I don't have a PEM. Is there a way to do this?

If no, should I create a new wildcard cert on exchange? If I do this will I be able to import into other windows servers easily?
Britt Thompson Sr. Systems Engineer Commented:
should regenerate the CSR for Exchange:

Type in the Exchange Management Shell (replacing the ALL CAPS with your info):

$Data = New-ExchangeCertificate -GenerateRequest -DomainName *.COMPANY.COM -Friendlyname *.COMPANY.COM -PrivateKeyExportable:$true

Set-Content -path "C:\CERTIFICATE_REQUEST.TXT" -Value $Data 

Then you'll have a new CSR. Go to GoDaddy and rekey your certificate.

Then, import your certificate with this:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\YOURCERTNAME.CER -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services "POP, IMAP, IIS, SMTP" -DoNotRequireSSL

Erik Pitti Commented:
The crt file is the PEM
Erik Pitti Commented:
Change the OpenSSL command to the following:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt
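
A pre-flight check for the conversion in this answer, as an added example that is not part of the original thread: it confirms that privateKey.key really belongs to certificate.crt before building the PFX, then reads the PFX back to confirm it holds that key. The function names, the `*.example.test` subject and the self-signed stand-in certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread); file names follow the thread's commands.

# PEM public key embedded in a certificate ($1).
cert_pub() { openssl x509 -in "$1" -noout -pubkey; }

# PEM public key derived from a private key ($1).
# An encrypted key makes openssl prompt for its pass phrase.
key_pub() { openssl pkey -in "$1" -pubout; }

# True only when certificate ($1) and private key ($2) share a public key.
key_matches_cert() {
    c=$(cert_pub "$1") && k=$(key_pub "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Export cert ($1) + key ($2) to a PFX ($3), but only if they match.
# $4 is an openssl pass-phrase source; prefer env:VAR or file:PATH over
# pass:..., which exposes the password in the process list.
make_pfx() {
    key_matches_cert "$1" "$2" ||
        { echo "key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -out "$3" -inkey "$2" -in "$1" -passout "$4"
}

# PEM public key of the private key stored in a PFX ($1, pass source $2).
pfx_pub() {
    openssl pkcs12 -in "$1" -passin "$2" -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout
}

# Demo on a constructed, self-signed stand-in for the CA-signed wildcard cert.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=*.example.test" -keyout "$d/privateKey.key" \
        -out "$d/certificate.crt" 2>/dev/null || { rm -rf "$d"; return 1; }
    PFX_PASS=constructed-demo-pass; export PFX_PASS
    make_pfx "$d/certificate.crt" "$d/privateKey.key" \
        "$d/certificate.pfx" env:PFX_PASS &&
        [ "$(pfx_pub "$d/certificate.pfx" env:PFX_PASS)" = \
          "$(cert_pub "$d/certificate.crt")" ] &&
        echo "PFX holds the key that matches the certificate"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

The resulting PFX carries the private key, so it needs the same handling as privateKey.key itself.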

marrun1972 Author Commented:
This worked:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt

because it created my pfx which I could then install.

The re-key would have worked but was nervous since the original was still being used on some Linux servers so will distribute the points.

Thank you both for helping me, it's greatly appreciated
marrun1972 Author Commented:
Great, really helped.