• Status: Solved

Exchange 2010 Cert Renewal problems

We have a standalone Exchange 2010 that will have its cert expire next month. Our problem is that doing the "Renew Exchange Certificate" from EMC generates a .req file that contains gibberish and is not in the acceptable format. If we do renew the certificate via IIS7, we get an acceptable format, but then pasting it onto GeoTrust's site for renewal generates an error stating that it's too long. So far I have only seen one forum with reference to this issue, but there was still no solution there (http://social.technet.microsoft.com/Forums/en-NZ/exchange2010/thread/32deccf8-17b6-444c-b523-663fd1276cd7).

Sample of gibberish .req file out of EMC:

Sample of a very long cert generated via IIS7:

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----


Your expert help is much needed as we've got only a month prior to expiry. Fire away!

Asked: AntonVQ
 
Suliman Abu Kharroub (IT Consultant) Commented:
Please use EMC to renew the certificate, not IIS.

From the server configurations tab.
0
 
Mkris9 Commented:
Or you can use EMS:

$Data = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=UK, l=YourLocalityOrCity, s=YourStateOrProvince, o=YourCompanyInc, cn=YourFirstDomain.com" -DomainName YourSecondDomain.com, YourThirdDomain.com -PrivateKeyExportable:$true

Set-Content -path "C:\your_CSR_name.csr" -Value $Data
 
0
 
AntonVQ (Author) Commented:
@Sulimanw & Mkris9 - tried those routes, still gibberish.


0
Mkris9 Commented:
In that case, I suppose you have tried this as well? http://technet.microsoft.com/en-us/library/ee332322.aspx
0
 
AntonVQ (Author) Commented:
Hi Mkris9 - yes sir. No go.
0
 
adj1984 Commented:
Has anyone discovered what to do about this? I'm having the exact same problem.
0
 
AntonVQ (Author) Commented:
Ok, can I award myself the points? hahaha

@adj1984 - here's the modified EMS command that worked for me:

New-ExchangeCertificate -Server 'SERVERNAME' -GenerateRequest -FriendlyName 'domain.com' -SubjectName 'CN=domain.com, OU=Domain Control Validated - QuickSSL(R) Premium, OU=See www.geotrust.com/resources/cps (c)10, OU=GT60867062, O=domain.com, C=SG, SERIALNUMBER=BonKThT2fPRC8tM2Phn/eZ02yT-9XqT8' -DomainName 'domain.com' -PrivateKeyExportable $true | Out-File c:\cert.txt

I got the command from EMC (you know, when you try to Renew Cert) and edited it so that -Binary is taken out of the script. Hopefully it works for you.
0
 
AntonVQ (Author) Commented:
My solution worked.
0
 
AndyARA Commented:
Just as an update, if you do use the EMC to generate your renewal, you can convert the encoded file using the command prompt.
certutil -encode requestfilename.req targetfilename.csr
0
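The two fixes in this thread (dropping -Binary from the EMC command, or running certutil -encode on the .req file) both end with the request as Base64 text rather than binary (DER) bytes. As an added example, not code from any poster or from Microsoft, the PowerShell function below checks which form a request is in and returns the Base64 form; the function name, sample bytes and file paths are assumptions.

```powershell
# Added example: normalise a certificate request to Base64 (PEM) text.
# Uses only syntax available in PowerShell 2.0, as shipped with Exchange 2010 hosts.
function ConvertTo-PemRequest {
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)

    $header = '-----BEGIN NEW CERTIFICATE REQUEST-----'
    $footer = '-----END NEW CERTIFICATE REQUEST-----'

    # Out-File in Windows PowerShell writes UTF-16LE with a BOM (FF FE) by default,
    # so a request that was piped to Out-File is text even though it is not ASCII.
    $text = if ($Bytes.Length -ge 2 -and $Bytes[0] -eq 0xFF -and $Bytes[1] -eq 0xFE) {
        [System.Text.Encoding]::Unicode.GetString($Bytes, 2, $Bytes.Length - 2)
    } else {
        [System.Text.Encoding]::ASCII.GetString($Bytes)
    }

    # Already Base64 text: return it unchanged apart from surrounding whitespace.
    if ($text.TrimStart() -match '^-----BEGIN [A-Z ]*CERTIFICATE REQUEST-----') {
        return $text.Trim()
    }

    # A DER-encoded PKCS#10 request is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if ($Bytes[0] -ne 0x30) {
        throw 'Input is neither PEM text nor DER (no leading 0x30 SEQUENCE tag).'
    }

    # Binary request: Base64-encode it with line breaks and add the header/footer.
    $b64 = [System.Convert]::ToBase64String(
        $Bytes, [System.Base64FormattingOptions]::InsertLineBreaks)
    return ($header, $b64, $footer) -join "`r`n"
}

# Constructed sample input: a DER-style header plus filler bytes, not a real request.
[byte[]]$sampleDer = 0x30, 0x82, 0x00, 0x04, 0x01, 0x02, 0x03, 0x04
ConvertTo-PemRequest -Bytes $sampleDer

# File usage (both paths are placeholders):
# $pem = ConvertTo-PemRequest -Bytes ([System.IO.File]::ReadAllBytes('C:\request.req'))
# Set-Content -Path 'C:\request.csr' -Value $pem -Encoding Ascii
```

Open the resulting file in a text editor before pasting it into the CA's form: it should contain only the header line, Base64 lines and the footer line.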
