Exporting SSL certificate from Exchange 2007

I need to export an Exchange certificate in order to use it on another machine.  The certificate is from GoDaddy.  I cannot export the current one because apparently it is not exportable.  So from research, it appears I have to generate a new Exchange certificate, correct?

I found this:
http://technet.microsoft.com/en-us/library/bb851505%28EXCHG.80%29.aspx

which said to use the following command:
New-ExchangeCertificate -DomainName popserver.fourthcoffee.com -SubjectName "c=us,o=contoso corp, cn=popserver.fourthcoffee.com" -PrivateKeyExportable:$True -GenerateRequest:$True -Path "C:\CertRequest.req"

My questions are:
1) The domain name is the domain I am securing (external.com), but I am unsure of what to put for "c=" and "cn=". Am I putting all of the names of the machines that I am securing?
2) Does this mean I need to import the new certificate onto all of the machines where I use the current certificate?

Thank you.
Winstink Asked:
 
Winstink (Author) Commented:
I had a copy of the exportable cert, and in a moment of clarity, I remembered the password.  So I was able to import the original cert.  Thank you though.
 
Brad Bouchard (Information Systems Security Officer) Commented:
Use this tool to generate the request:

https://www.digicert.com/easy-csr/exchange2010.htm

Then send the CSR to GoDaddy and get your new cert.  When you get it, complete the request in IIS/Exchange and mark the cert as exportable.  Then, go to MMC, add Certificates, manage that computer and open the Personal cert store.  Export your cert and give it a password.  Import that new cert, as well as the root and intermediate certs from GoDaddy into any other servers you need.
 
Brad Bouchard (Information Systems Security Officer) Commented:
Oh and make sure you put SANs in for things like autodiscover, local server name, and domain name.
 
Exchange_Geek Commented:
Are you telling us that you cannot export the Exchange certificate, or that you are unaware of the process?

Ref: http://www.telnetport25.com/2011/11/tool-for-exporting-exchange-2010-certificates-to-pfx-files/

This should be simple enough to export and import using the same process on the new server.

Understand, if you create separate certificates on separate servers using different information, Exchange may not like this. Keep it simple across all servers.

Regards,
Exchange_Geek
 
Winstink (Author) Commented:
Sorry for the confusion.
I don't need a new cert from GoDaddy.  What I need is the cert from Exchange to go on another machine.  GoDaddy says it must be installed on Exchange, then exported from there.  I cannot export it, the key is marked as non-exportable, and while I have a previous export, it was from a year and a half ago and heck if I know what the password is.  I am aware of the process, but it has been a while, so my questions are:

1) By generating a new Exchange certificate that is exportable, does this mean that I must then export this new certificate and import it to every other machine that uses the particular SSL cert?

2) When I do create the new Exchange cert, what do I put for "c=" and "cn="?
 
Winstink (Author) Commented:
I've looked at this article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23530700.html

which leads me to here:

http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx

which says I need to generate a new cert.  Which leads me to my above questions.  Thanks.
 
Brad Bouchard (Information Systems Security Officer) Commented:
You will need a new cert from GoDaddy though, as the one you have is not exportable.  You have already paid for it so in essence it's just a reissue and they do them all the time.  You will need the CSR again and send it to them and tell them to reissue the cert for this new CSR (use the tool I linked to above).  Then you can import it into Exchange and export it and then yes you will need to reimport everywhere else it was.
 
Winstink (Author) Commented:
After the weekend, I was able to figure out the password to an export of the key back when I first created it.
Question has a verified solution.
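
The reissue-and-export route described in the thread (new request with an exportable key, complete it, export to a password-protected PFX, import on the other servers), sketched as Exchange Management Shell commands. This is an added example, not part of the original thread; the host names, organisation name and file paths are placeholders, and it assumes the Exchange 2007 cmdlets and CSP-backed private keys.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2007 server.
# Host names, organisation name and file paths are placeholders.

# 1. Check which installed certificates have a private key that can be exported.
#    Assumes CSP-backed keys; for other key types the Exportable column stays empty.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'Exportable'; Expression = { $_.PrivateKey.CspKeyContainerInfo.Exportable } }

# 2. Create a new request whose key is marked exportable.
#    c= is the two-letter country code, o= the organisation,
#    cn= the primary name clients connect to.
#    Further names (autodiscover, the local server name) go in -DomainName as SANs.
New-ExchangeCertificate -GenerateRequest:$true -Path 'C:\CertRequest.req' `
    -SubjectName 'c=US, o=Example Corp, cn=mail.external.com' `
    -DomainName mail.external.com, autodiscover.external.com, exch01.external.local `
    -PrivateKeyExportable:$true

# 3. After the CA reissues the certificate for this request, complete the request
#    on the same server that generated it (the private key lives there).
$cert = Import-ExchangeCertificate -Path 'C:\issued.cer'

# 4. Export certificate and private key to a password-protected PFX.
#    Read-Host -AsSecureString keeps the password out of the console history.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Path 'C:\export.pfx' -Password:$pfxPassword

# 5. On each other Exchange server: copy the PFX over, prompt for the password
#    again as in step 4, then import. The CA's root and intermediate
#    certificates are installed separately.
Import-ExchangeCertificate -Path 'C:\export.pfx' -Password:$pfxPassword
```

The PFX contains the private key, so record its password somewhere recoverable and remove stray copies of the file from disk once the imports are done.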