Winstink
asked on
exporting SSL certificate from Exchange 2007
I need to export an Exchange certificate in order to use it on another machine. The certificate is from GoDaddy. I cannot export the current one because apparently it is not exportable. So from research, it appears I have to generate a new Exchange certificate, correct?
I found this:
http://technet.microsoft.com/en-us/library/bb851505%28EXCHG.80%29.aspx
which said to use the following command:
New-ExchangeCertificate -DomainName popserver.fourthcoffee.com -SubjectName "c=us,o=contoso corp, cn=popserver.fourthcoffee.com" -PrivateKeyExportable:$True -GenerateRequest:$True -Path "C:\CertRequest.req"
My questions are:
1) The domain name is the domain I am securing (external.com), but I am unsure of what to put for "c=" and "cn=". Am I putting all of the names of the machines that I am securing?
2) Does this mean I need to import the new certificate onto all of the machines I use the current certificate on?
Thank you.
Oh and make sure you put SANs in for things like autodiscover, local server name, and domain name.
Are you telling us that you cannot export the Exchange certificate OR you are unaware of the process?
Ref: http://www.telnetport25.com/2011/11/tool-for-exporting-exchange-2010-certificates-to-pfx-files/
This should be simple enough to export and import using the same process on the new server.
Understand, if you create separate certificates on separate servers using different information, Exchange may not like this. Keep it simple across all servers.
Regards,
Exchange_Geek
ASKER
Sorry for the confusion.
I don't need a new cert from GoDaddy. What I need is the cert from Exchange to go on another machine. GoDaddy says it must be installed on Exchange, then exported from there. I cannot export it, the key is marked as non-exportable, and while I have a previous export, it was from a year and a half ago and heck if I know what the password is. I am aware of the process, but it has been a while, so my questions are:
1) By generating a new Exchange certificate that is exportable, does this mean that I must then export this new certificate and import it to every other machine that uses the particular SSL cert?
2) When I do create the new Exchange cert, what do I put for "c=" and "cn="?
ASKER
I've looked at this article:
https://www.experts-exchange.com/questions/23530700/Exporting-an-Exchange-2007-SSL-Certificate-Error.html
which leads me to here:
http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
which says I need to generate a new cert. Which leads me to my above questions. Thanks.
You will need a new cert from GoDaddy though, as the one you have is not exportable. You have already paid for it so in essence it's just a reissue and they do them all the time. You will need the CSR again and send it to them and tell them to reissue the cert for this new CSR (use the tool I linked to above). Then you can import it into Exchange and export it and then yes you will need to reimport everywhere else it was.
ASKER
After the weekend, I was able to figure out the password to an export of the key back when I first created it.
https://www.digicert.com/easy-csr/exchange2010.htm
Then send the CSR to GoDaddy and get your new cert. When you get it, complete the request in IIS/Exchange and mark the cert as exportable. Then, go to MMC, add Certificates, manage that computer and open the Personal cert store. Export your cert and give it a password. Import that new cert, as well as the root and intermediate certs from GoDaddy into any other servers you need.
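The request, export and import sequence discussed in this thread, written out for the Exchange 2007 Management Shell as an added example that is not part of any post above. The host names, subject and file paths are placeholders chosen for illustration.

```powershell
# Added example. All names and paths below are placeholders (assumptions),
# not values taken from the thread.
$names = 'mail.example.com', 'autodiscover.example.com', 'exch01.example.local'

# 1. Check whether the key of each installed certificate is exportable.
#    CspKeyContainerInfo is only available for CAPI/CSP-backed RSA keys.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } |
    Select-Object Thumbprint, Subject,
        @{ Name = 'Exportable'
           Expression = { $_.PrivateKey.CspKeyContainerInfo.Exportable } }

# 2. Generate a request whose private key is exportable.
#    c=  two-letter ISO country code
#    cn= the primary host name clients connect to
#    Every entry in -DomainName is requested as a subject alternative name.
New-ExchangeCertificate -GenerateRequest:$true -PrivateKeyExportable:$true `
    -SubjectName 'c=US, o=Example Corp, cn=mail.example.com' `
    -DomainName $names -Path 'C:\CertRequest.req'

# 3. After the CA reissues against that request, complete it on the SAME
#    server that generated the request (the private key lives there).
$cert = Import-ExchangeCertificate -Path 'C:\reissued.cer'
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS'

# 4. Export certificate and private key to a password-protected PFX.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Path 'C:\export.pfx' -Password $pfxPassword

# 5. On each other Exchange server: import the PFX and bind it to services.
#    Decide here whether the key should stay exportable on that server.
$imported = Import-ExchangeCertificate -Path 'C:\export.pfx' `
    -Password $pfxPassword -PrivateKeyExportable:$false
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services 'IIS'
```

The PFX holds the private key, so record its password in a password manager at export time and delete the file from each server once the import is confirmed.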