
exporting SSL certificate from Exchange 2007

Posted on 2012-09-13
Last Modified: 2012-09-22
I need to export an Exchange certificate in order to use it on another machine.  The certificate is from GoDaddy.  I cannot export the current one because apparently it is not exportable.  So from research, it appears I have to generate a new Exchange certificate, correct?

I found this:
http://technet.microsoft.com/en-us/library/bb851505%28EXCHG.80%29.aspx

which said to use the following command:
New-ExchangeCertificate -DomainName popserver.fourthcoffee.com -SubjectName "c=us,o=contoso corp, cn=popserver.fourthcoffee.com" -PrivateKeyExportable:$True -GenerateRequest:$True -Path "C:\CertRequest.req"

My questions are:
1) The domain name is the domain I am securing (external.com), but I am unsure of what to put for "c=" and "cn=". Am I putting all of the names of the machines that I am securing?
2) Does this mean I need to import the new certificate onto all of the machines where I use the current certificate?

Thank you.
Question by:Winstink
8 Comments
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 38396221
Use this tool to generate the request:

https://www.digicert.com/easy-csr/exchange2010.htm

Then send the CSR to GoDaddy and get your new cert.  When you get it, complete the request in IIS/Exchange and mark the cert as exportable.  Then, go to MMC, add Certificates, manage that computer and open the Personal cert store.  Export your cert and give it a password.  Import that new cert, as well as the root and intermediate certs from GoDaddy into any other servers you need.
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 38396225
Oh and make sure you put SANs in for things like autodiscover, local server name, and domain name.
0
 
LVL 33

Expert Comment

by:Exchange_Geek
ID: 38397274
Are you telling us that you cannot export Exchange certificate OR you are unaware of the process?

Ref: http://www.telnetport25.com/2011/11/tool-for-exporting-exchange-2010-certificates-to-pfx-files/

This should be simple enough to export and import using the same process on new server.

Understand, if you create separate certificates on separate servers using different information, Exchange may not like this. Keep it simple across all servers.

Regards,
Exchange_Geek
0

 
LVL 2

Author Comment

by:Winstink
ID: 38397422
Sorry for the confusion.
I don't need a new cert from GoDaddy.  What I need is the cert from Exchange to go on another machine.  GoDaddy says it must be installed on Exchange, then exported from there.  I cannot export it, the key is marked as non-exportable, and while I have a previous export, it was from a year and a half ago and heck if I know what the password is.  I am aware of the process, but it has been a while, so my questions are:

1) By generating a new Exchange certificate that is exportable, does this mean that I must then export this new certificate and import it to every other machine that uses the particular SSL cert?

2) When I do create the new Exchange cert, what do I put for "c=" and "cn="?
0
 
LVL 2

Author Comment

by:Winstink
ID: 38397444
I've looked at this article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23530700.html

which leads me to here:

http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx

which says I need to generate a new cert.  Which leads me to my above questions.  Thanks.
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 38400456
You will need a new cert from GoDaddy though, as the one you have is not exportable.  You have already paid for it so in essence it's just a reissue and they do them all the time.  You will need the CSR again and send it to them and tell them to reissue the cert for this new CSR (use the tool I linked to above).  Then you can import it into Exchange and export it and then yes you will need to reimport everywhere else it was.
0
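The reissue, export and re-import sequence described in the answers above, written out for the Exchange 2007 Management Shell. This is an added example, not part of the original thread; the host names, file paths and service lists are placeholders, and step 1 assumes CAPI (CSP) private keys.

```powershell
# Added example for the Exchange 2007 Management Shell. Host names, paths and
# services are placeholders (assumptions), not values from the thread.

# 1. List machine-store certificates and whether each private key is exportable.
#    Assumes CAPI (CSP) keys, where PrivateKey is an RSACryptoServiceProvider.
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'KeyExportable'; Expression = { $_.PrivateKey.CspKeyContainerInfo.Exportable } }

# 2. Create the request with an exportable key.
#    c  = two-letter country code, o = organization,
#    cn = the primary host name clients connect to.
#    -DomainName carries the SANs: public name, autodiscover, local server
#    name and the bare domain.
New-ExchangeCertificate -GenerateRequest:$true -Path 'C:\CertRequest.req' `
    -SubjectName 'c=US, o=Example Corp, cn=mail.example.com' `
    -DomainName mail.example.com, autodiscover.example.com, exch01.example.local, example.com `
    -PrivateKeyExportable:$true

# 3. After the CA reissues against that CSR, complete the request on the same
#    server (the private key lives there) and bind the certificate to services.
$cert = Import-ExchangeCertificate -Path 'C:\Certs\mail_example_com.p7b'
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# 4. Export certificate plus private key to a password-protected PFX.
#    Record the password in a vault; the PFX cannot be imported without it.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Path 'C:\Certs\mail_example_com.pfx' -Password $pfxPassword

# 5. On each additional Exchange 2007 server: copy the PFX over a trusted
#    channel, import it, enable it, then delete the file.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
Import-ExchangeCertificate -Path 'C:\Certs\mail_example_com.pfx' -Password $pfxPassword |
    Enable-ExchangeCertificate -Services 'IIS'
Remove-Item 'C:\Certs\mail_example_com.pfx'
```

The PFX holds the private key, so every copy left on a file share or admin workstation extends the exposure of that key; keep one copy in controlled storage and remove the rest.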
 
LVL 2

Accepted Solution

by:Winstink
ID: 38405510
I had a copy of the exportable cert, and in a moment of clarity, I remembered the password.  So I was able to import the original cert.  Thank you though.
0
 
LVL 2

Author Closing Comment

by:Winstink
ID: 38424353
After the weekend, I was able to figure out the password to an export of the key back when I first created it.
0
