Solved

creating an exchange 2007 certificate

Posted on 2013-01-08
Last Modified: 2013-01-08
I am running Exchange 2007 with SP2. My certificate is about to expire and I'm trying to install the new cert, but it's giving me this error message.
The message is attached.

Then when I try to create a new request, I get another error message, also attached.

Any advice on how to get my new cert installed correctly?

Thanks, Dan
exchangecert.jpg
exchangeNewRequestError.jpg
Question by:afacts
18 Comments
 

Author Comment

by:afacts
ID: 38756424
I followed this advice:
http://www.cyberstreams.com/posts/2009/december/fix-for-exchange-2007-certificate-error-privatekeymissing

The output of the repair was successful (see attached), but when I go to my website and check the certificate, it's still listing the old one. How do I get it to use the new one?
repairstore.jpg
 
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 150 total points
ID: 38756433
My guess would be that the period after your Inc. is messing up the request.
 

Author Comment

by:afacts
ID: 38756438
Do I create a new one without it, or just rekey the current one? Should Exchange start using the new cert automatically, or do I need to delete the old one first?
 
LVL 11

Expert Comment

by:apathy42
ID: 38756440
Two issues.

1) It is -GenerateRequest
2) As xxdcmast indicates, a . in organization is not allowed.
 

Author Comment

by:afacts
ID: 38756462
I can't believe I misspelled it.  I corrected the spelling and removed the . as well.
Still the same error.
generateRequestnew.jpg
 
LVL 11

Expert Comment

by:apathy42
ID: 38756473
I think you probably need to remove the comma as well (now that I can see it) - the comma delimits the descriptors.
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 38756478
After creating the new certificate, remove the old certificate and check in IIS whether the new one is bound to the website or not.
 

Author Comment

by:afacts
ID: 38756481
You're right, that worked. How do I install it? I'll use the CSR with GoDaddy to get a new cert, and then I don't remember exactly what I need to do as it's been over 3 years since I last did it. Appreciate the help.
 

Author Comment

by:afacts
ID: 38756504
Is this all I have to do:
http://support.godaddy.com/help/article/4877/installing-an-ssl-certificate-in-microsoft-exchange-server-2007

I followed these instructions last time, but it didn't work.
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 38756521
Run the command mentioned below.

enable-exchangecertificate -thumbprint "30c..." -services smtp,iis,pop

You only have to remove the quotation marks " " after services.


Refer to the links below to create a new certificate and certificate request as well.

http://luka.manojlovic.net/2008/01/12/new-certificate-in-exchange-2007-step-by-step/

http://www.sslshopper.com/article-how-to-use-ssl-certificates-with-exchange-2007.html

http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx
 

Author Comment

by:afacts
ID: 38756544
Well, I got further. I was able to import the cert, but when I did the enable-exchangecertificate -thumbprint etc..... it just sits there, no error, it doesn't do anything, so how do I know what the error is? I attached the screenshot.
import.jpg
 

Author Comment

by:afacts
ID: 38756556
I tried that, I removed the " for the different services, but it still does nothing. I even added the quotes for the thumbprint, but still nothing.  I will look at the articles.
 

Author Comment

by:afacts
ID: 38756620
Now it doesn't find the certificate. This is crazy, I don't understand why it's so difficult.
I followed the steps in that article.
NOT-FOUND.jpg
 
LVL 18

Accepted Solution

by:
Sushil Sonawane earned 200 total points
ID: 38756942
Run the command below.

get-exchangecertificate

Check that the thumbprint you mention in the screenshot is available in the command output.

If it is available, then run the command below.

enable-exchangecertificate -thumbprint "30c..." -services smtp,iis,pop

Let me know whether it is a third-party certificate like "go daddy" or a self-signed certificate.
 

Author Comment

by:afacts
ID: 38756946
It's a GoDaddy cert.
 

Author Comment

by:afacts
ID: 38756962
OK, thanks. I was able to add the SMTP and IIS services to the cert, so that worked, thank you. It's the first one that is the newest one.

The thumbprint for the newest cert ends in F96.

I've attached a screenshot, so now my question is, how do I make it live, or active?
When I go to my mail.domain.com website, it's still using the old cert expiring in a few days.
How do I get it to load the new cert?
getexchangecert.jpg
 
LVL 11

Assisted Solution

by:apathy42
apathy42 earned 150 total points
ID: 38757016
You can use:
Remove-ExchangeCertificate -Thumbprint <Thumbprintinfo>
to get rid of the old one.  

Alternatively, you can use
Enable-ExchangeCertificate -Thumbprint <ThumbprintInfo> -Services None
to disable it without removing.
 

Author Closing Comment

by:afacts
ID: 38757041
Thanks everyone for your help. After enabling the services again, it looks like that did the trick. I did that before so I don't know why it didn't work before, but oh well, it's working.
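
The renewal sequence the thread converges on, written out for the Exchange Management Shell as an added example that is not part of the original thread; the steps are meant to be run one at a time. The host name, organization, file paths and thumbprint placeholders are constructed, Get-ServedThumbprint is a hypothetical helper, and PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the thread. Constructed values: host name,
# organization, file paths. Thumbprints are placeholders to fill in.
$fqdn     = 'mail.example.com'
$reqPath  = 'C:\certs\mail-example.req'
$certPath = 'C:\certs\mail-example.crt'
$newThumb = '<NEW-THUMBPRINT>'
$oldThumb = '<OLD-THUMBPRINT>'

# 1. Generate the request. Commas separate the subject components, so the
#    organization value carries no comma and no period (see the thread).
New-ExchangeCertificate -GenerateRequest -Path $reqPath -KeySize 2048 `
    -SubjectName "c=US, o=Example Company Inc, cn=$fqdn" `
    -DomainName $fqdn -PrivateKeyExportable $true

# 2. Once the CA returns the signed certificate, import it on the server
#    that generated the request; the private key exists only there.
Import-ExchangeCertificate -Path $certPath

# 3. Check that the new thumbprint is listed and paired with its key.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, NotAfter, Services, HasPrivateKey

# 4. Bind the services to the new certificate.
Enable-ExchangeCertificate -Thumbprint $newThumb -Services IIS,SMTP

# Hypothetical helper: thumbprint of the certificate actually served.
function Get-ServedThumbprint([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Validation is skipped because the certificate is only read here.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $cert.Thumbprint
    } finally { $tcp.Close() }
}

# 5. Retire the old certificate only after the site serves the new one.
if ((Get-ServedThumbprint $fqdn) -eq $newThumb) {
    Remove-ExchangeCertificate -Thumbprint $oldThumb
} else {
    Write-Warning "$fqdn still serves another certificate; old one kept."
}
```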