
SBS2011 - Exchange 2010 Certificates - Driving me Nuts!!!!

Hi All.

We have an on-going issue with Exchange 2010 certificates on one of our client's servers
(We are treading cautiously as SSL on Exchange is new to us)

We have a Godaddy SSL cert that has been working fine and we want to renew it.

We have at this point renewed the SSL at Godaddy with the original CSR and have downloaded it ready to install.

Following these instructions from TechNet:

Use the EMC to renew an Exchange certificate

1. In the console tree, click Server Configuration.  - DONE

2. Select the server that contains the certificate, and then select the certificate you want to renew.  - DONE

3. In the action pane, click Renew Exchange Certificate.  - DONE

4. On the Renew Exchange Certificate page, select the services you want to assign to the renewed certificate. The services that are checked are currently assigned to the certificate.

HERE - when you select Renew Exchange Certificate the wizard opens with:
Specify the name of the request file in the box below..... The name must end with the extension ".req"

and it's here that this is driving me nuts.

I appreciate I may need to submit a new CSR, but what is this .req and how do I use this in renewing the SSL certificate?

Other instructions I have found state that at this point you should be able to select the new certificate, but I cannot.

If I follow this wizard it creates this .REQ file but if I open it with notepad there is no valid CSR data that I can see - however it does create a temporary certificate in the Exchange Certificates that states - something like (Sorry I have deleted it now) continue process pending request.

Can anyone help at all, please?

Thank you
Regards
Andy

Pete Long, Technical Consultant, commented:
If you already have the new certificate from go-daddy simply import it, then assign the services to it, then remove the old certificate

AndyKeen (Author) commented:
Hi Pete.

Thank you for that.

Due to caution and lack of experience, I am not sure how to import it and from where.

I can see in the EMC there is an 'import exchange certificate'

If I run this wizard it is asking for a file location (Fine) and a password that the certificate does not have.

Or do I import it elsewhere?

Thank you
Andy

MAS (MVE), Technical Department Head, commented:
If your file is not listed, change the file type to "all", then you can see your certificate.
For the password, you can type your admin password.

Please check this
https://www.geocerts.com/install/exchange_2010

If you have any doubt, please let us know.
 
Lior Karasenti commented:
1. You need to open the IIS Manager (Start -> Run -> inetmgr.exe)

2. Click on your server, go to "Server Certificates" under "IIS", then right click and choose "Complete Certificate Request"

3. Select your .CRT file that you got from GoDaddy, give it a name and the certificate will be added to the list.

4. Open EMC, click on "Server Configuration", right click your certificate and click "Assign Services to Certificate".

That should do.

AndyKeen (Author) commented:
Hi Mas.

Thank you for your help.

Specifying the Admin password did the trick - however following the wizard which completed successfully - I CANNOT see the new certificate listed in exchange - only the original certificates are visible.

I have quit Exchange and re-opened it and also refreshed the screen - still no joy.

Any ideas please
Thank you
Andy

AndyKeen (Author) commented:
Hi Lior.

Thank you for your help.

Really confused now - I thought this was all done through EMC.

Anyhow - Do I click the EXISTING GoDaddy certificate in that location and complete the 'Complete certificate request' and navigate to the certificate I have already renewed from GoDaddy or.. something else...

Thank you

Lior Karasenti commented:
No, right click an empty space.

AndyKeen (Author) commented:
Thanks Lior.

OK, done that and it's shown up in Exchange.

I am in the process of assigning services to the certificate and it has come up with the following warning:

Do you want to enforce SSL Communication on the root web site? if not, rerun the cmdlet with the -DoNotRequireSSL parameter.

What do I do here, please?

Thank you

Simon Butler (Sembee), Consultant, commented:
As this is SBS 2011 you shouldn't be doing anything with certificates in Exchange.
The posters above are treating the SBS implementation as full product, which is wrong.

Use the wizard in SBS management console. In there is an SSL wizard, run that, selecting the option to use an existing certificate. The wizard will do everything for you.

Back to the top of the question - the initial error was using an existing CSR - you cannot do that with IIS. You should have created a new CSR.

Simon.
 
Lior Karasenti commented:
Click No, and run the command that appears under "Exchange Management Shell command completed" with "-DoNotRequireSSL" at the end from EMS.

AndyKeen (Author) commented:
Hi Simon - Thanks for that - I have run the wizard on SBS console and installed the SSL Cert. This is however for Exchange and the new certificate does not appear even though I have run the wizard.


Hi Lior. Thanks for the help - I now have two certificates in Exchange - the original GoDaddy that expires in 10 days time and the new one (both with the same Assigned Services).

What do I do with the one that is about to expire - do you overlap etc seamlessly or do I need to delete one?

Thank you Both.
Andy

AndyKeen (Author) commented:
Hi Simon - Didn't realise you were Sembee.

I have run the SBS wizard and installed the certificate.

(Side issue..) When I remote connect the certificate still shows the old one about to expire - do you know why that is please?

Also - Does the certificate need installing / importing into Exchange 2010 - there is an existing GoDaddy one there.

Thanks Simon

MAS (MVE), Technical Department Head, commented:
Please run this command iisreset /noforce and try

If you can see the new certificate listed in EMC you can delete the old one

Simon Butler (Sembee), Consultant, commented:
The SBS console should have imported the certificate in to Exchange 2010 as well. If you look in EMC, are the services listed next to the new certificate correctly?

Simon.
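
Added example, not part of the original thread: a check in the Exchange Management Shell of the question Simon asks above (are the services on the new certificate?) and of the earlier question about the two overlapping certificates, run before the expiring one is removed. The two thumbprints are placeholders to be copied from the listing; the cmdlets are the standard Exchange 2010 ones, and the final removal is only previewed with -WhatIf.

```powershell
# Added example for the Exchange Management Shell; not from the thread.
# Everything is read-only except the last command, which only previews (-WhatIf).

# 1. List every certificate Exchange can see on this server.
Get-ExchangeCertificate | Sort-Object NotAfter |
    Format-Table Thumbprint, NotAfter, Status, HasPrivateKey, Services, Subject -AutoSize

# 2. Placeholders: paste the two thumbprints from the table above.
$newThumb = '<THUMBPRINT-OF-RENEWED-CERT>'
$oldThumb = '<THUMBPRINT-OF-EXPIRING-CERT>'
$new = Get-ExchangeCertificate -Thumbprint $newThumb
$old = Get-ExchangeCertificate -Thumbprint $oldThumb

$problems = @()

# A certificate without its private key cannot serve TLS.
if (-not $new.HasPrivateKey) { $problems += 'renewed certificate has no private key on this server' }
if ($new.Status -ne 'Valid') { $problems += "renewed certificate status is '$($new.Status)'" }
if ($new.NotAfter -le $old.NotAfter) { $problems += 'renewed certificate does not outlive the old one' }

# 3. Every service bound to the old certificate (IIS, SMTP, ...) must be on the new one.
$oldSvc = $old.Services.ToString() -split ',\s*'
$newSvc = $new.Services.ToString() -split ',\s*'
$oldSvc | Where-Object { $_ -ne 'None' -and $newSvc -notcontains $_ } |
    ForEach-Object { $problems += "service '$_' is not assigned to the renewed certificate" }

# 4. Every host name on the old certificate must still be covered by the new one.
$newNames = @($new.CertificateDomains | ForEach-Object { "$_" })
$old.CertificateDomains | ForEach-Object { "$_" } |
    Where-Object { $newNames -notcontains $_ } |
    ForEach-Object { $problems += "name '$_' is missing from the renewed certificate" }

# 5. Report; preview the removal of the old certificate only when nothing is wrong.
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Remove-ExchangeCertificate -Thumbprint $oldThumb -WhatIf
}
```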

AndyKeen (Author) commented:
Thank you Simon, spot on with the advice.

Thank you all for your help and patience.

AndyKeen (Author) commented:
There were many people who helped me with this and it was difficult to know how to give out the points because there is more than one way to do it - however Simon picked up that this was SBS2011 and because of that the answer was quite simple.
Question has a verified solution.
