Solved

SBS2011 - Exchange 2010 Certificates - Driving me Nuts!!!!

Posted on 2014-01-14
17
Medium Priority
3,528 Views
Last Modified: 2014-01-15
Hi All.

We have an on-going issue with Exchange 2010 certificates on one of our client's servers.
(We are treading cautiously as SSL on Exchange is new to us)

We have a Godaddy SSL cert that has been working fine and we want to renew it.

We have at this point renewed the SSL at Godaddy with the original CSR and have downloaded it ready to install.

Following these instructions from TechNet:

Use the EMC to renew an Exchange certificate

1. In the console tree, click Server Configuration.  - DONE

2. Select the server that contains the certificate, and then select the certificate you want to renew.  - DONE

3. In the action pane, click Renew Exchange Certificate.  - DONE

4. On the Renew Exchange Certificate page, select the services you want to assign to the renewed certificate. The services that are checked are currently assigned to the certificate.

HERE - when you select Renew Exchange Certificate the wizard opens with:
Specify the name of the request file in the box below..... The name must end with the extension ".req"

and it's here that this is driving me nuts.

I appreciate I may need to submit a new CSR, but what is this .req and how do I use this in renewing the SSL certificate?

Other instructions I have found state that at this point you should be able to select the new certificate, but I cannot.

If I follow this wizard it creates this .REQ file but if I open it with notepad there is no valid CSR data that I can see - however it does create a temporary certificate in the Exchange Certificates that states - something like (Sorry I have deleted it now) continue process pending request.

Can anyone help at all please.

Thank you
Regards
Andy
Question by:AndyKeen
17 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 39779001
If you already have the new certificate from go-daddy simply import it, then assign the services to it, then remove the old certificate
0
 
LVL 1

Author Comment

by:AndyKeen
ID: 39779038
Hi Pete.

Thank you for that.

Due to caution and lack of experience, I am not sure how to import it and from where.

I can see in the EMC there is an 'import exchange certificate'

If I run this wizard it is asking for a file location (Fine) and a password that the certificate does not have.

Or do I import it elsewhere?

Thank you
Andy
0
 
LVL 28

Expert Comment

by:MAS
ID: 39779085
If your file is not listed, change the file type to "all", then you can see your certificate.
For the password you can type your admin password.

Please check this
https://www.geocerts.com/install/exchange_2010

If you have any doubt please let us know.
0

 
LVL 17

Assisted Solution

by:Lior Karasenti
Lior Karasenti earned 450 total points
ID: 39779163
1. You need to open the IIS Manager (Start -> Run -> inetmgr.exe)

2. Click on your server, go to "Server Certificates" under "IIS", then right click and choose "Complete Certificate Request"

3. Select your .CRT file that you got from GoDaddy, give it a name and the certificate will be added to the list.

4. Open EMC, click on "Server Configuration", right click your certificate and click "Assign Services to Certificate".

That should do.
0
 
LVL 1

Author Comment

by:AndyKeen
ID: 39779166
Hi MAS.

Thank you for your help.

Specifying the Admin password did the trick - however, following the wizard, which completed successfully, I CANNOT see the new certificate listed in Exchange - only the original certificates are visible.

I have quit Exchange and re-opened it and also refreshed the screen - still no joy.

Any ideas please?
Thank you
Andy
0
 
LVL 1

Author Comment

by:AndyKeen
ID: 39779195
Hi Lior.

Thank you for your help.

Really confused now - I thought this was all done through EMC.

Anyhow - Do I click the EXISTING GoDaddy certificate in that location and complete the 'Complete certificate request' and navigate to the certificate I have already renewed from GoDaddy or.. something else...

Thank you
0
 
LVL 17

Expert Comment

by:Lior Karasenti
ID: 39779201
No, right click an empty space.
0
 
LVL 1

Author Comment

by:AndyKeen
ID: 39779214
Thanks Lior.

OK, done that and it's shown up in Exchange.

I am in the process of assigning services to the certificate and it has come up with the following warning:

Do you want to enforce SSL Communication on the root web site? if not, rerun the cmdlet with the -DoNotRequireSSL parameter.

What do I do here please?

Thank you
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 1050 total points
ID: 39779249
As this is SBS 2011 you shouldn't be doing anything with certificates in Exchange.
The posters above are treating the SBS implementation as the full product, which is wrong.

Use the wizard in SBS management console. In there is an SSL wizard, run that, selecting the option to use an existing certificate. The wizard will do everything for you.

Back to the top of the question - the initial error was using an existing CSR - you cannot do that with IIS. You should have created a new CSR.

Simon.
0
 
LVL 1

Author Comment

by:AndyKeen
ID: 39779250
Thanks Lior.

OK, done that and it's shown up in Exchange.

I am in the process of assigning services to the certificate and it has come up with the following warning:

Do you want to enforce SSL Communication on the root web site? if not, rerun the cmdlet with the -DoNotRequireSSL parameter.

What do I do here please?

Thank you
0
 
LVL 17

Expert Comment

by:Lior Karasenti
ID: 39779271
Click No, and run the command that appears under "Exchange Management Shell command completed" with "-DoNotRequireSSL" at the end from EMS.
0
 
LVL 1

Author Comment

by:AndyKeen
ID: 39779381
Hi Simon - Thanks for that - I have run the wizard on SBS console and installed the SSL Cert. This is however for Exchange and the new certificate does not appear even though I have run the wizard.


Hi Lior. Thanks for the help - I now have two certificates in Exchange - the original GoDaddy one that expires in 10 days' time and the new one (both with the same Assigned Services).

What do I do with the one that is about to expire - do they overlap seamlessly or do I need to delete one?

Thank you both.
Andy
0
 
LVL 1

Author Comment

by:AndyKeen
ID: 39779450
Hi Simon - Didn't realise you were Sembee.

I have run the SBS wizard and installed the certificate.

(Side issue..) When I remote connect, the certificate still shows the old one that is about to expire - do you know why that is please?

Also - does the certificate need installing / importing into Exchange 2010? There is an existing GoDaddy one there.

Thanks Simon
0
 
LVL 28

Expert Comment

by:MAS
ID: 39781351
Please run this command, iisreset /noforce, and try again.

If you can see the new certificate listed in EMC you can delete the old one.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39781537
The SBS console should have imported the certificate into Exchange 2010 as well. If you look in EMC, are the services listed next to the new certificate correctly?

Simon.
0
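A read-only check for the two questions still open at this point in the thread (which certificate is presented to remote clients on port 443, and what Exchange lists against each certificate), as an added example that is not part of any poster's reply. The host name `remote.example.com` and the function name `Get-ServedCertificate` are assumptions; run it from the Exchange Management Shell on the server.

```powershell
# Added example, not from the thread. 'remote.example.com' is a placeholder
# for the external name that clients connect to.
$HostName = 'remote.example.com'

function Get-ServedCertificate {
    param([string]$Name, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # Inspection only: the callback accepts any certificate so that an
        # expired or mismatched one can still be read. Never reuse this
        # callback for a connection that carries data.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Name)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

# What a remote client is actually handed on 443.
$served = Get-ServedCertificate -Name $HostName
"Served on 443: {0} (expires {1:yyyy-MM-dd})" -f $served.Thumbprint, $served.NotAfter

# What Exchange holds. ServedNow marks the entry that matches the live site.
# A row with Status 'PendingRequest' is an unfinished request left behind by
# the renew wizard; a row without a private key cannot be assigned services.
Get-ExchangeCertificate | Sort-Object NotAfter |
    Select-Object Thumbprint, NotAfter, Services, Status, HasPrivateKey,
        @{ Name = 'ServedNow'; Expression = { $_.Thumbprint -eq $served.Thumbprint } } |
    Format-Table -AutoSize
```

If the row marked ServedNow is still the certificate that is about to expire, the web site binding has not picked up the new certificate yet, whatever the services column shows.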
 
LVL 1

Author Comment

by:AndyKeen
ID: 39781671
Thank you Simon, spot on with the advice.

Thank you all for your help and patience.
0
 
LVL 1

Author Closing Comment

by:AndyKeen
ID: 39781683
There were many people who helped me with this and it was difficult to know how to give out the points because there is more than one way to do it - however Simon picked up that this was SBS2011 and because of that the answer was quite simple.
0
