Mark

asked on
Trouble installing SSL cert in Exchange 2007

I've just downloaded a security certificate from GoDaddy. I successfully imported the intermediate certificate, then ran the Import-ExchangeCertificate program in the Exchange Shell and got a thumbprint. Next I tried Enable-ExchangeCertificate and got the "PrivateKeyMissing" error shown below. How do I fix this?
[PS] C:\Windows\system32>Enable-ExchangeCertificate -Thumbprint 71E5569BD8DCECD18C352A7515CC077BE6F6001C -Services "SMTP, IMAP, IIS"
Enable-ExchangeCertificate : The certificate with thumbprint 71E5569BD8DCECD18C352A7515CC077BE6F6001C was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate <<<<  -Thumbprint 71E5569BD8DCECD18C352A7515CC077BE6F6001C -Services "SMTP, IMAP, IIS"
    + CategoryInfo          : NotSpecified: (:) [Enable-ExchangeCertificate], CertificateNotValidForExchangeException
    + FullyQualifiedErrorId : 677EE568,Microsoft.Exchange.Management.SystemConfigurationTasks.EnableExchangeCertificate

becraig

How did you create the request?

You can simply run the below command from an elevated prompt

certreq.exe -accept <certfile.cer>

certfile.cer has to be the name of the actual certificate you intend to use (NOT THE INTERMEDIATE)

If the request was made in IIS simply go to IIS and complete the request.
Mark

ASKER
becraig: > How did you create the request?

I created it at GoDaddy. When I requested the cert, it asked if I wanted to use a new CSR or the one for the existing certificate. I chose to use the one for the existing certificate. Note that I was not the one to create the original certificate 5 years ago, so I do not know how the then-administrator created the CSR.

> You can simply run the below command from an elevated prompt
> certreq.exe -accept <certfile.cer>

Did that, got the error:

[User generated image]

> certfile.cer has to be the name of the actual certificate you intend to use (NOT THE INTERMEDIATE)

I used 4111d11611d96.crt, not gd_iis_intermediates.p7b, the latter being the intermediate certificate (I assume). These were the only two files I received.

> If the request was made in IIS simply go to IIS and complete the request.

Not sure what you mean here. The request was made at GoDaddy.com and downloaded to my SBS 2008. The certificate is for Exchange and TLS. I tried the Enable-ExchangeCertificate command from the Exchange Shell.
ASKER CERTIFIED SOLUTION
becraig

This solution is only available to members.
Mark

ASKER

Here are my results. Does this mean it worked? Should I now run Enable-ExchangeCertificate or is that taken care of?
[PS] C:\Windows\system32>certutil -repairstore my 71E5569BD8DCECD18C352A7515CC077BE6F6001C
my
================ Certificate 12 ================
Serial Number: 04111d11611d96
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O=GoDaddy.com, Inc., L=Scottsdale, S=Arizona, C=US
NotBefore: 8/14/2014 6:45 PM
NotAfter: 8/15/2015 1:49 PM
Subject: CN=mail.ohprs.org, OU=Domain Control Validated
Non-root Certificate
Cert Hash(sha1): 71 e5 56 9b d8 dc ec d1 8c 35 2a 75 15 cc 07 7b e6 f6 00 1c
  Key Container = lr-286bce3b-bc8c-4b29-b60e-2b0d9a91640d
  Unique container name: 41df97588fe14552e35b8ce159c5dc37_7897df12-6a14-415a-bd52-da8416a1268f
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.


Looks like that did it.
You can verify the certs in EMC in the root of Server Configuration - should see green ticks all the way
In SBS you might need to run "Fix my network" from the SBS Console - Network / Connectivity tab, and reboot the Information Store service (this should be planned).
Yup you should be able to run the exchange command now.
Happy to help.
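The sequence the thread converges on (check whether the imported certificate has its private key, re-link it with certutil -repairstore, then enable it in Exchange) as a single script. This is an added example, not code from the original thread or from Microsoft; the function names Get-MachineCert and Show-KeyState, the -Thumbprint parameter and the decision logic are this example's own. It assumes the certificate is already in the LocalMachine\My store (Import-ExchangeCertificate has been run) and that the key container for the original CSR still exists on this machine, which is the situation in the thread. Run it from an elevated PowerShell prompt; the thumbprint shown in the usage comment is the one from the thread.

```powershell
# Usage (elevated):  .\Repair-CertKey.ps1 -Thumbprint 71E5569BD8DCECD18C352A7515CC077BE6F6001C
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

# Normalise the thumbprint: the Cert: provider keys on bare upper-case SHA-1 hex,
# so strip spaces/colons that certutil and the EMC like to insert.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($Thumbprint.Length -ne 40) {
    throw "Expected a 40-hex-character SHA-1 thumbprint, got '$Thumbprint'"
}

# Hypothetical helper: fetch the certificate object from the machine store.
function Get-MachineCert([string]$hash) {
    $path = "Cert:\LocalMachine\My\$hash"
    if (-not (Test-Path $path)) {
        throw "No certificate $hash in LocalMachine\My; run Import-ExchangeCertificate first"
    }
    Get-Item $path
}

# Hypothetical helper: print the fields that matter for the PrivateKeyMissing case.
function Show-KeyState($cert) {
    "Subject       : {0}" -f $cert.Subject
    "NotAfter      : {0}" -f $cert.NotAfter
    "HasPrivateKey : {0}" -f $cert.HasPrivateKey
}

$cert = Get-MachineCert $Thumbprint
Show-KeyState $cert

if (-not $cert.HasPrivateKey) {
    Write-Host "Private key not linked; running certutil -repairstore ..."
    # certutil looks through this machine's key containers for one whose public key
    # matches the certificate and re-associates it. It cannot create a key that was
    # never on this box (e.g. a CSR generated elsewhere).
    $output = & certutil.exe -repairstore my $Thumbprint
    $output | ForEach-Object { Write-Host "  $_" }
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed with exit code $LASTEXITCODE"
    }
    # Re-read the store entry; the object we already hold predates the repair.
    $cert = Get-MachineCert $Thumbprint
    Show-KeyState $cert
}

if ($cert.HasPrivateKey) {
    Write-Host "OK: private key present. In the Exchange Management Shell run:"
    Write-Host "  Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services `"SMTP, IMAP, IIS`""
} else {
    Write-Warning ("Still no private key after repair: the key for this certificate is not on " +
        "this machine, so no store repair will help. Generate a new request here with " +
        "New-ExchangeCertificate -GenerateRequest and have the CA reissue against it.")
}
```

The script only uses the Cert: provider and certutil, so it runs outside the Exchange Management Shell; the Exchange-side confirmation is still Get-ExchangeCertificate (or the green ticks under Server Configuration in the EMC) before you enable services on the certificate. The HasPrivateKey check before the repair is the cheap way to distinguish "imported the wrong file" from "key not linked": a certificate whose key container exists locally goes from False to True after -repairstore, while one whose CSR was made on another host stays False and needs a fresh request.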
Mark

ASKER

becraig: that did it, I was able to run Enable-ExchangeCertificate successfully.

I have another cert to install. Since your solution was so correct, do you know why I had this problem in the first place? Is there something I can do to avoid this situation with my next cert?
Mark

ASKER

No theories?