Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 350
  • Last Modified:

Exchange 2010 Certificate Renewal on 2nd CAS server

We have recently renewed our GoDaddy UCC SSL certificate.  We have 2 CAS servers in the environment.  Previous certs had same thumbprint.  Went through renewal process on primary exchange server, with no issue.  While renewing on second CAS server (with same cert file), I went and selected the renew cert, selected the issued certificate and completed the process.  However, the status is still in a pending state.  I noticed the thumbprint is different on this cert than on the 1st CAS server.  Previously certs both had the same thumbprint on both CAS servers.  
Are there different steps to configure on the 2nd CAS server in order to complete the pending request?

Thank you
0
trinity2007
Asked:
trinity2007
  • 4
  • 2
  • 2
  • +1
1 Solution
 
Simon Butler (Sembee)ConsultantCommented:
Don't renew on the second server.

On the first server export the certificate and then import it to the second server.

Simon.
0
 
Peter HutchisonSenior Network Systems SpecialistCommented:
Make sure the export includes the private certificate as well (it must be marked as exportable for this to work), and save as a PFX file. The PFX file can be copied to the 2nd server and imported using the Certificates mmc.
0
 
trinity2007Author Commented:
I removed that request (on the 2nd sever), exported from the 1st server (as pfx) and imported  on 2nd server.  During import message stated that cert with the thumbprint -----------------  already exists.  When I check the certificates installed (on the 2nd server) through EMC and shell command I don't see that cert with the -------------------- thumbprint.  Only the one that is expiring.
Thanks
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Simon Butler (Sembee)ConsultantCommented:
When you created the certificate on the first server, did you use a NEW certificate request, or did you reuse an old one? If the later you need to do the former.

Simon.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
On the second Exchange server what do you see what you type Get-ExchangeCertificate | ft?

When you open the MMC for Certificate Services (local computer) what do you see in the Personal Store on that second Exchange server?

Will.
0
 
trinity2007Author Commented:
On the first server I did a renew, exported the CSR, uploaded to GoDaddy, and picked up the new cert from GoDaddy, completed the pending request.  I thought I would be able to do the same on the 2nd server.  I'm new to Exchange 2010 and having 2 CAS servers, so I'm not expert level at this.
0
 
trinity2007Author Commented:
Exchange Shell command: On the 2nd server I see the previous cert thumbprint along with the CA Root Cert for the exchange server itself.  
In the Certificates Personal Store I do see the new cert listed as well as the previous cert.
0
 
Will SzymkowskiSenior Solution ArchitectCommented:
Yeah it is pretty straight forward, once you have enabled the cert on the first CAS server
- export the cert (with private key)
- Use the MMC to import the cert into the local computer Personal Store
- Open EMS
- Run the command Enable-ExchangeCertificate -Thumbprint -Services "pop,imap,smtp,iis"

It will prompt you that this will now be the primary cert for Exchange services click Y to complete the process.

Remove the old cert once this has been tested using the remove-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxx

Will.
0
 
trinity2007Author Commented:
Perfect...works..Thank you very much!!!!
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now