Solved

Exchange 2010 Certificate Renewal on 2nd CAS server

Posted on 2015-02-20
Last Modified: 2015-02-20
We have recently renewed our GoDaddy UCC SSL certificate.  We have 2 CAS servers in the environment.  Previous certs had same thumbprint.  Went through renewal process on primary exchange server, with no issue.  While renewing on second CAS server (with same cert file), I went and selected the renew cert, selected the issued certificate and completed the process.  However, the status is still in a pending state.  I noticed the thumbprint is different on this cert than on the 1st CAS server.  Previously certs both had the same thumbprint on both CAS servers.  
Are there different steps to configure on the 2nd CAS server in order to complete the pending request?

Thank you
0
Question by:trinity2007
9 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Don't renew on the second server.

On the first server export the certificate and then import it to the second server.

Simon.
0
 
LVL 18

Expert Comment

by:Peter Hutchison
Make sure the export includes the private certificate as well (it must be marked as exportable for this to work), and save as a PFX file. The PFX file can be copied to the 2nd server and imported using the Certificates mmc.
0
 

Author Comment

by:trinity2007
I removed that request (on the 2nd server), exported from the 1st server (as pfx) and imported on 2nd server.  During import message stated that cert with the thumbprint -----------------  already exists.  When I check the certificates installed (on the 2nd server) through EMC and shell command I don't see that cert with the -------------------- thumbprint.  Only the one that is expiring.
Thanks
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
When you created the certificate on the first server, did you use a NEW certificate request, or did you reuse an old one? If the latter you need to do the former.

Simon.
0

 
LVL 53

Expert Comment

by:Will Szymkowski
On the second Exchange server what do you see when you type Get-ExchangeCertificate | ft?

When you open the MMC for Certificate Services (local computer) what do you see in the Personal Store on that second Exchange server?

Will.
0
 

Author Comment

by:trinity2007
On the first server I did a renew, exported the CSR, uploaded to GoDaddy, and picked up the new cert from GoDaddy, completed the pending request.  I thought I would be able to do the same on the 2nd server.  I'm new to Exchange 2010 and having 2 CAS servers, so I'm not expert level at this.
0
 

Author Comment

by:trinity2007
Exchange Shell command: On the 2nd server I see the previous cert thumbprint along with the CA Root Cert for the exchange server itself.  
In the Certificates Personal Store I do see the new cert listed as well as the previous cert.
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
Yeah, it is pretty straightforward once you have enabled the cert on the first CAS server:
- Export the cert (with private key)
- Use the MMC to import the cert into the local computer Personal Store
- Open EMS
- Run the command Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxx -Services "pop,imap,smtp,iis"

It will prompt you that this will now be the primary cert for Exchange services; click Y to complete the process.

Remove the old cert once this has been tested, using Remove-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxx

Will.
0
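
The export, import and enable steps from the accepted answer, scripted for the Exchange Management Shell as an added example (not code from the thread). It uses Export-ExchangeCertificate and Import-ExchangeCertificate in place of the MMC import; the server names CAS1 and CAS2, the PFX path and the thumbprint placeholder are assumptions.

```powershell
# Run in the Exchange Management Shell (Exchange 2010).
# Assumed names: CAS1 / CAS2, the PFX path, and the thumbprint placeholder.
$thumb = 'xxxxxxxxxxxxxxxx'            # placeholder: thumbprint of the renewed cert on CAS1
$pfx   = 'C:\Temp\renewed.pfx'         # hypothetical temporary file
$pw    = Read-Host 'PFX password' -AsSecureString

# 1. On CAS1: confirm the renewed cert carries its private key, then export it as a PFX.
$src = Get-ExchangeCertificate -Server CAS1 -Thumbprint $thumb
if (-not $src.HasPrivateKey) { throw 'Renewed certificate on CAS1 has no private key' }
$export = Export-ExchangeCertificate -Server CAS1 -Thumbprint $thumb `
              -BinaryEncoded:$true -Password $pw
Set-Content -Path $pfx -Value $export.FileData -Encoding Byte

# 2. On CAS2: import the PFX and check that the private key came with it.
$bytes = [Byte[]](Get-Content -Path $pfx -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -Server CAS2 -FileData $bytes -Password $pw | Out-Null
$dst = Get-ExchangeCertificate -Server CAS2 -Thumbprint $thumb
if (-not $dst.HasPrivateKey) { throw 'Import on CAS2 did not bring the private key' }

# 3. Bind the services (the cmdlet prompts before replacing the current certificate).
Enable-ExchangeCertificate -Server CAS2 -Thumbprint $thumb -Services 'pop,imap,smtp,iis'

# 4. Both CAS servers should now report the same thumbprint with the services assigned.
foreach ($s in 'CAS1', 'CAS2') {
    Get-ExchangeCertificate -Server $s -Thumbprint $thumb |
        Format-List @{n = 'Server'; e = { $s }}, Thumbprint, NotAfter, Services, HasPrivateKey
}

# 5. The PFX contains the private key: delete it once both servers are verified.
Remove-Item -Path $pfx
```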
 

Author Comment

by:trinity2007
Perfect...works..Thank you very much!!!!
0
