We help IT Professionals succeed at work.

Attempting to import new SSL Certificate for Exchange 2010

Philip Cyr
Philip Cyr asked
on
I am attempting to install a new certificate on an Exchange 2010 server.  Our current certificate expires today.  

I previously tried to import the certificate and some how messed up so I started over but now I am getting an error "Cannot Import Certificate. A certificate with the thumbprint XXXX already exists."  

I have checked the certificate store and deleted it but it is still showing this error.  Searching on here I attempted to run the command remove-exchangecertificate -thumbprint XXX .  But getting an error that the PrivateKeyMissing.

Any ideas?
Comment
Watch Question

Most Valuable Expert 2014

Commented:
Create a new SSL request. Don't try and use an old one.
Are you using a trusted certificate or trying to use a self signed one?

If you are bringing in a certificate from another server, export it again, including the full path and the private key.

Simon.

Author

Commented:
I am trying to use one from GoDaddy which was the previous SSL cert.

One issue I am having is our public domain is managed by our old IT provider through GoDaddy so I have to contact them to make any requests we are working on migrating the management to an account our company owns.  

I created a new certificate request which generated a .req file but they told me GoDaddy doesn't support .req files and it needs to be a .txt file but I can't see how to save it as a .txt file.  They ended up renewing one on Godaddy without the CSR file.
If you still need to use the req file, all you need to do is change the extension.  It's really just a .txt file with a different extension, so changing the extension will not change the contents of the file.
Most Valuable Expert 2014
Commented:
I run the biggest SSL reseller site on the GoDaddy platform, so know what you have been told is complete garbage.

The GoDaddy system has a web page, where you past the text. The .req file can be opened in notepad. Either someone doesn't know that or is too lazy. Therefore you can just rename the req file if they insist on the file being sent to you that way.

Therefore generate a new request, then get them to rekey the certificate (which is free) and tell them to send you the result. You can then import that response, along with the updated intermediate certificates.

Simon.

Author

Commented:
Simon,

I am assuming its ignorance.  I sent them a new CSR with the .txt file and I am waiting on a response.

Author

Commented:
I am still waiting on a response from the IT provider that has control over our domain.  Are there any alternatives to getting this to work?  I already have a new SSL certificate but when trying to import it I get the thumbprint error as I previously imported it and some how messed it up.

My concern is that the old certificate expires today and tomorrow everyone is going to be asking about the error message they are getting on their Outlook and phones.
Most Valuable Expert 2014

Commented:
You don't have a matching pair, so no there isn't.
An SSL request is a request and a response. Because an older Certificate Request was used, the request is no longer valid - hence the error.

Simon.

Author

Commented:
OK finally got off the phone with the company managing our domain.  Was able to complete the certificate update. Simon thank you for your help.

Author

Commented:
OK looks like a new problem has showed up.  When opening Outlook while connected to the LAN I get a security alert stating "ExchangeHostname.domain.local - the name on the security certificate is invalid or does not match the name of the site"

Looking up the Details of the SSL certificate on our Exchange server only the below names are listed on the Subject Alternative Name:

DNS Name=webmail.domain.com
DNS Name=www.webmail.domain.com
DNS Name=domain.com
DNS Name=autodiscover.domain.com

I am assuming the error is that our Autodiscover record is now missing ExchangeHostname.domain.local, is there a way to change where autodiscover is looking that will match the SSL certificate or should I just reissue the certificate to cover the ExchangeHostname.domain.local ?
Most Valuable Expert 2014

Commented:
You cannot include internal names on SSL certificates any longer.
You will need to setup a split DNS and reconfigure Exchange to use your external host name internally.
http://semb.ee/hostnames2010

Simon.

Author

Commented:
Simon,

I looked over your document link but had a few more questions I was wondering if you could answer.

On the "Client Access URL" section, I am able to locate OWA, Microsoft-Server-ActiveSync, OAB, and ECP  but can't seem to find the "Properties" section of each?

Do I need to setup a split DNS if our internal domain is a .local address and our external domain is a .com?

Under the "Autodiscover URL" and "Web Services URL" section are these steps in addition to the previous ones or instead of  using the GUI?
Most Valuable Expert 2014

Commented:
You cannot use the GUI to configure all of the URLs within Exchange, hence the use of EMS, or the script that is on that same web page.
You need a split DNS in any configuration, so that the external host name resolves internally.
I cannot answer why you cannot see the properties of the virtual directories, that is not something I have seen before. I have seen it where you cannot see any of the configuration - that is a permissions issue, but not selective.

Simon.