Attempting to import new SSL Certificate for Exchange 2010

I am attempting to install a new certificate on an Exchange 2010 server.  Our current certificate expires today.  

I previously tried to import the certificate and some how messed up so I started over but now I am getting an error "Cannot Import Certificate. A certificate with the thumbprint XXXX already exists."  

I have checked the certificate store and deleted it but it is still showing this error.  Searching on here I attempted to run the command remove-exchangecertificate -thumbprint XXX .  But getting an error that the PrivateKeyMissing.

Any ideas?
Philip CyrAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Simon Butler (Sembee)ConsultantCommented:
Create a new SSL request. Don't try and use an old one.
Are you using a trusted certificate or trying to use a self signed one?

If you are bringing in a certificate from another server, export it again, including the full path and the private key.

Simon.
Philip CyrAuthor Commented:
I am trying to use one from GoDaddy which was the previous SSL cert.

One issue I am having is our public domain is managed by our old IT provider through GoDaddy so I have to contact them to make any requests we are working on migrating the management to an account our company owns.  

I created a new certificate request which generated a .req file but they told me GoDaddy doesn't support .req files and it needs to be a .txt file but I can't see how to save it as a .txt file.  They ended up renewing one on Godaddy without the CSR file.
Hypercat (Deb)Commented:
If you still need to use the req file, all you need to do is change the extension.  It's really just a .txt file with a different extension, so changing the extension will not change the contents of the file.
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Simon Butler (Sembee)ConsultantCommented:
I run the biggest SSL reseller site on the GoDaddy platform, so know what you have been told is complete garbage.

The GoDaddy system has a web page, where you past the text. The .req file can be opened in notepad. Either someone doesn't know that or is too lazy. Therefore you can just rename the req file if they insist on the file being sent to you that way.

Therefore generate a new request, then get them to rekey the certificate (which is free) and tell them to send you the result. You can then import that response, along with the updated intermediate certificates.

Simon.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Philip CyrAuthor Commented:
Simon,

I am assuming its ignorance.  I sent them a new CSR with the .txt file and I am waiting on a response.
Philip CyrAuthor Commented:
I am still waiting on a response from the IT provider that has control over our domain.  Are there any alternatives to getting this to work?  I already have a new SSL certificate but when trying to import it I get the thumbprint error as I previously imported it and some how messed it up.

My concern is that the old certificate expires today and tomorrow everyone is going to be asking about the error message they are getting on their Outlook and phones.
Simon Butler (Sembee)ConsultantCommented:
You don't have a matching pair, so no there isn't.
An SSL request is a request and a response. Because an older Certificate Request was used, the request is no longer valid - hence the error.

Simon.
Philip CyrAuthor Commented:
OK finally got off the phone with the company managing our domain.  Was able to complete the certificate update. Simon thank you for your help.
Philip CyrAuthor Commented:
OK looks like a new problem has showed up.  When opening Outlook while connected to the LAN I get a security alert stating "ExchangeHostname.domain.local - the name on the security certificate is invalid or does not match the name of the site"

Looking up the Details of the SSL certificate on our Exchange server only the below names are listed on the Subject Alternative Name:

DNS Name=webmail.domain.com
DNS Name=www.webmail.domain.com
DNS Name=domain.com
DNS Name=autodiscover.domain.com

I am assuming the error is that our Autodiscover record is now missing ExchangeHostname.domain.local, is there a way to change where autodiscover is looking that will match the SSL certificate or should I just reissue the certificate to cover the ExchangeHostname.domain.local ?
Simon Butler (Sembee)ConsultantCommented:
You cannot include internal names on SSL certificates any longer.
You will need to setup a split DNS and reconfigure Exchange to use your external host name internally.
http://semb.ee/hostnames2010

Simon.
Philip CyrAuthor Commented:
Simon,

I looked over your document link but had a few more questions I was wondering if you could answer.

On the "Client Access URL" section, I am able to locate OWA, Microsoft-Server-ActiveSync, OAB, and ECP  but can't seem to find the "Properties" section of each?

Do I need to setup a split DNS if our internal domain is a .local address and our external domain is a .com?

Under the "Autodiscover URL" and "Web Services URL" section are these steps in addition to the previous ones or instead of  using the GUI?
Simon Butler (Sembee)ConsultantCommented:
You cannot use the GUI to configure all of the URLs within Exchange, hence the use of EMS, or the script that is on that same web page.
You need a split DNS in any configuration, so that the external host name resolves internally.
I cannot answer why you cannot see the properties of the virtual directories, that is not something I have seen before. I have seen it where you cannot see any of the configuration - that is a permissions issue, but not selective.

Simon.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.