jkeegan123
asked on
Import Certificate into EXCHANGE 2010 without a corresponding private key?
Hello,
I have a functioning Exchange 2010 system with a SAN/UCC certificate provided by GoDaddy. Recently, we had to add a SAN and remove a SAN, and GoDaddy allows this to happen in the Certificate Management Console at the customer interface WITHOUT requiring a new CSR to get the new SANs in place. DIGICERT, REGISTER.COM and others allow for this type of SAN maintenance as well.
Once the SANs are updated and approved and I download the new CRT/CER file, I am able to import the CRT/CER file into the Windows Certificate management console (mmc --> add/remove snapin --> certificates --> this computer) but I am NOT able to import it into the Exchange System Manager because the Exchange System Manager import utility REQUIRES a password for the certificate being imported. (This would be expected if the file was a PFX export that included a PRIVATE KEY from another system.)
Once imported, because the certificate does not have a corresponding private key, it is unable to be assigned to anything like IIS websites or Exchange services (it does not appear for use). Certificates ONLY appear for use if they are imported with a proper private key.
I'd like to avoid going through the entire CSR process again through the Exchange console since I just added and removed a SAN from the cert; this is not a renewal or a completely new key... Is there any way to use this CER/CRT file in the Exchange system and assign it for use without doing a completely new CSR from PowerShell or from the Exchange MMC wizard?
You don't have to go through the CSR process again.
Create a new certificate request, then on the GoDaddy system choose Rekey. A new certificate should be issued to you immediately, so that you can download it and install it to the pending request.
While the SSL systems allow you to reissue the certificate, that is only of use to you if you still have the corresponding pending request. You don't in this case, so you cannot use that method. Without a private key, the SSL system would be useless - you could just download a certificate from your bank and set up a phishing site.
Simon.
ASKER
Offered solutions were incomplete at resolving the stated issue. My solution was comprehensive and listed ALL steps taken to resolve the listed issue.
No, you have to import the cer/crt file into the original server where the CSR was generated. The correct way is to export the cert (with the private key) and then import this into the other Exchange servers in your environment.
You will then need to enable the cert on the Exchange server using Enable-ExchangeCertificate.
Will.
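The procedure the two answers describe (new request, install the reissued certificate against that pending request, enable it, then move it with its private key to the other servers) as an Exchange Management Shell script. This is an added example, not code from the thread or from Exchange's documentation; the host names, file paths, thumbprint placeholders and server name are assumptions, and the `HasPrivateKey` check at the end is the property the asker was effectively missing when the bare CER was imported.

```powershell
# Added example (Exchange 2010 Management Shell). Assumed values: replace the
# host names, paths, server name and <THUMBPRINT> placeholders with your own.

# 1. Generate the request on the server that will hold the private key.
#    -PrivateKeyExportable $true is what later lets you move the cert to
#    the other Exchange servers (Will's step) instead of re-requesting there.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Corp, cn=mail.example.com" `
    -DomainName mail.example.com, autodiscover.example.com `
    -PrivateKeyExportable $true
Set-Content -Path "C:\certs\mail.example.com.req" -Value $req

# A request with a key pair behind it now sits in the store (Simon's
# "pending request"). Submit the .req to GoDaddy and choose Rekey there.

# 2. Import the CER GoDaddy returns on the SAME server. Because the matching
#    pending request exists here, no password is needed and the certificate
#    is joined to its private key.
$cerBytes = [Byte[]](Get-Content -Path "C:\certs\mail.example.com.cer" -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -FileData $cerBytes

# 3. Find the imported certificate and confirm it actually has a private key;
#    a cert that shows HasPrivateKey = False will not be offered for services.
$cert = Get-ExchangeCertificate | Where-Object { $_.Subject -like "*mail.example.com*" -and $_.HasPrivateKey }
if (-not $cert) { throw "Certificate imported without a private key - it cannot be assigned to services." }
$cert | Format-List Thumbprint, Subject, CertificateDomains, HasPrivateKey, NotAfter

# 4. Bind it to the services on this server (Enable-ExchangeCertificate).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 5. Export it WITH the private key (password-protected PFX) for the other
#    Exchange servers. Get-Credential prompts so the password is not stored in the script.
$pfxPassword = (Get-Credential -Message "PFX export password").Password
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "C:\certs\mail.example.com.pfx" -Value $export.FileData -Encoding Byte

# 6. On each other server, import the PFX (this is the import that legitimately
#    asks for a password) and enable it there too.
$pfxBytes = [Byte[]](Get-Content -Path "C:\certs\mail.example.com.pfx" -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -Server "EXCH02" -FileData $pfxBytes -Password $pfxPassword
Enable-ExchangeCertificate -Server "EXCH02" -Thumbprint $imported.Thumbprint -Services "IIS,SMTP"
```

Step 3 is the check worth keeping even outside this scenario: a certificate that Get-ExchangeCertificate lists with HasPrivateKey = False is exactly the state the asker hit after importing the bare CER, and Enable-ExchangeCertificate will not usefully bind it. Delete the PFX from disk once every server has it; it carries the private key that makes the certificate worth protecting.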