How to replace Certificate on Exchange 2010

I have a valid certificate on my Exchange Server 2010. Now I want to change the SAN (Subject Alternative Names), because I forgot autodiscover.mydomain.com.
With the Certification Authority (certificatesforexchange.com / Starfield) it works fine. I have the new cert. But how do I import this into Exchange?
According to the description (http://help.secureserver.net/article/5863?locale=en) I should start the action “Complete Pending Request”. But there is no such action.

First try: I used “New Certificate” … after it completed, I had “Complete Pending Request.” This goes through with no errors. But nothing happens. The new certificate is still in Pending mode.
I removed the newly imported certificate with the MMC Certificate snap-in. Otherwise the second try finished with a failure, because a cert with that fingerprint already exists.

Second try: I used “Renew Certificate” … after it completed, I had “Complete Pending Request.” This goes through with no errors. Same as on the first try.

perolin asked the question above.

perolin (Author) commented:
Problem Solved:
I had to Re-Key my certificate at the Certification external Issuer.
1. Request for new Certificate on Exchange Server with all subdomains
2. Re-Key the existing valid Certificate with the new Fingerprint
3. Download and install Certificate, assign Services
Finished.

Minecraft_Enderman commented:
Use the EMC to renew an Exchange certificate
1. In the console tree, click Server Configuration.
2. Select the server that contains the certificate, and then select the certificate you want to renew.
3. In the action pane, click Renew Exchange Certificate.
4. On the Renew Exchange Certificate page, select the services you want to assign to the renewed certificate. The services that are checked are currently assigned to the certificate.
5. When you click Assign, the Progress page will confirm your selections and try to renew the certificate.
6. Click Yes to overwrite the existing certificate with the renewed certificate.
7. The Completion page will display the status of the request in addition to the syntax of the cmdlet needed to renew the certificate.
More information:
https://technet.microsoft.com/en-us/library/ee332322%28v=exchg.141%29.aspx?f=255&MSPPError=-2147217396

perolin (Author) commented:
Thanks - this is almost what I tried till now. But if I renew the actual certificate, there is no selection for services, and no question about overwriting.

How bad an idea is it to delete the currently working certificate? Why must I not pass the fingerprint for the changes to the certificate issuer?

(attached screenshot: Bildschirmfoto-2015-03-27-um-10.50.51.pn)

Guy Lidbetter commented:
Hi perolin, are you using an enterprise CA for internal certificates, or are you self-signing them?

If you need to change the SAN, a complete replacement is what you need to do. But hold off deleting the old one until you have assigned services to the new cert.

To generate the CSR, either do it via the console or run the command below.

From the Exchange Management Shell command line, type the following:

New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, l=YourLocalityOrCity, s=YourStateOrProvince, o=YourCompanyInc, cn=YourFirstDomain.com" -DomainName YourSecondDomain.com, YourThirdDomain.com -PrivateKeyExportable:$true


This command should be entered into the management shell as one line. Make sure to replace the details listed in this sample command with the details of your own organization as explained above.

Notice that the first domain name is listed inside the "-SubjectName" after "cn=" and additional domain names are added after the -DomainName parameter with commas between the additional domain names. You can add as many additional domain names as necessary.

Your CSR file will be printed to the management shell after running this command. To copy it from the management shell, you will need to right click and choose "mark". You can now paste the entire contents of the file, including the BEGIN and END tags to the DigiCert online order form when prompted.

If you want to create a CSR file automatically on your machine after running the CSR creation command, capture the request text in a variable and write it out immediately after generating it (the $Data variable must hold the output of New-ExchangeCertificate, otherwise Set-Content writes an empty file):
$Data = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, l=YourLocalityOrCity, s=YourStateOrProvince, o=YourCompanyInc, cn=YourFirstDomain.com" -DomainName YourSecondDomain.com, YourThirdDomain.com -PrivateKeyExportable:$true
Set-Content -Path "C:\your_CSR_name.csr" -Value $Data

Submit the CSR to a CA as normal and, when the certificate is issued, copy it to the personal store of ALL Exchange servers.

Then use this link to assign the cert to the exchange roles

https://technet.microsoft.com/en-GB/library/dd351257%28v=exchg.141%29.aspx
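The complete replacement that both perolin's "request, re-key, install, assign" summary and Guy's answer describe, written out as an Exchange Management Shell script. This is an added example, not code posted in the thread or taken from the linked articles; the host names, file paths and thumbprint value are placeholders, and the checks between import and assignment are there so the old certificate is never removed before the new one is proven to carry the missing SAN and its private key.

```powershell
# Added example (not from the thread): replace an Exchange 2010 certificate so that the
# SAN list gains autodiscover.mydomain.com, without leaving a window where no valid
# certificate is bound. Run in the Exchange Management Shell as an Exchange admin.
# All names, paths and the thumbprint below are placeholders.

$OldThumbprint = '<THUMBPRINT OF THE CERTIFICATE CURRENTLY IN USE>'   # placeholder
$CsrPath       = 'C:\certs\mail-mydomain-com.csr'                     # placeholder
$CerPath       = 'C:\certs\mail-mydomain-com.cer'                     # placeholder: file returned by the CA
$PfxPath       = 'C:\certs\mail-mydomain-com.pfx'                     # placeholder: for the other servers
$RequiredName  = 'autodiscover.mydomain.com'                          # the name that was forgotten

# 1. Generate a new request that lists every name. The first name becomes the CN,
#    every name (CN included) goes into the SAN. The key stays exportable so the
#    finished certificate can be copied to the other Exchange servers.
$Data = New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
    -SubjectName 'c=US, l=YourLocalityOrCity, s=YourStateOrProvince, o=YourCompanyInc, cn=mail.mydomain.com' `
    -DomainName 'mail.mydomain.com', $RequiredName `
    -PrivateKeyExportable:$true
Set-Content -Path $CsrPath -Value $Data
# Submit $CsrPath to the CA. If the CA "re-keys" an existing certificate, it must do so
# against THIS request: a certificate issued for any other key pair cannot complete the
# pending request on this server and will sit there unusable.

# 2. Import the issued certificate. Exchange matches it to the pending request by its
#    public key and joins it with the private key held in the local machine store.
$Imported = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $CerPath -Encoding Byte -ReadCount 0))
$NewCert  = Get-ExchangeCertificate -Thumbprint $Imported.Thumbprint

# 3. Verify before anything in production is touched.
if (-not $NewCert.HasPrivateKey) {
    throw 'Imported certificate has no private key: it was not issued from this server''s pending request.'
}
if ($NewCert.CertificateDomains -notcontains $RequiredName) {
    throw "Certificate still lacks $RequiredName; check the SAN list the CA actually issued."
}
if ($NewCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "New certificate expires on $($NewCert.NotAfter); it may be the old validity period re-keyed."
}

# 4. Only now assign the services. The old certificate stays bound until this succeeds;
#    Enable-ExchangeCertificate rebinds IIS in place, so there is no gap for clients.
Enable-ExchangeCertificate -Thumbprint $NewCert.Thumbprint -Services 'IIS,SMTP,POP,IMAP'

# 5. Confirm the swap from Exchange's own view, then retire the old certificate.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter, CertificateDomains -AutoSize
$NewCert = Get-ExchangeCertificate -Thumbprint $NewCert.Thumbprint
if ("$($NewCert.Services)" -notmatch 'IIS') {
    throw 'IIS is not bound to the new certificate; leaving the old one in place.'
}
Remove-ExchangeCertificate -Thumbprint $OldThumbprint

# 6. Every other Exchange server needs the same certificate together with its private key.
#    Export it as a password-protected PFX; the password is entered interactively so it
#    never sits in this script or in the shell history.
$Pfx = Export-ExchangeCertificate -Thumbprint $NewCert.Thumbprint -BinaryEncoded:$true `
    -Password (Get-Credential -Message 'PFX password').Password
Set-Content -Path $PfxPath -Value $Pfx.FileData -Encoding Byte
# On each remaining server, in its own Management Shell:
#   Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)) `
#       -Password (Get-Credential -Message 'PFX password').Password
#   Enable-ExchangeCertificate -Thumbprint <new thumbprint> -Services 'IIS,SMTP,POP,IMAP'
```

The HasPrivateKey check in step 3 is the one that explains a certificate that "stays pending": Exchange can only complete a request whose key pair it generated, so a certificate re-keyed by the CA from an older CSR, or issued for a different server's request, imports fine but never gains a private key and cannot be enabled. Delete the PFX file from disk once the other servers have imported it.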

perolin (Author) commented:
Solved with assistance from https://certs.secureserver.net