How to replace Certificate on Exchange 2010

I have a valid certificate on my Exchange Server 2010. Now I want to change the SAN (Subject Alternative Names), because I forgot autodiscover.mydomain.com.
With the Certification Authority (certificatesforexchange.com / Starfield) it works fine. I have the new cert. But how do I import this into Exchange?
In the description (http://help.secureserver.net/article/5863?locale=en) I should start the action "Complete Pending Request". But there is no such action.

First try: I used "New Certificate" ... after it completed, I had "Complete Pending Request." This goes through with no errors, but nothing happens. The new certificate is still in Pending mode.
I removed the newly imported certificate with the MMC Certificates snap-in; otherwise the second try finished with a failure, because a cert with that fingerprint already exists.

Second try: I used "Renew Certificate" ... after it completed, I had "Complete Pending Request." This goes through with no errors. Same as on the first try.
perolin asked:

Minecraft_ Enderman commented:
Use the EMC to renew an Exchange certificate
1. In the console tree, click Server Configuration.
2. Select the server that contains the certificate, and then select the certificate you want to renew.
3. In the action pane, click Renew Exchange Certificate.
4. On the Renew Exchange Certificate page, select the services you want to assign to the renewed certificate. The services that are checked are currently assigned to the certificate.
5. When you click Assign, the Progress page will confirm your selections and try to renew the certificate.
6. Click Yes to overwrite the existing certificate with the renewed certificate.
7. The Completion page will display the status of the request in addition to the syntax of the cmdlet needed to renew the certificate.
More information:
https://technet.microsoft.com/en-us/library/ee332322%28v=exchg.141%29.aspx?f=255&MSPPError=-2147217396
perolin (Author) commented:
Thanks - this is almost what I tried till now. But if I renew the actual certificate, there is no selection for services, and no question about overwriting.

How bad is the idea to delete the actual working certificate? Why must I not pass the fingerprint for the changes to the certificate issuer?

Guy Lidbetter commented:
Hi perolin, are you using an enterprise CA for internal certificates or are you self-signing them?

If you need to change the SAN, a complete replacement is what you need to do. But hold off deleting the old one until you have assigned services to the new Cert.

To generate the CSR, either do it via the console or run the command below.

From the Exchange Management Shell command line, type the following:

New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, l=YourLocalityOrCity, s=YourStateOrProvince, o=YourCompanyInc, cn=YourFirstDomain.com" -DomainName YourSecondDomain.com, YourThirdDomain.com -PrivateKeyExportable:$true


This command should be entered into the management shell as one line. Make sure to replace the details listed in this sample command with the details of your own organization as explained above.

Notice that the first domain name is listed inside the "-SubjectName" after "cn=" and additional domain names are added after the -DomainName parameter with commas between the additional domain names. You can add as many additional domain names as necessary.

Your CSR will be printed to the management shell after running this command. To copy it from the management shell, you will need to right-click and choose "Mark". You can now paste the entire contents, including the BEGIN and END tags, into the DigiCert online order form when prompted.

If you want to create a CSR file automatically on your machine, capture the output of the request command in a variable and write it to a file immediately afterwards:
$Data = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, l=YourLocalityOrCity, s=YourStateOrProvince, o=YourCompanyInc, cn=YourFirstDomain.com" -DomainName YourSecondDomain.com, YourThirdDomain.com -PrivateKeyExportable:$true
Set-Content -Path "C:\your_CSR_name.csr" -Value $Data

Submit the CSR to a CA as normal and, when the certificate is issued, copy it to the personal store of ALL Exchange servers.

Then use this link to assign the cert to the Exchange roles:

https://technet.microsoft.com/en-GB/library/dd351257%28v=exchg.141%29.aspx
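The replacement flow from Guy Lidbetter's answer, and the Exchange-side part of perolin's re-key solution, carried out end to end in the Exchange Management Shell. This is an added example, not code from the thread; hostnames, file paths, the organisation details, the services list and the old thumbprint are assumed placeholders.

```powershell
# Added example (not from the thread): replace an Exchange 2010 certificate
# so the SAN list gains the forgotten autodiscover name, and only retire the
# old certificate after the new one carries the services.

# 1. Generate a CSR whose SAN list includes every name clients connect to.
#    Capture the output so it can be written to a file for the CA.
$csr = New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
    -SubjectName "c=US, o=Example Inc, cn=mail.mydomain.com" `
    -DomainName mail.mydomain.com, autodiscover.mydomain.com `
    -PrivateKeyExportable:$true
Set-Content -Path "C:\certs\mail.mydomain.com.csr" -Value $csr

# 2. Submit the CSR to the CA (or re-key the existing order with it), then
#    import the issued certificate on EVERY Exchange server that needs it.
#    This is the shell equivalent of the EMC "Complete Pending Request".
$imported = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content `
    -Path "C:\certs\mail.mydomain.com.cer" -Encoding Byte -ReadCount 0))
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

# 3. Check the SAN list before binding services; a missing name is the whole
#    reason the certificate is being replaced.
if ($cert.CertificateDomains -notcontains "autodiscover.mydomain.com") {
    throw "Issued certificate does not contain autodiscover.mydomain.com"
}

# 4. Bind the new certificate to the services. This is the step the EMC
#    renewal wizard skipped for the asker; the old cert stays in place so far.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 5. Confirm which thumbprint now carries the services before removing the
#    old certificate (placeholder thumbprint; run last, after verification).
Get-ExchangeCertificate |
    Format-Table Thumbprint, Status, Services, CertificateDomains -AutoSize
# Remove-ExchangeCertificate -Thumbprint "<OLD-THUMBPRINT-PLACEHOLDER>"
```

Step 2 must be repeated on each server that terminates client or SMTP connections; step 5's removal is deliberately commented out so it is only run once the new binding is verified everywhere.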
perolin (Author) commented:
Problem solved:
I had to re-key my certificate at the external certificate issuer.
1. Request a new certificate on the Exchange server with all subdomains
2. Re-key the existing valid certificate with the new fingerprint
3. Download and install the certificate, assign services
Finish.
perolin (Author) commented:
Solved with assistance from https://certs.secureserver.net