Exchange 2010 Certificate
I have an Exchange 2010 environment that is using a GoDaddy issued UCC SSL certificate. I need to add an additional SAN to the certificate which I can do on the GD site then re-key. My question is on the csr side. Do I need to use the Exchange mmc to create a new csr or can I use the IIS mmc? I started the wizard using the Exchange mmc but stopped when asked about the services. What exactly do I need to select here? It is a bit confusing seeing as Exchange is treating it like a new cert and GD seems like they are simply re-issuing the cert with the new SAN.
Can someone explain exactly where I need to do the csr from and what information I need to include in this scenario?
Thanks
Can someone explain exactly where I need to do the csr from and what information I need to include in this scenario?
Thanks
Use this to generate the CSR command to rekey your certificate with new SANs
http://gallery.technet.microsoft.com/Exchange-20072010-and-2013-17a0b52f
http://gallery.technet.microsoft.com/Exchange-20072010-and-2013-17a0b52f
ASKER
Ok so I was able to create the csr using the above tool. I have added the SAN, re-keyed the cert, downloaded, installed and assigned services.
I now need to assign the cert to my other two servers. I have exported the cert to .pfx file. I was able to import to my other exchange 2010 server using the MMC. I did recieve an warning about ssl on the root domain but found a enable-exchangecertificate
'The imported certificate file for server aaabbbccc failed to access for the following reason: Could not find file '\\aaa\bbb\newcertexp.pfx'
I am able to unc to the file location with no problems. I then decided to use powershell and ran the following command:
Import-ExchangeCertificate
When I run the above command i receive the error:
Get-Content : Cannot find path 'C:\SSL\new_cert_export\ne
At line:1 char:49
+ Import-ExchangeCertificate
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\SSL\new_cert_export\ne
+ FullyQualifiedErrorId : PathNotFound,Microsoft.Pow
Cannot bind argument to parameter 'FileData' because it is null.
+ CategoryInfo : InvalidData: (:) [Import-ExchangeCertificat
+ FullyQualifiedErrorId : ParameterArgumentValidatio
+ PSComputerName : aaa.bbb.com
Please advise
I now need to assign the cert to my other two servers. I have exported the cert to .pfx file. I was able to import to my other exchange 2010 server using the MMC. I did recieve an warning about ssl on the root domain but found a enable-exchangecertificate
'The imported certificate file for server aaabbbccc failed to access for the following reason: Could not find file '\\aaa\bbb\newcertexp.pfx'
I am able to unc to the file location with no problems. I then decided to use powershell and ran the following command:
Import-ExchangeCertificate
When I run the above command i receive the error:
Get-Content : Cannot find path 'C:\SSL\new_cert_export\ne
At line:1 char:49
+ Import-ExchangeCertificate
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\SSL\new_cert_export\ne
+ FullyQualifiedErrorId : PathNotFound,Microsoft.Pow
Cannot bind argument to parameter 'FileData' because it is null.
+ CategoryInfo : InvalidData: (:) [Import-ExchangeCertificat
+ FullyQualifiedErrorId : ParameterArgumentValidatio
+ PSComputerName : aaa.bbb.com
Please advise
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
If you using Exchange UCC SSL cert it is ssl cert where you have multiple FDQN names. Minimaly autodiscover.domain.com and FDQN of exchange example mail.domain.com public and same both if you localy have domain.local Based on services you tick. Becouse exchange is scale able is normal that biger company have evry service like smtp on another server so they need to setup them. But basicly if have only one server tick everything without unified comunication to create new crs.
IIS can only create eildcard *.domain.com or single domain like mail.domain.com
But for your scenariou you can simple ask suport to add or remove or change It for you without need new CRS becouse PK and public key will remain same. And then import it back and use asign servicies option.