rstuemke asked:
Cannot Get GoDaddy SSL Certificate Loaded Into Exchange 2010 - HELP!!

Hello, I have had GoDaddy SSL certificates for our Exchange 2010 Server for several years. Have renewed, rekeyed, downloaded and installed them with no problems... ever. However, this year is different... Here is what I did...

Generated a new CSR from Exchange Management Console > NEW EXCHANGE CERTIFICATE
Copied the CSR and pasted it into the box at GoDaddy for the new CSR, saved it and submitted it for reissue
Received the email that the cert was reissued.
Downloaded the zip file.
Extracted files
Imported the intermediate cert using the Certificates MMC, just like always.
Then went to EMC to find the new cert (looked for a PENDING cert) to COMPLETE PENDING REQUEST
Now this is the part where it gets all hosed up......  there is no new cert in the Exchange Certificate window of the EMC
??????
I have walked through the procedure twice with GoDaddy reps on a Chat Request and they have not been able to help. They tell me to contact Microsoft, which is a worthless effort. So, I need some help. Like I said, I have done this numerous times with no problems.
Either I am doing something wrong or else a problem exists somewhere.   Please advise.  Thanks in advance.
Scott C
Try this through the Command Shell.

Get-ExchangeCertificate | fl

See what you have out there.

If you have any "Pending" get rid of them with a Remove-ExchangeCertificate

https://technet.microsoft.com/en-us/library/aa997569(v=exchg.160).aspx

I've seen it where the EMC doesn't show exactly what the PS Command window shows.
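An added example, not code from Scott C's reply or from the thread, that does the inventory he suggests from the Exchange Management Shell and lists any pending requests before anything is removed. It assumes the shell is running on the Exchange 2010 server (the Exchange cmdlets are not available in plain PowerShell) and leaves the Remove-ExchangeCertificate line commented out so nothing is deleted until you have read the output:

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell on the
# Exchange 2010 server (assumed); Get-ExchangeCertificate is not available in plain PowerShell.
$certs = Get-ExchangeCertificate -Server $env:COMPUTERNAME

# One row per certificate. The EMC hides some of these fields; the shell shows them all.
$columns = @(
    @{Name = 'Thumbprint'; Expression = { $_.Thumbprint }},
    @{Name = 'Status';     Expression = { $_.Status }},
    @{Name = 'HasKey';     Expression = { $_.HasPrivateKey }},
    @{Name = 'Services';   Expression = { $_.Services }},
    @{Name = 'Expires';    Expression = { $_.NotAfter.ToString('yyyy-MM-dd') }},
    @{Name = 'Domains';    Expression = { $_.CertificateDomains -join ',' }}
)
$certs | Sort-Object NotAfter | Format-Table $columns -AutoSize

# A PendingRequest entry is the placeholder New-ExchangeCertificate created together with
# the CSR; it holds the private key that "Complete Pending Request" pairs with the
# CA-issued .crt. Remove it only if you intend to generate a fresh CSR and rekey at the CA.
$pending = $certs | Where-Object { "$($_.Status)" -eq 'PendingRequest' }
if (-not $pending) {
    Write-Host 'No pending requests found.'
}
foreach ($p in $pending) {
    Write-Host ('Pending request {0}  {1}' -f $p.Thumbprint, $p.Subject)
    # Uncomment only after confirming the request above is one you will never complete:
    # Remove-ExchangeCertificate -Thumbprint $p.Thumbprint -Confirm:$true
}

# Flag anything expiring within 30 days so the renewal is not left to the last minute.
$certs |
    Where-Object { "$($_.Status)" -ne 'PendingRequest' -and $_.NotAfter -lt (Get-Date).AddDays(30) } |
    ForEach-Object { Write-Warning ('{0} expires {1:yyyy-MM-dd}' -f $_.Thumbprint, $_.NotAfter) }
```

The HasKey column is the one to watch when an issued certificate will not enable: a certificate that shows up in the store without a private key is exactly the state the later part of this thread runs into.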
rstuemke (ASKER)
Did the command.  The only cert showing is the live, current one.  

Now... just a follow-up. I may have done something wrong. When I did the NEW exchange certificate, an entry showed up in the Exchange Certificate window pending completion. I removed that one. Should I have done that?
Seems like I removed them before, since they are not issued by GoDaddy.

This whole problem is a bit bizarre since I have never had problems in the past...
I think you can get around this pretty simply.

First, open the Certificates management console and import the new SSL certificate into the Personal store.

Then, open the Exchange Powershell window and issue the following commands:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path c:\certificates\ExportedCert.pfx -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password

Substitute the path to your certificate in the Path statement and the actual password for the word "password."

Then enable the certificate for the Exchange services:

Enable-ExchangeCertificate -Thumbprint [insert thumbprint from your certificate WITHOUT spaces] -Services POP,IMAP,SMTP,IIS
A couple of questions.....

Is this exporting to the .pfx file, since I do not have one now?  
what password goes in here?  I have no password on my cert that I know of.....
where do I get the thumbprint?

Pardon my ignorance, have used the pretty standard procedure in the past so not familiar with these commands.
Got thumbprint from cert in personal store.... correct?
Actually got it from GoDaddy Cert G2, so that is probably incorrect
Yes - you can get it by double-clicking on the cert in the Personal Store (after importing it of course), on the Details tab.
You will see the correct thumbprint using this command:

Get-ExchangeCertificate | fl

Here are the steps from GoDaddy.

https://www.godaddy.com/help/exchange-server-2010-install-a-certificate-5863

Then enable the certificate with the services you need...not necessarily all of them.
Sorry - missed your other question.  You should have a cert with a private key, regardless of the actual extension that shows on the file you import. Change the file extension to "pfx" if it isn't.  If you created the request from Exchange, it may not require a password.  You can tell if you have a private key when you import the certificate into the Personal store, the icon should have a little key symbol on it.  Also, if you open it to look at the cert (and to get the thumbprint), you should see at the bottom of the general tab that it says:  "You have a private key that corresponds to this certificate." If not, you may have a problem applying it to Exchange, since I'm pretty sure that it is required.
I copied the .crt file and changed the copy name to a .pfx file.   Ran this command:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path I:\CertificateManagement\SSL_Cert_2016\mail.calvaryspringfield.org\4317a66f14e8b99d.pfx -Encoding byte -ReadCount 0))

  Here is the result.

[PS] C:\>Import-ExchangeCertificate -FileData ([Byte[]$(Get-Content -Path "I:\CertificateManagement\SSL_Cert_2016\mail.calvaryspringfield.org\4317a66f14e8b99d.pfx" -Encoding byte -ReadCount 0))
Cannot import certificate. A certificate with the thumbprint 5703FC8C555950A019431DAC3A58678019DCA743 already exists.
    + CategoryInfo          : WriteError: (:) [Import-ExchangeCertificate], InvalidOperationException
    + FullyQualifiedErrorId : AA29D393,Microsoft.Exchange.Management.SystemConfigurationTasks.ImportExchangeCertificate
    + PSComputerName        : 1730w436qps1.calvaryspringfield.org

Thumbprint of current cert imported last year into the personal store
db 50 f9 c2 c4 a9 89 c0 c2 da d9 31 ee ec 28 8b af 39 29 68

Thumbprint of new cert I imported into the Personal Store
57 03 fc 8c 55 59 50 a0 19 43 1d ac 3a 58 67 80 19 dc a7 43

Should I just enable this new one using the new thumbprint???  Please advise.  Thanks.
If it says it already exists, check your Certificates/Personal store and verify that it's there.  If it's there and shows NO private key, then delete it and re-import it. If it's there and shows a private key already present, then try just enabling it for the Exchange services.
OK, sorry for the delay... was on a project last week... so I looked at the details of the cert. Saw nothing about a private key. Deleted it and re-imported again into the Personal Store. Still saw nothing about a private key. When I look at it in the Certificate MMC, there is no key sign on the cert in the personal store. Stuck again...
ASKER CERTIFIED SOLUTION
Hypercat (Deb)
Ran the certutil -repairstore my "xxxxxxxxx" command and got a private key assigned. So far so good.
Then assigned services and replaced it.   Still good.

The only thing is this cert does not have a friendly name.  It is blank.  Does that matter?

It looks good, except for the friendly name.
Yes, the one I had the problem with did the same thing. I don't know why but it works perfectly fine. The friendly name is just a label and doesn't affect the function of the certificate itself.
You don't have to worry about the friendly name.
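An added example, not code from the thread or from the accepted answer, that strings the checks discussed above into one script: it confirms the certificate in the local machine Personal store has a private key, runs certutil -repairstore against it if not (the step that resolved this thread), validates the chain, gives it a friendly name if it has none, and enables it for Exchange services. Assumed: it runs in the Exchange Management Shell as an administrator on the Exchange 2010 server; the default thumbprint is the one posted above and must be replaced with your own; the services list and the friendly name are placeholder values.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell as an
# administrator on the Exchange 2010 server (assumed).
param(
    # Thumbprint as copied from the MMC (spaces and case do not matter). The default is the
    # value posted in this thread and must be replaced with your own.
    [string]$Thumbprint   = '57 03 fc 8c 55 59 50 a0 19 43 1d ac 3a 58 67 80 19 dc a7 43',
    # Enable only the services this server actually offers; placeholder list.
    [string]$Services     = 'IIS,SMTP',
    # The friendly name is a label only; placeholder value.
    [string]$FriendlyName = 'mail GoDaddy 2016'
)

$Thumbprint = ($Thumbprint -replace '\s', '').ToUpper()
$storePath  = "Cert:\LocalMachine\My\$Thumbprint"

if (-not (Test-Path $storePath)) {
    throw "No certificate $Thumbprint in LocalMachine\My. Import the CA-issued .crt there first."
}
$cert = Get-Item $storePath

# A .crt from the CA carries only the public key. The private key was created with the CSR
# and lives in a key container on this machine; certutil -repairstore re-pairs the two when
# that container still exists. It cannot produce a key that was never on this server.
if (-not $cert.HasPrivateKey) {
    Write-Host "No private key bound to $Thumbprint; running certutil -repairstore."
    & certutil.exe -repairstore my $Thumbprint | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed (exit code $LASTEXITCODE)." }
    $cert = Get-Item $storePath
    if (-not $cert.HasPrivateKey) {
        throw 'Still no private key: generate a new CSR with New-ExchangeCertificate and rekey at the CA.'
    }
}

# Chain check against the machine's stores; fails if the CA intermediate is missing or the
# certificate is expired or revoked (Verify() may contact the CA for revocation data).
if (-not $cert.Verify()) {
    Write-Warning 'Chain validation failed; check the Intermediate Certification Authorities store and the clock.'
}

# A friendly name is cosmetic, but setting it through the Cert: provider persists to the
# store and makes the EMC list readable. Leave an existing one alone.
if ([string]::IsNullOrEmpty($cert.FriendlyName)) {
    $cert.FriendlyName = $FriendlyName
}

# Bind the certificate to Exchange. -Confirm:$false suppresses the "replace the default SMTP
# certificate" prompt; drop it if you prefer to be asked.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services $Services -Confirm:$false

# Show the result the way Scott C suggested, restricted to the fields that matter.
Get-ExchangeCertificate -Thumbprint $Thumbprint |
    Format-List Thumbprint, HasPrivateKey, Services, NotBefore, NotAfter, CertificateDomains, FriendlyName
```

If the repair step throws, the key that signed the CSR is not on this server (for example because the CSR was generated on another machine), and the only fix is a new CSR plus a rekey at the CA; no amount of re-importing the .crt will attach a key to it.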
Thanks for your willingness to help. Problems fixed.