browningit
asked on
Exchange 2013 SSL certificates / UCC / external provider set up
Hi all. I've got a complicated situation in which I am trying to cut some costs (and thus implement what some would say is a slightly bad practice). This issue has multiple parts.
I recently did an Exchange 2010 -> 2013 migration. During that migration, I tried to download the GoDaddy UCC and import it into the Exchange 2013 ECP. Each time I tried to import it, the process would finish but it would not show up in the list of available certificates.
Diving into MMC, I could see that the recently imported cert was there, but since Exchange couldn't see it, that was useless to me. I worked around my issue by exporting the EX2010 certificate and importing that into Exchange 2013 (knowing that at some point in the near future I would have to do a new CSR and upload that to GoDaddy etc.). I saved myself the step at the time.
I've got two external web hosts that do white label service (XXXX.domain.com -> a web portal at an external host). The first one, I just emailed the chain and GoDaddy key and they set up the SSL cert. All is working fine.
This second party is giving me issues. I sent them the same data (.crt and the chain cert .p7b). They came back asking me to put it in PFX format (which I did for them using a tool from GitHub). During their import on IIS 8.5, it's claiming that the certificate does not include the private key. Well, no kidding, right?
So my question is: How do I work with them on this? I consider it truly a bad idea to export my private key from the Ex2013 server (assuming that I have done what I spoke about re: CSR and new cert download from GoDaddy) and send it to someone else. Kinda defeats the point of the cert / trust, yes? Further, how was the other party able to complete it when this fellow is having issues? Is there some advice I can lend them, or do I need to do something more?
If I'm indeed having a senior/blond moment, feel free to make fun of me endlessly. It's 5pm local time, I've been going since 5am.
Cheers!
ASKER
The other party in the situation described was required to provide more details. It was pure guessing on my side, and the advice was useful but couldn't be tested thoroughly.
GoDaddy doesn't send a response completion file like they're supposed to, so you can't "complete" a certificate request in IIS or ECP using the stuff they send you. You just have to install the .crt file into the correct store.