

Exchange 2013 SSL certificates / UCC / external provider set up

Posted on 2016-10-24
Medium Priority
Last Modified: 2016-11-02
Hi all.  I've got a complicated situation in which I am trying to cut some costs (and thus implement what some would say is a slightly bad practice).  This issue has multiple parts.

I recently did an Exchange 2010 -> 2013 migration.  During that migration, I tried to download the GoDaddy UCC and import it into the Exchange 2013 ECP.  Each time I tried to import it, the process would finish but it would not show up in the list of available certificates.

Diving into MMC, I could see that the recently imported cert was there, but since Exchange couldn't see it - that was useless to me.  I worked around my issue by exporting the EX2010 certificate and importing that into Exchange 2013 (knowing that at some point in the near future I would have to do a new CSR and upload that to GoDaddy etc.).  I saved myself the step at the time.

I've got two external web hosts that do white label service (XXXX.domain.com -> a web portal at an external host).  The first one, I just emailed the chain and GoDaddy key and they set up the SSL cert.  All is working fine.
This second party is giving me issues.  I sent them the same data (.crt and the chain cert .p7b).  They came back asking me to put it in pfx format (which I did for them using a tool from GitHub).  During their import on IIS 8.5, it's claiming that the certificate does not include the private key.  Well, no kidding, right?

So my question is:  How do I work with them on this?  I consider it truly a bad idea to export my private key from the Ex2013 server (assuming that I have done what I spoke about re: CSR and new cert download from GoDaddy) and send it to someone else.  Kinda defeats the point of the cert / trust yes?  Further, how was the other party able to complete it when this fellow is having issues?  Is there some advice I can lend them, or do I need to do something more?

If I'm indeed having a senior/blond moment, feel free to make fun of me endlessly.  It's 5pm local time, I've been going since 5am.

Question by: browningit
LVL 43

Expert Comment

by: Adam Brown
ID: 41857783
Sounds like the second company is doing things incorrectly. The .CRT file that GoDaddy sends you is a full certificate that includes the private key. The P7B files are there for systems that require intermediary cert advertisement (load balancers, for instance). Usually the only thing you need to do to install a .crt is double click it, click the install option, and install it to the computer's private store. From there it will be available as a certificate. Using the import method in IIS or ECP will corrupt the data presented by the .CRT file GoDaddy sends out. The only time you use PFX files is if you're importing an exported certificate through IIS or Exchange ECP.

GoDaddy doesn't send a response completion file like they're supposed to, so you can't "complete" a certificate request in IIS or ECP using the stuff they send you. You just have to install the .crt file into the correct store.

Accepted Solution

browningit earned 0 total points
ID: 41864413
I'll have to close this ticket leaving it a mystery.  I can't see the other admin's systems, sending them advice on the topic went nowhere.  I instead bought another cert on my own dime to resolve the issue.

For anyone that gets here based on my talk about the Exchange issue - I found a way to resolve that as I rekeyed a cert today:

1) Rekeying your cert or running into the same issue as above during a migration?
2) Hit the 'complete' button in ECP, and note that the status for the certificate does not change (stuck at pending verification even though you completed the process and imported the cert)
3) Go into MMC and load certificates.  Note the serial number of the cert that was most recently imported and has no friendly name.
4) Run Exchange PowerShell and enter this command:  certutil -repairstore my "SerialNumber"     (no spaces required for the serial)
5) Not necessary, but perform an IIS reset
6) Edit the cert in MMC and give it a friendly name if desired
7) Back in ECP, review the certs and note that the correct cert has been added with the new friendly name on another line.  The old cert request marked 'pending' is still there, but not irrelevant.
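
The steps above as a script, added here as an illustration and not part of the original post: it finds certificates in the computer's Personal store that have no linked private key and no friendly name, runs the same certutil -repairstore command, and confirms the key is attached. It assumes an elevated Exchange Management Shell on the server where the CSR was generated; the friendly name is a placeholder.

```powershell
# Added example (not from the original post). Run elevated in the Exchange
# Management Shell on the server that generated the certificate request.

# Step 3: recently imported certificates with no friendly name and no key link.
$orphans = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { -not $_.HasPrivateKey -and [string]::IsNullOrEmpty($_.FriendlyName) } |
    Sort-Object NotBefore -Descending

if (-not $orphans) {
    Write-Host 'No certificate without a private key found; nothing to repair.'
    return
}

$orphans | Format-Table Subject, SerialNumber, Thumbprint, NotBefore, NotAfter -AutoSize

# Assumption: the newest keyless certificate is the one just issued.
# Compare the serial with the table above before continuing.
$cert   = $orphans | Select-Object -First 1
$serial = $cert.SerialNumber          # hex string, no spaces

# Step 4: re-associate the certificate with the key pair created for the CSR.
certutil -repairstore my $serial
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed for serial $serial (exit code $LASTEXITCODE)."
}

# Confirm the repair: the store entry should now report a private key.
$repaired = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
if (-not $repaired.HasPrivateKey) {
    throw "Serial $serial still has no private key; the key pair is not on this server."
}

# Step 6 (optional): friendly name. The value below is a placeholder.
$repaired.FriendlyName = 'Exchange UCC (example name)'

# Step 7: Exchange should now list the certificate.
Get-ExchangeCertificate -Thumbprint $repaired.Thumbprint |
    Format-List Subject, Status, Services, NotAfter
```

If the second check fails, the private key was generated on a different machine, and the certificate has to be repaired there or the request re-issued from this server.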

Author Closing Comment

ID: 41869865
Other party in the situation described was required to provide more details.  It was pure guessing on my side; and the advice was useful but couldn't be tested thoroughly.

Question has a verified solution.
