Tom Monroe

Cannot see pending request for Intermediate Certification after import

Hello,

I'm attempting to load an intermediate certificate on Exchange 2013. I followed the steps outlined and it goes well until I reach "check for pending request status in Exchange Admin Console". In the EAC there are no pending requests for this cert. I verified the certs loaded correctly into the Intermediate Certification Authorities.

Are there any other ways to get pending request to show up or maybe I can import this cert an entirely different way?

Open MMC Console and Certificate Directory
------------------------------------------
Click Start, and then click Run.

Type mmc, and then click OK. The Microsoft Management Console (Console1) window opens.

In the Console1 window, click File, and then select Add/Remove Snap-in.

In the Add or Remove Snap-ins window, select Certificates, and then click Add.

In the Computer Account window, select Computer Account, and then click Next.

In the Select Computer window, select Local Computer, and then click Finish.

In the Add or Remove Snap-ins window, click OK.

In the Console1 window, click + to expand the Certificates (Local Computer) folder on the left.

Right-click Intermediate Certification Authorities, mouse over All Tasks, and then click Import.


Certificate Wizard
------------------

In the Certificate Import Wizard window, click Next.

Click Browse to find the intermediate certificate file.

In the Open window, change the file extension filter to PKCS #7 Certificates (*.spc;*.p7b), select the *_iis_intermediates.p7b file, and then click Open.

In the Certificate Import Wizard window, click Next.

Select Place all certificates in the following store, and then click Browse.

In the Select Certificate Store window, select Intermediate Certification Authorities, and then click OK.

In the Certificate Import Wizard window, click Next.

Click Finish.

Click OK.

Close the Console1 window, and then click No to remove the console settings.


Finalize Install on Exchange 2013
---------------------------------

To Install an SSL Certificate in Microsoft Exchange Server 2013

Log in to the Exchange Admin Center.

From the left menu, select Servers, and then click Certificates.

Select your certificate (it has a “Pending request” status), and then click Complete.

For File to import from, enter the certificate file path we provided (such as \\server\folder\coolexample.crt), and then click OK. Exchange installs your certificate.

In the Certificates section, select your certificate again (the status changed to “Valid”), and then click Edit (pencil icon).

Click Services, select the services to which the certificate applies (SMTP, UM, UM call router, IMAP, POP, and/or IIS), and then click OK. Your certificate is now ready to use with Exchange 2013.
David Johnson, CD

If you upload the certificate there is NO pending request. The only time you get a pending request is when you ask for a certificate and the CA doesn't automatically approve and send the certificate to the requesting computer.
SOLUTION
Jeff Glover
Tom Monroe

ASKER

Thank you fellows, appreciate the help.

So, yes you are right they gave me two files, crt and p7b.

I've only been loading the p7b into the intermediates folder and only on my CAS servers, not the mailbox servers. The Exchange system we have is below, all separate hardware.

CAS1
CAS2
MAILBOX1
MAILBOX2
MAILBOX3
MAILBOX4

With that said do I need to load the p7b into the intermediates folder on the mailbox servers as well or only CAS role servers?

And to understand correctly, I will be the one creating the pending request in EAC by saying New Cert Request, and then once I select my CRT file that Go Daddy sent me it finalizes the request so long as the intermediates are in place?

I appreciate your patience with me, as Exchange is an uphill battle in my head.

Thank you again for your help and clarifications!

Just the CAS servers. Also, it should finalize the request regardless of whether or not you have the intermediates in place. The intermediates are needed so the full chain is available. Not all clients care, but some will consider the cert to be suspect without them. Since I use mainly MultiRole servers and GoDaddy certs, I have the cert and intermediates on all multirole servers. I have one Mailbox-only role server for passive backups and never bothered to put the certs there. Never needed it.
As a note, if you are using the EAC, you complete the certificate request, then export the certificate with the key and import it to the other CAS server. You can easily do this via the EAC. However, adding the p7b chain requires you to use the Certificates MMC for each server.

I just do not see any pending request in my certs list in EAC. I must have done this wrong. Can you tell me what piece I am missing?

I have two certs from GoDaddy, p7b and the crt.

I used MMC on the CAS servers and I've loaded the p7b into the Intermediates Folder using MMC > Certificates

The next part of my directions tells me to go to EAC and I should see a pending request in EAC; I do not see that. Please see picture. What am I missing?
Capture4433.PNG

Make sure the server you selected in the EAC is the same one you created the pending request on. From the EAC, you can select each server.

Maybe that's the part I'm missing: how does one create that pending request in the first place?

In the Exchange Admin Center, select Servers. Then on the top bar, select Certificates. Select the server you want to create the request on and click the + sign. Follow the wizard. Didn't you create the request in the first place? You can create one using PowerShell or in the Certificates MMC, but I wouldn't. (I would in PowerShell, but the MMC? Not for Exchange.)

Oh, that's right! I attempted to create it in the EAC and it failed, then I ended up using PowerShell. At that point I never checked EAC to see if it existed and was in a pending state. I tabled it for downtime; I bet I would have seen at that point it still wasn't showing up. So something is wrong with it showing this request I created using PowerShell. Brutal, I have no idea how to make that appear AFTER you've created a request.
ASKER CERTIFIED SOLUTION
You are the best ever, that was the ticket! Start in PowerShell, end in PowerShell. Have a great day!!
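
The PowerShell-only route the thread ends on, shown as an added example; it is not part of the original posts and is not the accepted solution, whose text is not on this page. Server names CAS1 and CAS2 come from the thread; the local file paths, the IIS,SMTP service choice, and the assumption that the request was created with an exportable private key are placeholders to adjust.

```powershell
# Added example: run in the Exchange Management Shell (Exchange 2013).
$reqServer = 'CAS1'                              # server the request was created on
$otherCas  = 'CAS2'                              # second CAS server from the thread
$crtPath   = '\\server\folder\coolexample.crt'   # issued certificate (path from the steps above)
$p7bPath   = 'C:\certs\intermediates.p7b'        # placeholder path to the intermediates bundle
$pfxPath   = 'C:\certs\exchange-export.pfx'      # placeholder path for the temporary key export

# 1. Confirm the pending request exists on the server it was generated on.
$pending = Get-ExchangeCertificate -Server $reqServer |
    Where-Object { $_.Status -eq 'PendingRequest' }
if (-not $pending) {
    throw "No pending request on $reqServer; check the other servers before importing."
}
$pending | Format-List Thumbprint, Subject, Status

# 2. Add the intermediates to the local machine's Intermediate Certification
#    Authorities store. certutil acts on the machine it runs on, so repeat per CAS.
certutil -addstore CA $p7bPath

# 3. Complete the pending request with the issued .crt file.
$cert = Import-ExchangeCertificate -Server $reqServer `
    -FileData ([System.IO.File]::ReadAllBytes($crtPath))

# 4. Verify the result before binding services: expect Status Valid and a private key.
$check = Get-ExchangeCertificate -Server $reqServer -Thumbprint $cert.Thumbprint
$check | Format-List Thumbprint, Subject, Status, HasPrivateKey, NotAfter
if ($check.Status -ne 'Valid' -or -not $check.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) is not usable yet (Status: $($check.Status))."
}

# 5. Bind the certificate to the services it should protect (example choice).
Enable-ExchangeCertificate -Server $reqServer -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 6. Copy certificate and key to the other CAS server. The PFX holds the private
#    key: protect it with a strong password and delete the file afterwards.
#    Export fails if the request's private key was not marked exportable.
$pfxPassword = Read-Host 'PFX password' -AsSecureString
$export = Export-ExchangeCertificate -Server $reqServer -Thumbprint $cert.Thumbprint `
    -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes($pfxPath, $export.FileData)
try {
    Import-ExchangeCertificate -Server $otherCas -Password $pfxPassword `
        -FileData ([System.IO.File]::ReadAllBytes($pfxPath))
    Enable-ExchangeCertificate -Server $otherCas -Thumbprint $cert.Thumbprint -Services IIS,SMTP
}
finally {
    Remove-Item -Path $pfxPath -Force            # do not leave the key export on disk
}
```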