Exchange 2010 Certificate renewal help!

I'm trying to renew the Exchange certificate for our Exchange 2010 server, which has the IMAP, POP, IIS and SMTP services assigned to it, however the certificate just will not import properly!
Our cert provider is 123-reg and they re-issued the certificate after it auto renewed a few weeks back. This is the process I have done thus far:
- Right-clicked the expiring certificate and selected renew
- Saved the .req file on the desktop.
- Attempted to enter the CSR on the 123-reg re-issue section of the new certificate. It says "Error: Your CSR did not pass our validation check. Please ensure your CSR contains the same information as the original CSR.". Even though it is the same certificate, only renewed.

So I attempted the following method:
- Downloaded the new cert from 123-reg
- Clicked "complete pending request"
- Uploaded the cert downloaded from 123-reg

The new cert entry is stuck saying "This is a pending certificate signing request..."

I have tried everything I can think of to get this working and I am stumped by this, any advice at all?
Thanks.
Dan Appleby (IT Support Engineer) asked:
Jeff Glover (Sr. Systems Administrator) commented:
The key here is the error from your cert provider. I have never used that one, so I'm not sure what is wrong with your CSR, but... I don't bother with renewing the certificate. I normally just request a new one. That way, you can control what is in the request. I would create a new request, fill in the required names and try submitting it.
Once you install the new cert, then just link it to the services.
0
Dan Appleby (IT Support Engineer, author) commented:
Hi Jeff
The certificate has already been created within 123-reg, so would this be done on the Exchange server by clicking "New Exchange certificate" within Server Configuration?

Also, as we have Office 365 and mobile devices connected to the on-prem Exchange (hybrid environment), will this cause them to disconnect and potentially cause issues? This is why I am reluctant to go down that road, and Exchange certificates are not my forte sadly.

Thanks.
Dan.
0
Amit (IT Architect) commented:
Here are all the steps for cert renewal. Just cross-check one more time.
https://www.digicert.com/ssl-certificate-renewal-exchange-2010.htm
0
Jeff Glover (Sr. Systems Administrator) commented:
I think you are missing the point here. Renewing a certificate is a misnomer under most circumstances. A renewed certificate is normally a new certificate with different keys but the same names. No different from getting a new certificate but using the same names. The renew certificate link in Exchange is next to useless in my experience (as with others). When you generate a CSR, you are generating a new private key anyway.
For O365, no, it should cause no issues. As long as the certificate is valid, it should be OK. It has been years since I have worked with 2010, but if I remember right, you never have to copy a cert during the hybrid setup process. The mobile devices should just accept the new cert as long as Android and Apple trust the root. You may get some delays while they accept the new cert, so I suggest assigning the services off hours.
1
Dan Appleby (IT Support Engineer, author) commented:
Hi Jeff
Thank you for the info. I will try creating a new certificate then.
I will feedback the results when I can.
Cheers,
Dan.
0
Amit (IT Architect) commented:
Make sure you get the new cert with its private key.
1
Dan Appleby (IT Support Engineer, author) commented:
Hi Amit
I have tried that solution already, that is the process I followed.
I have re-issued the cert and re-imported it through the renew option again, and have tried to complete it, but it is still hanging on "This is a pending certificate signing request".
I am at a loss here.
0
Jose Gabriel Ortega C (EE Solution Guide, CEO Faru Bonon IT) commented:
Ok just remove that cert.
And start over the process.

So generate the new certificate request from Exchange (you'll get a .req file).
Then re-issue the certificate on the site where you bought the cert.
Download it again (for IIS).
Complete the process and select the newly downloaded certificate.
At the end go to the PowerShell console:
Get-ExchangeCertificate

Note the thumbprint of the certificate and run this:
Get-ExchangeCertificate -thumbprint XXXXX | Enable-ExchangeCertificate -services IIS,SMTP
iisreset

Where XXXXX is the thumbprint you got in the previous step.
0
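The request/re-issue/import/enable cycle Jose describes, written out end to end as an added Exchange Management Shell example. This is not code from the thread or from 123-reg; the host names, organisation, file paths, the set of services and the use of a file-based CA response are assumptions, and it must be run in the Exchange Management Shell (not a plain PowerShell window) on the server that will hold the private key.

```powershell
# Added example (not from the thread). Assumed placeholders: mail.example.com,
# autodiscover.example.com, "Example Ltd" and the C:\certs paths.

# 1. Generate a brand-new request. This creates a new private key in the
#    local machine store and leaves a "pending request" entry that the CA's
#    answer must be matched against later on this same server.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=GB, O=Example Ltd, CN=mail.example.com" `
    -DomainName mail.example.com, autodiscover.example.com `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path C:\certs\mail.example.com.req -Value $csr -Encoding Ascii
# Submit C:\certs\mail.example.com.req to the CA and save the issued
# certificate as C:\certs\mail.example.com.cer before continuing.

# 2. Complete the pending request with the issued certificate. The .cer is
#    read as raw bytes; if the CA returned a PFX you would add -Password.
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content `
    -Path C:\certs\mail.example.com.cer -Encoding Byte -ReadCount 0))

# 3. Pick the newest valid certificate for the name that actually has a
#    private key. A leftover pending request shows Status = PendingRequest
#    and HasPrivateKey = False, which is the symptom from the question.
$cert = Get-ExchangeCertificate |
    Where-Object {
        $_.Subject -like "*CN=mail.example.com*" -and
        $_.HasPrivateKey -and
        $_.Status -eq 'Valid'
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No valid certificate with a private key found for mail.example.com; import did not complete."
}

# 4. Bind the services to the new thumbprint. -Force suppresses the prompt
#    about replacing the default SMTP certificate. Do this off hours, as
#    Jeff suggests, because clients re-negotiate TLS when the cert changes.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -Services IIS, SMTP, POP, IMAP -Force
iisreset

# 5. Confirm what is now bound before removing the old certificate.
Get-ExchangeCertificate | Format-List Thumbprint, Subject, Services, NotAfter, Status
```

The filter in step 3 is the useful check: a certificate that the CA issued for a request generated on a different machine (or for a request that was since deleted) will import but never pair with a private key, and Exchange will keep showing the entry as a pending request, which is exactly what the original renew attempt produced.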
Amit (IT Architect) commented:
Looks like you have some permission issue. I want you to check the MachineKey folder permission. Make sure Administrator has full control and remove System from the root MachineKey folder. The path is C:\ProgramData\Microsoft\Crypto\RSA\Machinekey

Next, under the MachineKey folder you need to check if System has full rights on the files stored in the MachineKey folder. If you are not clear, just share the screenshots.
0
Dan Appleby (IT Support Engineer, author) commented:
Hi All
Thanks for all your responses. In the end I managed to get the certificate in and the services assigned and replaced as default. Now just waiting for the old cert to expire today before I remove the old one.
It turns out 123-reg revoked all the certificates and re-issued new ones, so there were conflicts between them and us. Creating a new cert and req seemed to do the trick.
Dan.
0
Amit (IT Architect) commented:
Thanks for the update. I advise you not to wait for the old cert to expire. That will cause an outage. Best practice: you should switch to the new cert at least 15-30 days in advance. So, in case you have any issue with the new cert, you have time to switch back to the old one and work on troubleshooting the issue with the new cert.
0
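An added Exchange Management Shell example, not from the thread, that turns Amit's 15-30 day rule into a check you can run by hand or from a scheduled task: it lists every certificate that is actually bound to a service and expires within the warning window, so the switch happens while the old certificate is still valid. The 30-day threshold is the assumption here.

```powershell
# Added example (not from the thread). Assumption: a 30-day warning window.
function Get-ExpiringExchangeCertificate {
    param([int]$WarnDays = 30)

    $now    = Get-Date
    $cutoff = $now.AddDays($WarnDays)

    Get-ExchangeCertificate |
        Where-Object {
            # Ignore unfinished requests and certs that are not bound to anything;
            # only a bound certificate causes an outage when it expires.
            $_.Status -ne 'PendingRequest' -and
            $_.Services.ToString() -ne 'None' -and
            $_.NotAfter -le $cutoff
        } |
        Select-Object Thumbprint, Subject, Services, NotAfter,
            @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - $now).TotalDays } } |
        Sort-Object NotAfter
}

$expiring = Get-ExpiringExchangeCertificate -WarnDays 30
if ($expiring) {
    # Non-zero exit code lets a scheduled task or monitoring agent raise an alert.
    $expiring | Format-Table -AutoSize
    Write-Warning "$(@($expiring).Count) bound certificate(s) expire within 30 days; renew and re-bind now."
    exit 1
}
Write-Output "No bound Exchange certificates expire within 30 days."
```

Running this a month before expiry, as the author's calendar reminder intends, also gives you the window Amit describes: the old certificate stays bound and valid while the new one is imported and verified, so you can fall back by re-running Enable-ExchangeCertificate against the old thumbprint if the new one misbehaves.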
Dan Appleby (IT Support Engineer, author) commented:
Hi Amit
I agree. I've put a calendar reminder in a month prior to next year's expiry, so I will be well aware in good time next time round. Crisis averted.
Thanks for all the help everyone!
Dan.
0