Dan Appleby
asked on
Exchange 2010 Certificate renewal help!
I'm trying to renew the exchange certificate for our exchange 2010 server which has the IMAP, POP, IIS and SMTP services assigned to it, however the certificate just will not import properly!
Our cert provider is 123-reg and they re-issued the certificate after it auto renewed a few weeks back. This is the process I have done thus far:
- Right clicked expiring certificate and selected renew
- Saved the .req file on the desktop.
- Attempted to enter the CSR on 123-reg re-issue section of the new certificate. It says "Error: Your CSR did not pass our validation check. Please ensure your CSR contains the same information as the original CSR.". Even though it is the same certificate, only renewed.
So I attempted the following method:
- Downloaded the new cert from 123-reg
- Clicked "complete pending request"
- Uploaded the cert downloaded from 123-reg
The new cert entry is stuck saying "This is a pending certificate signing request..."
I have tried everything I can think of to get this working and I am stumped by this, any advice at all?
Thanks.
ASKER
Hi Jeff
The certificate has already been created within 123-reg, so would this be done on the exchange server by clicking the "New exchange certificate" within Server Configuration?
Also as we have office 365 and mobile devices connected to the on-prem exchange (Hybrid environment), will this cause them to disconnect and potentially cause issues? This is why I am reluctant to go down that road, and exchange certificates are not my forte sadly.
Thanks.
Dan.
Here are all the steps for cert renew. Just cross check one more time.
https://www.digicert.com/ssl-certificate-renewal-exchange-2010.htm
I think you are missing the point here. Renewing a certificate is a misnomer under most circumstances. A renewed certificate is normally a new certificate with different keys but the same names. No different from getting a new certificate but using the same names. The renew certificate link in Exchange is next to useless in my experience (as with others). When you generate a CSR, you are generating a new private key anyway.
For O365, no, it should cause no issues. As long as the Certificate is valid, it should be OK. It has been years since I have worked with 2010 but If I remember right, you never have to copy a cert during the hybrid setup process. The mobile devices should just accept the new cert as long as Android and Apple trust the root. You may get some delays while they accept the new cert so I suggest assigning the services off hours.
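The approach Jeff describes (treat the renewal as a brand-new request rather than using the "Renew" wizard) can be done from the Exchange 2010 Management Shell instead of the console. The following is an added example, not code from this thread; the host names, organisation, file paths and friendly name are assumptions, and the CA submission step in the middle happens outside the shell.

```powershell
# Added example (not from this thread): replace an expiring Exchange 2010
# certificate with a completely new request and key. Names, paths and the
# friendly name below are assumptions; substitute your own.

# 1. Generate a fresh CSR. This also generates a fresh private key, which is why
#    the CA will not accept it as "the same CSR" as the original.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=GB, O=Example Ltd, CN=mail.example.com" `
    -DomainName mail.example.com, autodiscover.example.com `
    -PrivateKeyExportable $true `
    -FriendlyName "mail.example.com (new request)"
Set-Content -Path C:\certs\mail-example-com.req -Value $req

# The pending request is now listed with Status = PendingRequest; keep its thumbprint.
Get-ExchangeCertificate | Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-List Thumbprint, Subject, CertificateDomains, Status

# 2. Submit the contents of the .req file to the CA. When the issued certificate
#    comes back (assumed saved as C:\certs\mail-example-com.cer), complete the
#    request on the SAME server that generated it, so the private key is matched.
$cert = Import-ExchangeCertificate `
    -FileData ([Byte[]]$(Get-Content -Path C:\certs\mail-example-com.cer -Encoding Byte -ReadCount 0))

# A certificate that stays "pending" or has no private key will not work for
# IIS/SMTP/POP/IMAP, so stop here rather than binding services to it.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; it did not match the pending request."
}

# 3. Bind the services in a maintenance window. The SMTP step prompts before
#    replacing the current default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP, POP, IMAP

# 4. Confirm what is bound and when it expires before touching the old certificate.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, NotBefore, NotAfter, CertificateDomains, HasPrivateKey
```

Because the request and the issued certificate are tied together by the private key stored on the server that ran step 1, completing the request on a different server, or after the pending request has been deleted, leaves the entry stuck at "pending" exactly as described in the question.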
ASKER
Hi Jeff
Thank you for the info. I will try creating a new certificate then.
I will feedback the results when I can.
Cheers,
Dan.
Make sure you get new cert with private key.
ASKER
Hi Amit
I have tried that solution already, that is the process I followed.
I have re-issued the cert and re-imported it through the renew option again, and have tried to complete it but it is still hanging on "This is a pending certificate signing request"
I am at a loss here.
ASKER CERTIFIED SOLUTION
Looks like you have some permission issue. I want you to check MachineKey folder permission. Make sure Administrator is having full control and remove system from root Machinekey folder. Path is C:\ProgramData\Microsoft\Crypto\RSA\Machinekey
Next under Machinekey folder you need to check, if system has full rights on files stored in Machinekey folder. If you are not clear, just share the screenshots.
ASKER
Hi All
Thanks for all your responses. In the end I managed to get the certificate in and the services assigned and replaced as default. Now just waiting for the old cert to expire today before I remove the old one.
It turns out 123-reg revoked all the certificates and re-issued new ones so there were conflicts between them and us. Creating a new cert and req seemed to do the trick.
Dan.
Thanks for the update. I advise you not to wait for the old cert to expire. That will cause the outage. Best practice you should switch to new cert at least 15-30 days in advance. So, in case you have any issue with new cert, you have time to switch back to old one and work on troubleshooting issue with new cert.
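Amit's point is that the swap should happen while the old certificate is still valid, which only works if expiry is noticed well in advance. The script below is an added example, not part of this thread, that reports service-bound Exchange 2010 certificates expiring inside a warning window; the 30-day window and the rollback thumbprint placeholder are assumptions.

```powershell
# Added example (not from this thread): flag Exchange 2010 certificates that are
# bound to services and expire within $WarnDays, so the replacement can be
# installed while the old certificate still works. $WarnDays is an assumption.
$WarnDays = 30
$cutoff   = (Get-Date).AddDays($WarnDays)

# Only certificates actually bound to a service (IIS, SMTP, POP, IMAP, ...) matter;
# unbound ones, including stale pending requests, are ignored here.
$expiring = Get-ExchangeCertificate |
    Where-Object { $_.Services -ne 'None' -and $_.NotAfter -le $cutoff } |
    Select-Object Thumbprint, Subject, Services, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays } }

if ($expiring) {
    Write-Warning "Service-bound certificates expiring within $WarnDays days:"
    $expiring | Format-Table -AutoSize
    # Non-zero exit code lets a scheduled task or monitoring job raise an alert.
    exit 1
}

Write-Host "No service-bound certificate expires before $($cutoff.ToShortDateString())."

# Rollback, if the new certificate misbehaves after the swap and the old one is
# still valid: re-enable the old thumbprint (placeholder below) on the same services.
# Enable-ExchangeCertificate -Thumbprint <OLD-CERT-THUMBPRINT> -Services IIS, SMTP, POP, IMAP
```

Run it from the Exchange Management Shell on each server that holds a certificate, or schedule it so the alert arrives before the window Amit suggests rather than on expiry day.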
ASKER
Hi Amit
I agree. I've put a calendar reminder in a month prior to next year's expiry so will be well aware in good time next time round. Crisis averted.
Thanks for all the help everyone!
Dan.
Once you install the new cert, then just link it to the services.