Exchange 2010 Certificate renewal help!

Dan Appleby
I'm trying to renew the Exchange certificate for our Exchange 2010 server, which has the IMAP, POP, IIS and SMTP services assigned to it; however, the certificate just will not import properly!
Our cert provider is 123-reg and they re-issued the certificate after it auto-renewed a few weeks back. This is the process I have done thus far:
- Right-clicked the expiring certificate and selected Renew
- Saved the .req file on the desktop.
- Attempted to enter the CSR in the 123-reg re-issue section of the new certificate. It says "Error: Your CSR did not pass our validation check. Please ensure your CSR contains the same information as the original CSR.", even though it is the same certificate, only renewed.

So I attempted the following method:
- Downloaded the new cert from 123-reg
- Clicked "complete pending request"
- Uploaded the cert downloaded from 123-reg

The new cert entry is stuck saying "This is a pending certificate signing request..."

I have tried everything I can think of to get this working and I am stumped by this, any advice at all?
Thanks.
Jeff Glover, Sr. Systems Administrator

Commented:
The key here is the error from your cert provider. I have never used that one, so I'm not sure what is wrong with your CSR, but I don't bother with renewing the certificate. I normally just request a new one. That way you can control what is in the request. I would create a new request, fill in the required names and try submitting it.
Once you install the new cert, just link it to the services.
Dan Appleby, IT Support Engineer

Author

Commented:
Hi Jeff
The certificate has already been created within 123-reg, so would this be done on the Exchange server by clicking "New Exchange Certificate" within Server Configuration?

Also, as we have Office 365 and mobile devices connected to the on-prem Exchange (hybrid environment), will this cause them to disconnect and potentially cause issues? This is why I am reluctant to go down that road, and Exchange certificates are not my forte, sadly.

Thanks.
Dan.
Amit, IT Architect
Distinguished Expert 2017

Commented:
Here are all the steps for a cert renewal. Just cross-check one more time.
https://www.digicert.com/ssl-certificate-renewal-exchange-2010.htm
Jeff Glover, Sr. Systems Administrator

Commented:
I think you are missing the point here. Renewing a certificate is a misnomer under most circumstances. A renewed certificate is normally a new certificate with different keys but the same names, no different from getting a new certificate using the same names. The Renew Certificate link in Exchange is next to useless in my experience (as with others). When you generate a CSR, you are generating a new private key anyway.
For O365, no, it should cause no issues. As long as the certificate is valid, it should be OK. It has been years since I have worked with 2010, but if I remember right, you never have to copy a cert during the hybrid setup process. The mobile devices should just accept the new cert as long as Android and Apple trust the root. You may get some delays while they accept the new cert, so I suggest assigning the services out of hours.
Dan Appleby, IT Support Engineer

Author

Commented:
Hi Jeff
Thank you for the info. I will try creating a new certificate then.
I will feed back the results when I can.
Cheers,
Dan.
Amit, IT Architect
Distinguished Expert 2017

Commented:
Make sure you get the new cert with the private key.
Dan Appleby, IT Support Engineer

Author

Commented:
Hi Amit
I have tried that solution already; that is the process I followed.
I have re-issued the cert and re-imported it through the renew option again, and have tried to complete it, but it is still hanging on "This is a pending certificate signing request".
I am at a loss here.
Top Rated Freelancer on MS Technologies
Awarded 2018
Distinguished Expert 2018
Commented:
OK, just remove that cert and start the process over.

So: generate a new certificate request from Exchange (you'll get a .req file).
Then re-issue the certificate on the site where you bought the cert.
Download it again (for IIS).
Complete the process and select the newly downloaded certificate.
At the end, go to the PowerShell console:

Get-ExchangeCertificate

Note the thumbprint of the certificate and run this:

Get-ExchangeCertificate -Thumbprint XXXXX | Enable-ExchangeCertificate -Services IIS,SMTP
iisreset

where XXXXX is the thumbprint you got in the previous step.
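The procedure above, written out as an added example for the Exchange 2010 Management Shell; this is not the thread's own script. It adds the checks that explain a request that stays "pending": the pending entry must still exist before the CA's file is imported, and the imported certificate must own a private key before anything is bound to it. It also binds IMAP and POP as well as IIS and SMTP, since the server in question serves all four, where the command above binds only two. Hostnames, the organisation in the subject, file paths and the friendly name are assumptions.

```powershell
# Added example (not from the thread): request, complete and bind a renewal
# certificate on Exchange 2010 with the checks that explain a stuck pending request.
# Hostnames, organisation, paths and friendly name below are assumptions.
$reqPath = 'C:\certs\mail-renewal.req'   # CSR to paste into the CA's re-issue form
$cerPath = 'C:\certs\mail-renewal.cer'   # signed certificate downloaded from the CA
$server  = $env:COMPUTERNAME

# 1. A new request means a new private key. Put every name the services need in
#    -DomainName; the CA compares names and subject with the original order, so
#    keep them identical to the certificate being replaced.
$csr = New-ExchangeCertificate -Server $server -GenerateRequest `
    -FriendlyName 'mail.example.com renewal' `
    -SubjectName 'CN=mail.example.com,O=Example Ltd,L=London,C=GB' `
    -DomainName mail.example.com,autodiscover.example.com `
    -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path $reqPath -Value $csr -Encoding Ascii

# 2. The pending entry is what holds the private key the CSR was made with. If it
#    is gone (deleted, or the CA signed a different CSR), the download can never
#    complete it: stop here and repeat step 1 rather than importing anyway.
$pending = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Status -eq 'PendingRequest' }
if (-not $pending) { throw 'No pending request on this server; generate a new CSR first.' }

# --- submit $reqPath to the CA and save the signed certificate as $cerPath ---

# 3. Complete the request. Import-ExchangeCertificate matches the file's public
#    key against the pending request and returns the completed certificate.
$bytes = [Byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0)
$new   = Import-ExchangeCertificate -Server $server -FileData $bytes

# 4. Never bind a certificate without a private key: that is what a certificate
#    issued against some other CSR looks like, and binding it breaks the services.
$new = Get-ExchangeCertificate -Server $server -Thumbprint $new.Thumbprint
if (-not $new.HasPrivateKey) {
    throw "$($new.Thumbprint) has no private key; the CA did not sign this server's pending request."
}
if ($new.NotAfter -lt (Get-Date).AddDays(1)) { throw 'Issued certificate is already expiring.' }

# 5. Remember what IIS is currently bound to, then bind every service the old
#    certificate served. -Force answers the default-SMTP-certificate prompt.
$old = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Thumbprint -ne $new.Thumbprint -and "$($_.Services)" -match 'IIS' }
Enable-ExchangeCertificate -Server $server -Thumbprint $new.Thumbprint `
    -Services IMAP,POP,IIS,SMTP -Force

# 6. Make the services pick up the new binding; POP and IMAP read it at start.
iisreset
Restart-Service MSExchangePOP3, MSExchangeIMAP4

# 7. Keep the old certificate until a client has been seen using the new one,
#    then remove it by thumbprint (uncomment once verified).
Get-ExchangeCertificate -Server $server |
    Format-Table Thumbprint, Status, HasPrivateKey, Services, NotAfter -AutoSize
# Remove-ExchangeCertificate -Server $server -Thumbprint $old.Thumbprint -Confirm:$false
```

Step 4 is the check worth keeping even when the rest is done from the console: a certificate that imports but reports HasPrivateKey as False has not completed the pending request, no matter what the GUI shows, and the fix is a fresh CSR re-issued at the CA, not a permissions change.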
Amit, IT Architect
Distinguished Expert 2017

Commented:
Looks like you have some permission issue. I want you to check the MachineKeys folder permissions. Make sure Administrator has full control, and remove System from the root MachineKeys folder. The path is C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

Next, under the MachineKeys folder you need to check if System has full rights on the files stored in the MachineKeys folder. If you are not clear, just share the screenshots.
Dan Appleby, IT Support Engineer

Author

Commented:
Hi All
Thanks for all your responses. In the end I managed to get the certificate in and the services assigned and replaced as default. Now I'm just waiting for the old cert to expire today before I remove the old one.
It turns out 123-reg revoked all the certificates and re-issued new ones, so there were conflicts between them and us. Creating a new cert and req seemed to do the trick.
Dan.
Amit, IT Architect
Distinguished Expert 2017

Commented:
Thanks for the update. I advise you not to wait for the old cert to expire; that will cause an outage. Best practice is to switch to the new cert at least 15-30 days in advance, so in case you have any issue with the new cert you have time to switch back to the old one and work on troubleshooting the issue with the new cert.
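An added example of the lead-time check this advice implies, not from the thread: it reports which certificate each Exchange service is bound to and flags any bound certificate inside the renewal window, so a scheduled task can raise the reminder instead of a calendar entry. The 30-day default and the server name are assumptions.

```powershell
# Added example (not from the thread): which certificate each service is bound to,
# and which bound certificates fall inside the renewal lead time. Assumes the
# Exchange 2010 Management Shell; server name and 30-day window are assumptions.
function Get-ExchangeCertificateStatus {
    param(
        [int]$LeadDays = 30,
        [string]$Server = $env:COMPUTERNAME
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($LeadDays)
    Get-ExchangeCertificate -Server $Server |
        # Unbound certificates and stale pending requests show Services = None;
        # they cannot cause an outage, so they are left out of the report.
        Where-Object { "$($_.Services)" -ne 'None' } |
        ForEach-Object {
            $daysLeft = [int]($_.NotAfter - $now).TotalDays
            if ($_.NotAfter -lt $cutoff) { $action = 'RENEW NOW' } else { $action = 'ok' }
            New-Object PSObject -Property @{
                Action     = $action
                DaysLeft   = $daysLeft
                Services   = "$($_.Services)"
                Status     = "$($_.Status)"
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
            }
        } | Sort-Object NotAfter
}

# Anything marked RENEW NOW still has a bound service and less than $LeadDays to
# run; a bound certificate whose Status is not Valid needs attention regardless.
Get-ExchangeCertificateStatus -LeadDays 30 |
    Format-Table Action, DaysLeft, Status, Services, Thumbprint, Subject -AutoSize
```

Run it after a renewal as well: the old certificate should then show Services = None (and drop out of the report) while the new one carries IMAP, POP, IIS and SMTP, which is the quickest way to confirm the swap actually happened before the old one is removed.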
Dan Appleby, IT Support Engineer

Author

Commented:
Hi Amit
I agree. I've put a calendar reminder in a month prior to next year's expiry, so I will be well aware in good time next time round. Crisis averted.
Thanks for all the help everyone!
Dan.
