asked on Re-use 2010 hybrid exchange server certificate on new 2016 hybrid server
I'm in the midst of migrating a 2010 Hybrid server to a 2016 server. Server and exchange 2016 install has been done. getting to the part where i need to run the wizard on the 16 server. can i reuse the cert on the 2010 server and export / import onto the new server? Best way to do that?
Thank you,
Yes you can use the same certificate but remember that hybrid requires "autodiscover.domain.com" SAN entry and host A record pointing to exchange 2016 public IP.
Haven't done a cert export in a while. Do you have a quick walk through to get me started?
Thanks
Step 4: Importing your backup .pfx file to Exchange 2016:
- Open the Microsoft Management Console (MMC).
- On the left pane, click Certificates.
- On the right pane, double-click Personal.
- On the right pane, right-click Certificates and select All Tasks > Import (this opens the Certificate Import Wizard). Click Next.
- Browse to the PKCS#12 (.pfx) file that you want to import and click Next.
- Enter the password used to secure the certificate for export and then click OK.
- To export the certificate again from this computer, select Mark the key as exportable.
- Select the option Automatically select the certificate store based on the type of certificate. (This ensures all the certificates in the certification path (Root, Intermediate, and Server) are stored in the proper place. Problems may occur if a certificate is placed in the wrong store.) Click Next.
- Click Finish. A message confirms successful import. Click OK. You should now see your certificate under the Personal Certificates store in MMC
Or is it a permission issue?
This problem occurs because the System and Administrator accounts do not have sufficient permissions or the Administrators group does not have ownership of the directory drive:\Documents and Settings\userName\Application Data\Microsoft\Crypto\RSA folder or the private key file.
Solution
The Systems/Server Administrator can reset the permissions on the private key and gain full permission.
Note: In order to view these hidden files you must turn on the Display hidden files and folders option in Windows. To display hidden files and folders, perform the following steps:
1. Click Start > Control Panel > Folder Options.
2. On the View tab, under Hidden files and folders, click Show hidden files and folders.
To reset the permissions and gain full permission on these key use the following steps:
Open Microsoft Windows Explorer
Locate the drive:\Documents and Settings\user_profile\Application Data\Microsoft\Crypto folder
Note: The private key could be in any profile and not only the Administrator. The following steps may need to be done on all profiles.
Double-click RSA folder.
Double-click Machine Keys folder.
Note: There should be many files in here, all of them could be the private key in question. The following steps may need to be done on all files in this folder.
Right-click on every private key file in this folder and open with Notepad.
Locate the file that cannot be opened. The error message is Access is Denied.
Right-Click the file > Properties.
Select Full Control.
You may have to reissue the certificate with private key exportable is true.
Please use this CSR command generator.
https://www.experts-exchange.com/articles/28662/Easy-CSR-creation-Exchange-2007-2010-and-2013.html
If my above troubleshooting does not work, then yes re-issue.
Yes you can export from 2010 and import in 2016.