
Re-use 2010 hybrid exchange server certificate on new 2016 hybrid server

I had this question after viewing Add a second Exchange hybrid server.

I'm in the midst of migrating a 2010 Hybrid server to a 2016 server. Server and Exchange 2016 install has been done. Getting to the part where I need to run the wizard on the 2016 server. Can I reuse the cert on the 2010 server and export/import onto the new server? Best way to do that?

Thank you,

MASEE (Solution Guide - Technical Dept Head, Most Valuable Expert 2017) commented:
--> Can I reuse the cert on the 2010 server and export/import onto the new server?
Yes, you can export from 2010 and import in 2016.
Saif Shaikh (Server engineer) commented:

Yes, you can use the same certificate, but remember that hybrid requires an "autodiscover.domain.com" SAN entry and a host A record pointing to the Exchange 2016 public IP.
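A pre-flight check for the two requirements above, as an added example that is not part of the thread: it reads the certificate from the local machine store, lists the DNS names it covers (SAN plus the subject CN), confirms autodiscover.&lt;domain&gt; is among them, and resolves the autodiscover name to compare it with the new server's public IP. The thumbprint, domain and IP are placeholders you supply; it assumes PowerShell 3.0 or later and an English OS locale (the SAN extension is rendered as "DNS Name=...").

```powershell
# Added example, not part of the thread: pre-flight check of the certificate
# before moving it. Thumbprint, domain and IP are placeholders you supply.
# SAN parsing assumes an English OS locale (extension renders as "DNS Name=...").
function Get-CertificateDnsNames {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # OID 2.5.29.17 = Subject Alternative Name
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\r\n,]+)') |
                  ForEach-Object { $_.Groups[1].Value.Trim().ToLower() }
    }
    # The subject CN is still honoured by older clients, so count it as well
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim().ToLower() }
    $names | Sort-Object -Unique
}

function Test-HybridCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Domain,      # e.g. 'domain.com' as in the thread
        [string]$ExpectedPublicIp,                  # public IP of the Exchange 2016 server, if known
        [string[]]$ExtraNames = @()                 # other external names you publish (assumption)
    )
    $cert  = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $names = @(Get-CertificateDnsNames -Cert $cert)
    $required = @("autodiscover.$Domain") + $ExtraNames

    # A wildcard entry (*.domain.com) covers exactly one extra label, nothing deeper
    $coverage = foreach ($r in $required) {
        $r = $r.ToLower()
        $hit = $names | Where-Object {
            $_ -eq $r -or ($_.StartsWith('*.') -and $r -like $_ -and
                           ($r.Split('.').Count -eq $_.Split('.').Count))
        }
        [pscustomobject]@{ Name = $r; Covered = [bool]$hit }
    }

    # Where does autodiscover.<domain> currently resolve? Compare with the new public IP
    $resolved = @()
    try   { $resolved = @([System.Net.Dns]::GetHostAddresses("autodiscover.$Domain") |
                          ForEach-Object { $_.IPAddressToString }) }
    catch { $resolved = @("unresolved: $($_.Exception.Message)") }

    [pscustomobject]@{
        Subject           = $cert.Subject
        NotAfter          = $cert.NotAfter
        Expired           = $cert.NotAfter -lt (Get-Date)
        HasPrivateKey     = $cert.HasPrivateKey
        DnsNames          = $names
        RequiredCoverage  = $coverage
        AutodiscoverIPs   = $resolved
        PointsAtNewServer = if ($ExpectedPublicIp) { $resolved -contains $ExpectedPublicIp } else { 'not checked' }
    }
}

# Usage (placeholders):
# Test-HybridCertificate -Thumbprint 'REPLACE_WITH_THUMBPRINT' -Domain 'domain.com' -ExpectedPublicIp '203.0.113.10'
```

Run it on the 2010 server before exporting; a certificate with `HasPrivateKey` false or `Expired` true is not worth moving, and a `Covered` false on autodiscover means the hybrid wizard will fail regardless of how cleanly the export goes.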



Anthony Cardullo (System Administrator, Author) commented:

That's a relief, and "Autodiscover" and the A record will be re-pointed.
Haven't done a cert export in a while. Do you have a quick walk-through to get me started?

Thanks
Saif Shaikh (Server engineer) commented:

You may follow the information below:

Step 1: Create an MMC snap-in for managing certificates on the Exchange 2010 system:

  1. Start > Run > MMC.
  2. Go into the Console tab > File > Add/Remove Snap-in.
  3. Click on Add > click on Certificates and click on Add.
  4. Choose Computer Account > Next.
  5. Choose Local Computer > Finish.
  6. Close the Add Standalone Snap-in window.
  7. Click on OK at the Add/Remove Snap-in window.

Step 2: Export/back up the certificate to a .pfx file:

  1. In MMC, double-click on Certificates (Local Computer) in the center window.
  2. Double-click on the Personal folder, and then on Certificates.
  3. Right-click on the certificate you would like to back up and choose All Tasks > Export.
  4. Follow the Certificate Export Wizard to back up your certificate to a .pfx file.
  5. Choose "Yes, export the private key".
  6. Choose "Include all certificates in the certification path if possible" (do NOT select the "Delete the private key" option).
  7. Enter a password you will remember.
  8. Choose to save the file in a set location.
  9. Click Finish.
  10. You will receive the message "The export was successful." > Click OK.
    The .pfx file backup is now saved in the location you selected and is ready to be moved or stored for safe keeping.

Step 3: Creating an MMC certificate snap-in on the Exchange 2013 system:

  1. Start > Run > MMC.
  2. Go into the Console tab > File > Add/Remove Snap-in.
  3. Click on Add > click on Certificates and click on Add.
  4. Choose Computer Account > Next.
  5. Choose Local Computer > Finish.
  6. Close the Add Standalone Snap-in window.
  7. Click on OK at the Add/Remove Snap-in window.

Saif Shaikh (Server engineer) commented:

Step 4: Importing your backup .pfx file to Exchange 2016:

  1. Open the Microsoft Management Console (MMC).
  2. On the left pane, click Certificates.
  3. On the right pane, double-click Personal.
  4. On the right pane, right-click Certificates and select All Tasks > Import (this opens the Certificate Import Wizard). Click Next.
  5. Browse to the PKCS#12 (.pfx) file that you want to import and click Next.
  6. Enter the password used to secure the certificate for export and then click OK.
  7. To export the certificate again from this computer, select Mark the key as exportable.
  8. Select the option Automatically select the certificate store based on the type of certificate. (This ensures all the certificates in the certification path (Root, Intermediate, and Server) are stored in the proper place. Problems may occur if a certificate is placed in the wrong store.) Click Next.
  9. Click Finish. A message confirms successful import. Click OK. You should now see your certificate under the Personal Certificates store in MMC.

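The same export and import as a script, as an added example that is not part of the thread. It uses the .NET X509 classes rather than the MMC wizard so the steps are repeatable: on the 2010 server it exports the leaf with its private key plus every issuer the chain builder finds (the "Include all certificates in the certification path" option), and on the 2016 server it imports the PFX and places each certificate in the store matching its type (the "Automatically select the certificate store" option), keeping the key exportable unless you say otherwise. Thumbprint, file path and password are placeholders; `Enable-ExchangeCertificate` is the real Exchange Management Shell cmdlet but is only shown in the usage comment.

```powershell
# Added example, not part of the thread: move a certificate with its private key
# and chain from Exchange 2010 to Exchange 2016 with the .NET X509 classes.
# Thumbprint, path and password are placeholders; assumes PowerShell 3.0 or later.
function ConvertTo-PlainText {
    param([Parameter(Mandatory)][SecureString]$Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Step 2 equivalent, run on the Exchange 2010 server.
function Export-CertificateWithChain {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][SecureString]$Password
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store." }

    # Build the issuer path locally; revocation is irrelevant for an export
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)

    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    [void]$bundle.Add($cert)                          # the leaf, carrying the private key
    $chain.ChainElements | Select-Object -Skip 1 |    # intermediates and root, if found
        ForEach-Object { [void]$bundle.Add($_.Certificate) }

    # Export throws if the key is not exportable: that is the grayed-out case later in the thread
    $bytes = $bundle.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx,
                            (ConvertTo-PlainText $Password))
    [IO.File]::WriteAllBytes($PfxPath, $bytes)
    Get-Item -Path $PfxPath
}

# Step 4 equivalent, run on the Exchange 2016 server.
function Import-CertificateWithChain {
    param(
        [Parameter(Mandatory)][string]$PfxPath,
        [Parameter(Mandatory)][SecureString]$Password,
        [switch]$NotExportable     # default keeps the key exportable ("Mark the key as exportable")
    )
    $flags = 'MachineKeySet, PersistKeySet'
    if (-not $NotExportable) { $flags += ', Exportable' }

    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import($PfxPath, (ConvertTo-PlainText $Password),
                   [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]$flags)

    foreach ($c in $bundle) {
        # Leaf with key -> Personal; self-signed -> Trusted Root; anything else -> Intermediate CA
        $storeName = if ($c.HasPrivateKey)             { 'My' }
                     elseif ($c.Subject -eq $c.Issuer) { 'Root' }
                     else                              { 'CA' }
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadWrite')
        $store.Add($c)          # no-op if already present
        $store.Close()
        [pscustomobject]@{ Store = $storeName; Subject = $c.Subject; Thumbprint = $c.Thumbprint }
    }
}

# Usage (placeholders):
# On 2010:
#   $pw = Read-Host -Prompt 'PFX password' -AsSecureString
#   Export-CertificateWithChain -Thumbprint 'REPLACE_WITH_THUMBPRINT' -PfxPath 'D:\hybrid.pfx' -Password $pw
# On 2016, after copying the PFX over an authenticated channel (e.g. an admin share):
#   Import-CertificateWithChain -PfxPath 'D:\hybrid.pfx' -Password $pw
#   Enable-ExchangeCertificate -Thumbprint 'REPLACE_WITH_THUMBPRINT' -Services IIS,SMTP   # Exchange Management Shell
```

The PFX holds the private key protected only by the password you chose, so treat it like the key itself: copy it once, assign the services on 2016, then delete the file from both servers and any staging share.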

Anthony Cardullo (System Administrator, Author) commented:

Ah shoot, my cert export has the "export private key" option grayed out. Guess I'll have to re-issue it.

Or is it a permission issue?
Saif Shaikh (Server engineer) commented:

This problem occurs because the System and Administrator accounts do not have sufficient permissions or the Administrators group does not have ownership of the directory drive:\Documents and Settings\userName\Application Data\Microsoft\Crypto\RSA  folder or the private key file.

Solution
The Systems/Server Administrator can reset the permissions on the private key and gain full permission.

Note: In order to view these hidden files you must turn on the Display hidden files and folders option in Windows. To display hidden files and folders, perform the following steps:

1.  Click Start > Control Panel > Folder Options.
2.  On the View tab, under Hidden files and folders, click Show hidden files and folders.

To reset the permissions and gain full permission on these keys, use the following steps:

  1. Open Microsoft Windows Explorer.
  2. Locate the drive:\Documents and Settings\user_profile\Application Data\Microsoft\Crypto folder.
     Note: The private key could be in any profile and not only the Administrator's. The following steps may need to be done on all profiles.
  3. Double-click the RSA folder.
  4. Double-click the MachineKeys folder.
     Note: There should be many files in here; any of them could be the private key in question. The following steps may need to be done on all files in this folder.
  5. Right-click on every private key file in this folder and open it with Notepad.
  6. Locate the file that cannot be opened. The error message is "Access is denied".
  7. Right-click the file > Properties.
  8. Select Full Control.
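The same diagnosis scripted, as an added example that is not part of the thread. It opens the key container behind the certificate and reports which of the two causes of a grayed-out "export the private key" option you have: if the key cannot be opened at all, it falls back to the method above (find the files under MachineKeys that the current account cannot read, and with `-FixAcl` grant Administrators full control on them); if it can be opened, it reads the container's Exportable flag, since a key generated non-exportable stays non-exportable whatever the ACL says. On Windows Server 2008 and later, machine keys live under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, which is the path used below. Run it from an elevated prompt; the thumbprint is a placeholder, and it assumes a CAPI (RSA CSP) key, which is what an Exchange-generated CSR produces.

```powershell
# Added example, not part of the thread: is the grayed-out export an ACL problem
# or a non-exportable key? Thumbprint is a placeholder; run elevated; PowerShell 3.0+.
function Test-PrivateKeyExportability {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [switch]$FixAcl        # grant BUILTIN\Administrators full control on locked key files
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $r = [ordered]@{ Thumbprint = $Thumbprint; HasPrivateKey = $cert.HasPrivateKey
                     KeyFile = $null; Exportable = $null; Verdict = $null }

    if (-not $cert.HasPrivateKey) {
        $r.Verdict = 'No private key is linked to this certificate: re-issue from a new CSR.'
        return [pscustomobject]$r
    }

    $key = $null
    try   { $key = $cert.PrivateKey }     # throws "Access is denied" / "Keyset does not exist" when unreadable
    catch {
        $reason = $_.Exception.Message
        # Fall back to the thread's method: which files under MachineKeys can this account not open?
        $dir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
        $locked = @(foreach ($f in Get-ChildItem -Path $dir -File -Force) {
            try { $s = [IO.File]::OpenRead($f.FullName); $s.Close() }
            catch [System.UnauthorizedAccessException] { $f.FullName }
        })
        if ($FixAcl) {
            # Scripted form of Properties > Security > Full Control for Administrators
            foreach ($f in $locked) { & icacls.exe $f /grant 'BUILTIN\Administrators:F' | Out-Null }
        }
        $r.KeyFile = $locked
        $r.Verdict = "Cannot open the key ($reason). Locked candidate files listed; rerun after fixing ACLs."
        return [pscustomobject]$r
    }
    if ($null -eq $key) {
        $r.Verdict = 'Key is not a CAPI RSA key (CNG); this check does not apply.'
        return [pscustomobject]$r
    }

    $info = $key.CspKeyContainerInfo
    $r.Exportable = $info.Exportable
    if ($info.MachineKeyStore) {
        $r.KeyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
    }
    $r.Verdict = if ($info.Exportable) { 'Key is exportable: the wizard should offer "Yes, export the private key".' }
                 else { 'Key was generated non-exportable: ACL changes will not help; re-issue with an exportable key.' }
    [pscustomobject]$r
}

# Usage (placeholder thumbprint):
# Test-PrivateKeyExportability -Thumbprint 'REPLACE_WITH_THUMBPRINT'
# Test-PrivateKeyExportability -Thumbprint 'REPLACE_WITH_THUMBPRINT' -FixAcl
```

The MMC wizard runs under your own logon token, so it is your account (or Administrators, once you are elevated) that needs read access to the key file; if the script reports `Exportable` false there is nothing to fix on the file system and re-issuing is the only route.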

MASEE (Solution Guide - Technical Dept Head, Most Valuable Expert 2017) commented:

--> Ah shoot, my cert export has the "export private key" option grayed out. Guess I'll have to re-issue it.
You may have to reissue the certificate with "private key exportable" set to true.
Please use this CSR command generator.
https://www.experts-exchange.com/articles/28662/Easy-CSR-creation-Exchange-2007-2010-and-2013.html
Saif Shaikh (Server engineer) commented:

If my above troubleshooting does not work, then yes re-issue.