Anthony Cardullo asked:

Re-use 2010 hybrid exchange server certificate on new 2016 hybrid server

I had this question after viewing Add a second Exchange hybrid server.

I'm in the midst of migrating a 2010 Hybrid server to a 2016 server. Server and Exchange 2016 install has been done. Getting to the part where I need to run the wizard on the 16 server. Can I reuse the cert on the 2010 server and export / import onto the new server? Best way to do that?

Thank you,
M A:

-->can i reuse the cert on the 2010 server and export / import onto the new server?  
Yes you can export from 2010 and import in 2016.

Yes, you can use the same certificate, but remember that hybrid requires "" SAN entry and host A record pointing to Exchange 2016 public IP.

Anthony Cardullo:

That's a relief and "Autodiscover" and A record will be re-pointed.  
Haven't done a cert export in a while.  Do you have a quick walk through to get me started?

Saif Shaikh:


Step 4: Importing your backup .pfx file to Exchange 2016:

  1. Open the Microsoft Management Console (MMC).
  2. On the left pane, click Certificates.
  3. On the right pane, double-click Personal.
  4. On the right pane, right-click Certificates and select All Tasks > Import (this opens the Certificate Import Wizard). Click Next.
  5. Browse to the PKCS#12 (.pfx) file that you want to import and click Next.
  6. Enter the password used to secure the certificate for export and then click OK.
  7. To export the certificate again from this computer, select Mark the key as exportable.
  8. Select the option Automatically select the certificate store based on the type of certificate. (This ensures all the certificates in the certification path (Root, Intermediate, and Server) are stored in the proper place. Problems may occur if a certificate is placed in the wrong store.) Click Next.
  9. Click Finish. A message confirms successful import. Click OK. You should now see your certificate under the Personal Certificates store in MMC.

Ah shoot, my cert export has the "export private key" option grayed out. Guess I'll have to re-issue it.

Or is it a permission issue?

This problem occurs because the System and Administrator accounts do not have sufficient permissions or the Administrators group does not have ownership of the directory drive:\Documents and Settings\userName\Application Data\Microsoft\Crypto\RSA folder or the private key file.

The Systems/Server Administrator can reset the permissions on the private key and gain full permission.

Note: In order to view these hidden files you must turn on the Display hidden files and folders option in Windows. To display hidden files and folders, perform the following steps:

1.  Click Start > Control Panel > Folder Options.
2.  On the View tab, under Hidden files and folders, click Show hidden files and folders.

To reset the permissions and gain full permission on these keys, use the following steps:

1.  Open Microsoft Windows Explorer.
2.  Locate the drive:\Documents and Settings\user_profile\Application Data\Microsoft\Crypto folder.
    Note: The private key could be in any profile and not only the Administrator. The following steps may need to be done on all profiles.
3.  Double-click RSA folder.
4.  Double-click Machine Keys folder.
    Note: There should be many files in here, all of them could be the private key in question. The following steps may need to be done on all files in this folder.
5.  Right-click on every private key file in this folder and open with Notepad.
6.  Locate the file that cannot be opened. The error message is Access is Denied.
7.  Right-click the file > Properties.
8.  Select Full Control.

-->ah shoot,  my cert export has the "export private key" option grayed out.  guess ill have to re-issue it.
You may have to reissue the certificate with private key exportable set to true.
Please use this CSR command generator.

If my above troubleshooting does not work, then yes re-issue.
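
The export/import discussed in this thread can also be scripted from the Exchange Management Shell, including a check of the exportable flag that the grayed-out "export private key" option reflects. This is an added example, not code from any poster in the thread; the path `C:\Temp\hybrid.pfx`, the subject filter `mail.contoso.example` and the choice of the IIS and SMTP services are assumptions to replace with your own values.

```powershell
# Added example (not from the thread). Run each part in the Exchange Management
# Shell on the server named. Path, subject filter and services are placeholders.

# --- Part 1: on the Exchange 2010 hybrid server ---
$pfxPath = 'C:\Temp\hybrid.pfx'                          # hypothetical path
$cert = @(Get-ExchangeCertificate |
    Where-Object { $_.Subject -like '*mail.contoso.example*' })   # hypothetical subject
if ($cert.Count -ne 1) { throw "Expected exactly one matching certificate, found $($cert.Count)." }
$cert = $cert[0]

# Show what is about to move, including the SAN list and the exportable flag.
$cert | Format-List Thumbprint, Subject, CertificateDomains, NotAfter,
    HasPrivateKey, PrivateKeyExportable

# A key that was not marked exportable cannot be written to a .pfx;
# stop here instead of producing a file without the private key.
if (-not $cert.HasPrivateKey -or -not $cert.PrivateKeyExportable) {
    throw 'Private key is missing or not exportable on this server.'
}

# The .pfx carries the private key, so protect it with a password typed at the prompt.
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx' -AsSecureString
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte

# --- Part 2: on the Exchange 2016 server, after copying the file across ---
$pfxPath = 'C:\Temp\hybrid.pfx'                          # hypothetical path
$pfxPassword = Read-Host -Prompt 'Password used for the .pfx' -AsSecureString
$bytes = [byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)

# -PrivateKeyExportable is left at its default ($false); pass $true only if the
# certificate has to be exported again from this server.
$imported = Import-ExchangeCertificate -FileData $bytes -Password $pfxPassword

# Bind the certificate to the services the hybrid server uses (assumed: IIS, SMTP).
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services IIS,SMTP

# Confirm the binding, then delete the key-bearing file from disk.
Get-ExchangeCertificate -Thumbprint $imported.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, NotAfter, HasPrivateKey
Remove-Item -Path $pfxPath
```

Delete the copy of the .pfx left on the 2010 server as well once the 2016 server is confirmed working.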