Anthony Cardullo asked:

Re-use 2010 hybrid exchange server certificate on new 2016 hybrid server

I had this question after viewing Add a second Exchange hybrid server.

I'm in the midst of migrating a 2010 Hybrid server to a 2016 server. The server and Exchange 2016 install have been done. I'm getting to the part where I need to run the wizard on the 2016 server. Can I reuse the cert on the 2010 server and export/import it onto the new server? What is the best way to do that?

Thank you,
Tags: Exchange, Installation, Exchange Hybrid, Certificate


8/22/2022 - Mon
M A

--> Can I reuse the cert on the 2010 server and export/import it onto the new server?
Yes, you can export from 2010 and import into 2016.
Saif Shaikh

Yes, you can use the same certificate, but remember that hybrid requires an "autodiscover.domain.com" SAN entry and a host A record pointing to the Exchange 2016 public IP.

Anthony Cardullo

ASKER
That's a relief, and "Autodiscover" and the A record will be re-pointed.
I haven't done a cert export in a while. Do you have a quick walk-through to get me started?

Thanks
ASKER CERTIFIED SOLUTION
Saif Shaikh
Saif Shaikh

Step 4: Importing your backup .pfx file to Exchange 2016:

  1. Open the Microsoft Management Console (MMC).
  2. On the left pane, click Certificates.
  3. On the right pane, double-click Personal.
  4. On the right pane, right-click Certificates and select All Tasks > Import (this opens the Certificate Import Wizard). Click Next.
  5. Browse to the PKCS#12 (.pfx) file that you want to import and click Next.
  6. Enter the password used to secure the certificate for export and then click OK.
  7. To export the certificate again from this computer, select Mark the key as exportable.
  8. Select the option Automatically select the certificate store based on the type of certificate. (This ensures all the certificates in the certification path (Root, Intermediate, and Server) are stored in the proper place. Problems may occur if a certificate is placed in the wrong store.) Click Next.
  9. Click Finish. A message confirms successful import. Click OK. You should now see your certificate under the Personal Certificates store in MMC.
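The same move can be done from the Exchange Management Shell instead of MMC, which also lets you check the two things that matter for hybrid before you bind the certificate: that the private key actually came across, and that the SAN list still covers the hybrid host names. The following is an added example, not code from the thread or from Microsoft; the thumbprint, the share path and the host names mail.contoso.com / autodiscover.contoso.com are hypothetical placeholders.

```powershell
# Added example (not from the original thread): move an existing Exchange
# certificate, with its private key, from the 2010 hybrid server to the
# 2016 server using Export-/Import-ExchangeCertificate instead of MMC.
# Hypothetical values: $OldThumbprint, \\EX2016\C$\Certs, contoso.com names.

# ---------- Run in the Exchange 2010 Management Shell ----------
$OldThumbprint = 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678'   # hypothetical
$PfxPath       = '\\EX2016\C$\Certs\hybrid.pfx'                 # hypothetical
$PfxPassword   = Read-Host -Prompt 'PFX password' -AsSecureString

# Stop early if the key is not exportable; this is the "Export private key
# is grayed out" case from the thread, and no export path will fix it.
$old = Get-ExchangeCertificate -Thumbprint $OldThumbprint
if (-not $old.PrivateKeyExportable) {
    throw "Private key for $OldThumbprint is not exportable; re-issue the certificate with an exportable key."
}

# Export-ExchangeCertificate returns the PKCS#12 bytes in .FileData; the
# password protects the private key inside the file.
$export = Export-ExchangeCertificate -Thumbprint $OldThumbprint -BinaryEncoded:$true -Password $PfxPassword
Set-Content -Path $PfxPath -Value $export.FileData -Encoding Byte

# ---------- Run in the Exchange 2016 Management Shell ----------
$PfxPath     = 'C:\Certs\hybrid.pfx'                            # same file, local path
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Import into the local machine store. -PrivateKeyExportable $true keeps the
# key movable later (a second hybrid server, a rebuild), which MMC's
# "Mark the key as exportable" checkbox does in the wizard.
$imported = Import-ExchangeCertificate `
    -FileData ([Byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)) `
    -Password $PfxPassword `
    -PrivateKeyExportable $true

$new = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

# Sanity checks before binding: the hybrid names must be in the SAN list
# and the certificate must not be close to expiry.
$required = @('mail.contoso.com', 'autodiscover.contoso.com')   # hypothetical
$domains  = $new.CertificateDomains | ForEach-Object { $_.ToString() }
$missing  = $required | Where-Object { $domains -notcontains $_ }
if ($missing) { throw "Certificate is missing SAN entries: $($missing -join ', ')" }
if ($new.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires $($new.NotAfter)" }

# Bind to IIS (EWS, Autodiscover, OWA) and SMTP, which is what the Hybrid
# Configuration Wizard expects. -Force skips the "overwrite the default SMTP
# certificate?" prompt.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS,SMTP -Force

Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, NotAfter, PrivateKeyExportable

# The PFX holds the private key; remove it once the import is confirmed.
Remove-Item -Path $PfxPath -Force
```

The export half is Exchange 2010 syntax (the cmdlet returns the bytes and you write the file yourself); on 2013 and later `Export-ExchangeCertificate` can also take `-FileName` directly. Both halves run in Windows PowerShell, where `-Encoding Byte` is valid; it is not available in PowerShell 7.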


Anthony Cardullo

ASKER
Ah shoot, my cert export has the "Export private key" option grayed out. Guess I'll have to re-issue it.

Or is it a permission issue?
Saif Shaikh

This problem occurs because the System and Administrator accounts do not have sufficient permissions, or the Administrators group does not have ownership of the drive:\Documents and Settings\userName\Application Data\Microsoft\Crypto\RSA folder or of the private key file.

Solution
The systems/server administrator can reset the permissions on the private key and gain full permission.

Note: In order to view these hidden files you must turn on the Display hidden files and folders option in Windows. To display hidden files and folders, perform the following steps:

1.  Click Start > Control Panel > Folder Options.
2.  On the View tab, under Hidden files and folders, click Show hidden files and folders.

To reset the permissions and gain full permission on these keys, use the following steps:

1.  Open Microsoft Windows Explorer.
2.  Locate the drive:\Documents and Settings\user_profile\Application Data\Microsoft\Crypto folder.
    Note: The private key could be in any profile and not only the Administrator's. The following steps may need to be done on all profiles.
3.  Double-click the RSA folder.
4.  Double-click the MachineKeys folder.
    Note: There should be many files in here; any of them could be the private key in question. The following steps may need to be done on all files in this folder.
5.  Right-click every private key file in this folder and open it with Notepad.
6.  Locate the file that cannot be opened. The error message is "Access is denied".
7.  Right-click the file > Properties.
8.  Select Full Control.
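Rather than opening every file under MachineKeys in Notepad, you can ask the certificate itself which key container it uses and then look at that one file's ACL. The following is an added example, not part of the thread; the thumbprint is a hypothetical placeholder, and it assumes a legacy CSP (RSA) key, which is what the MachineKeys folder discussed above holds. Run it from an elevated Windows PowerShell prompt on the server that has the certificate.

```powershell
# Added example (not from the original thread): find the private key file for
# a certificate in the machine Personal store and show the ACL on that file.
# Assumes a CSP key under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys;
# CNG keys live elsewhere and are only reported, not resolved.
# $Thumbprint is hypothetical. Run elevated; machine keys are not readable otherwise.

param(
    [string]$Thumbprint = 'A1B2C3D4E5F60718293A4B5C6D7E8F9012345678',   # hypothetical
    [switch]$FixAcl     # opt in to the "Select Full Control" step from above
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "No private key is associated with $Thumbprint." }

# Opening the key is exactly the operation that fails with "Access is denied"
# (surfaced by .NET as "Keyset does not exist") when the ACL is broken.
try {
    $rsa = $cert.PrivateKey     # RSACryptoServiceProvider for CSP keys, $null for CNG
} catch {
    throw "Cannot open the private key ($($_.Exception.Message)). Run 'certutil -store My $Thumbprint' and read the 'Unique container name' line to find the file by hand."
}
if ($null -eq $rsa) {
    throw "Key is a CNG key (under %ProgramData%\Microsoft\Crypto\Keys), not a CSP key; this script does not resolve those."
}

$container = $rsa.CspKeyContainerInfo
$keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container.UniqueKeyContainerName

[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    Exportable    = $container.Exportable     # the flag the MMC export wizard checks
    MachineStore  = $container.MachineKeyStore
    KeyFile       = $keyFile
    KeyFileExists = Test-Path $keyFile
}

if (Test-Path $keyFile) {
    # Who can touch the key file. SYSTEM and Administrators should have Full Control;
    # anything broader than that is a finding in its own right.
    (Get-Acl -Path $keyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize

    if ($FixAcl) {
        # Same change as "Properties > Full Control" above, but scoped to the one
        # file that belongs to this certificate instead of every file in the folder.
        icacls "$keyFile" /grant "BUILTIN\Administrators:F" "NT AUTHORITY\SYSTEM:F"
    }
}
```

Note what the output tells you: if `Exportable` is already `False`, the grayed-out option is not a permissions problem at all; the key was generated non-exportable and repairing the ACL will not change that, so re-issuing the certificate with an exportable key is the only clean path. Only when `Exportable` is `True` and the file is unreadable is the ACL repair the right fix.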

M A

--> Ah shoot, my cert export has the "Export private key" option grayed out. Guess I'll have to re-issue it.
You may have to reissue the certificate with "private key exportable" set to true.
Please use this CSR command generator.
https://www.experts-exchange.com/articles/28662/Easy-CSR-creation-Exchange-2007-2010-and-2013.html
Saif Shaikh

If my troubleshooting above does not work, then yes, re-issue.