Exchange 2007 certificate issue
by simoriah on Sep.16, 2009, under Uncategorized
Exchange 2007 UCC SSL certificates. We love ‘em. They actually do make life a little easier when dealing with SSL on internal and external environments. But I just ran into a little quirk with the GoDaddy interface and with the Microsoft Certificate Store.
First, I got the certificate from GoDaddy. I gave them the CSR I created with the following command:
New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "C=US, L=City, S=State, O=Company Name, CN=domainname.com" -DomainName server,server.domainname.local,autodiscover.domainname.com,server.domainname.com,remote.domainname.com -PrivateKeyExportable $true -Path C:\server.domainname.com-20090916-request.txt -Force
I used the new GoDaddy interface to get a certificate generated.
Then I imported the cert with the following command:
Import-ExchangeCertificate -Path C:\PathToFile.cer
Enable-ExchangeCertificate -Thumbprint [thumbprint] -Services "SMTP, IIS"
When I tested the website, I still got Firefox griping about the cert. WHAT?! I looked into it and saw the issue. GoDaddy’s interface for generating a cert asks for the SANs. I didn’t enter any, figuring the CSR would take care of that for me. GoDaddy issued a cert to domainname.com and www.domainname.com … great.
I called GoDaddy and they walked me through adding the SANs to the cert. “It will dynamically update. You don’t need to update your server.” Well, that’s wrong, but ok.
I got the new certificate and imported using the same commands I’d run previously. That’s when I got this…
The certificate with thumbprint <thumbprint> was found but is not valid for use with Exchange Server. Reason: PrivateKeyMissing
Some research found that the issue was a quirk in the certificate management.
First, I deleted the original SSL cert. I didn’t need it anymore. Tried to use the new key… same error.
The Certificates MMC helped me a bit. I went in and found that the GoDaddy key was the issue. The golden key was missing in the little icon. Microsoft’s site had the answer for me: http://technet.microsoft.com/en-us/library/cc535024.aspx
I used the Certificates MMC to pull the serial of the certificate. Then I ran certutil -repairstore my "serialnumber" and that fixed the issue. I was then able to run Enable-ExchangeCertificate -Thumbprint [thumbprint] -Services "SMTP, IIS"
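The whole repair, as a single script you can run in the Exchange Management Shell on the server. This is an added example, not code from the original post: it finds the imported certificate by thumbprint in the local machine Personal store, checks whether a private key is actually bound to it (the same thing the "golden key" icon in the Certificates MMC shows), runs certutil -repairstore on its serial number only if the key is missing, re-reads the store to confirm the repair took, prints the SANs so you can see the reissued cert really carries the names from the CSR, and only then enables it for SMTP and IIS. The thumbprint value is a placeholder you replace with your own.

```powershell
# Added example (not from the original post). Assumption: $thumbprint is the
# thumbprint Import-ExchangeCertificate printed for the reissued GoDaddy cert.
$thumbprint = 'PASTE-THUMBPRINT-HERE'

# Import-ExchangeCertificate drops the cert in LocalMachine\My; the Cert:
# provider exposes the same store as X509Certificate2 objects.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $thumbprint in LocalMachine\My"
}

# HasPrivateKey is what the key icon in the Certificates MMC reflects, and
# it is what Exchange is complaining about with "PrivateKeyMissing".
if (-not $cert.HasPrivateKey) {
    Write-Host "No private key bound to $($cert.Subject); repairing store..."
    # certutil -repairstore searches the machine's key containers for a key
    # pair whose public key matches this certificate and re-links the two.
    # It can only succeed on the box where New-ExchangeCertificate generated
    # the CSR, because that is where the key pair lives.
    certutil -repairstore my $cert.SerialNumber
    if ($LASTEXITCODE -ne 0) { throw 'certutil -repairstore failed' }

    # Re-read the store; the object fetched above does not refresh itself.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }
    if (-not $cert.HasPrivateKey) {
        throw 'Still no private key; the CSR was probably generated on another machine'
    }
}

# Show the SANs so the "only domainname.com and www" mistake is caught
# before the cert is bound to IIS and SMTP.
$san = $cert.Extensions |
    Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) {
    Write-Host 'Subject Alternative Names:'
    $san.Format($true)
} else {
    Write-Warning 'Certificate has no Subject Alternative Name extension'
}

# Exchange accepts the certificate once the private key is bound.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services 'SMTP, IIS'
```

Two caveats worth keeping in mind. First, the repair only rebinds an existing key; if you moved the cert to a second server without exporting the PFX (which is what -PrivateKeyExportable $true in the CSR command exists for), certutil has nothing to find and you need the PFX from the machine that made the CSR. Second, once the key is bound and you do not need to copy it elsewhere, an exportable private key is more than the server needs; export a PFX to a protected location if you want a backup, and keep exportability in mind when you generate the next CSR.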
Everything’s working properly, now. Issue resolved. Hopefully this will help someone else out there. If not, it’s here for my own reference.
September 15th, 2010 on 10:53 PM
Strangely enough, 12 months later, I used these same instructions! HAH!
October 19th, 2010 on 3:20 AM
GoDaddy has great prices on .info domains but their private domain service is so damn expensive.
November 8th, 2010 on 7:14 AM
GoDaddy is not always the best registrar; the private registration of GoDaddy is too expensive.
November 20th, 2010 on 7:49 AM
Just had the exact same issue with go daddy cert and Exchange 2007. This worked a treat, Thank you soooo much.
June 25th, 2011 on 3:54 PM
Brilliant !!! Worked for me a golden nugget of information ….
November 23rd, 2011 on 3:27 PM
This worked, thank you!