Exchange Server Forums

All Forums >> [Microsoft Exchange 2007] >> Secure Messaging

Trouble with Enable for NEW cert
Trouble with Enable for NEW cert - 13.Feb.2008 7:10:47 PM   
g@ctcconsulting.com

 

Posts: 4
Joined: 13.Feb.2008
Status: offline
We have an Exchange 2007 server running in a Windows 2003 R2 domain. We purchased a SAN cert from a CA. Due to my lack of understanding, my first SAN cert contained my EXTERNAL domain name only. I was able to Import and Enable this cert onto my Exchange server using EMS cmdlets. My internal Outlook 2007 clients worked fine except that they complained that the name on the cert did not match the name of the site. My internal domain is not the same as the external one. I realized I need both domains in my SAN, so from my Exchange server I recreated a new CSR to include BOTH the external AND the internal domain in the SAN list. I received my updated cert from the CA. I successfully ran "Import-ExchangeCertificate -path c:\newcert.cer". I got a thumbprint and can see the cert in Certificate Manager. I can also see the cert listed by running "dir cert:\LocalMachine\My | fl"; however, there is no FriendlyName listed (does this matter?).

Now here is my problem: when I try to run "Enable-ExchangeCertificate -thumbprint xxxblahblahblahxxx -services IIS,IMAP,POP" I get the following nasty:

WARNING: An unexpected error has occurred and a Watson dump is being generated: The certificate with thumbprint xxxblahblahblahxxx was
found but is not valid for usage with Exchange Server (reason: PrivateKeyMissing).

The only information I have found around "PrivateKeyMissing" is for the case where you attempt to Import a cert onto a different server than the one used to create the CSR. This is not the case here, in that I am sure I used the Exchange server to create ALL the CSRs.

PS: I did check my copy of "How to Cheat at Configuring Exchange Server 2007" but, sadly, am still stuck.
Post #: 1
RE: Trouble with Enable for NEW cert - 14.Feb.2008 12:08:03 AM   
ismail.mohammed

 

Posts: 2334
Joined: 9.May2007
From: India
Status: offline
hi,

I have never tried it through PowerShell, but I feel that if you go through IE to \\servername\certsrv it might help you.

Regarding the above trick, you can see the msexchange.org article or

http://exchangeserverinfo.com/2008/01/24/publishing-exchange-2007-server-with-isa-server-2006--part-1accessing-owa-externally-through-isa-2006-firewall.aspx

In the above link, check the reference for importing the certificate on the ISA firewall, because I had not kept the private key but had stored the information on the local computer. If you can't find the answer in the above link, there is also a part 2 inside it; please check that one.

(in reply to g@ctcconsulting.com)
Post #: 2
RE: Trouble with Enable for NEW cert - 14.Feb.2008 5:39:15 PM   
g@ctcconsulting.com

 

Posts: 4
Joined: 13.Feb.2008
Status: offline
Thank you Ismail,
Your blog did help me a little. Through reading your article I found how to go into IIS and replace the current cert with the new cert for the Default Web Site. I did this, and now my cert shows a FriendlyName (it did not prior). However, I still cannot execute the Enable-ExchangeCert... command (it still complains of PrivateKeyMissing).

I'm not sure if the following has any meaning, but it is what I have noticed: if I run "dir cert:\LocalMachine\My | fl" I see only TWO certs, one from the server and one from the CA. If I run "Get-ExchangeCertificates | fl" I see TWELVE certificates; all of them are Self-Signed and only ONE is VALID, and none of them show 'Services'. Do these invalid certs need to be removed? Is it possible they are causing the trouble?

And, just to make sure I am fully confused: if I run "Get-PopSettings" or "Get-ImapSettings" I do see the FriendlyName of my cert listed in the X509CertificateName field; however, the OriginatingServer shows my internal AD server and not my CA (again, I have no idea if this is correct or not...).

(in reply to ismail.mohammed)
Post #: 3
RE: Trouble with Enable for NEW cert - 15.Feb.2008 5:04:45 PM   
g@ctcconsulting.com

 

Posts: 4
Joined: 13.Feb.2008
Status: offline
Some progress has been made. I used the Certificates snap-in to import the cert into the Personal store (it was there already, but I did it again anyway). I got the SN of the cert and then executed "certutil -repairstore my "SN"". I was then able to execute the "Enable-ExchangeCert..." command without error.
I'm not sure if this has "fixed my problems", but it sure helped.

(in reply to g@ctcconsulting.com)
Post #: 4
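The diagnosis and the fix described in this thread (post #1: the certificate is in LocalMachine\My but Enable-ExchangeCertificate reports PrivateKeyMissing; post #4: certutil -repairstore re-links it), as an added example that is not part of the original posts. It assumes the script runs in the Exchange Management Shell on the server where the CSR was generated, that $Thumbprint is the value printed by Import-ExchangeCertificate, and that the key pair still exists in the machine key store. The check it adds is the one the thread never shows: reading HasPrivateKey and the Subject Alternative Name extension directly before touching Exchange, and refusing to call Enable-ExchangeCertificate until the key link is confirmed.

```powershell
# Added example (not from the original thread): diagnose and repair an Exchange
# certificate that Enable-ExchangeCertificate rejects with "PrivateKeyMissing".
# Assumption: $Thumbprint is the thumbprint printed by Import-ExchangeCertificate,
# and the CSR was generated on this same server, so the key pair is still in the
# machine key store and certutil -repairstore can re-link it.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint,
    [string[]]$Services = @('IIS', 'IMAP', 'POP')   # same services as in post #1
)

# Thumbprints pasted from certificate dialogs often carry spaces; normalise.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

function Get-MachineCert([string]$thumb) {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
}

function Show-CertState([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    "Subject       : $($cert.Subject)"
    "Issuer        : $($cert.Issuer)"
    "Serial        : $($cert.SerialNumber)"
    "NotAfter      : $($cert.NotAfter)"
    "FriendlyName  : '$($cert.FriendlyName)'   (cosmetic only; Exchange does not key on it)"
    "HasPrivateKey : $($cert.HasPrivateKey)"
    # Subject Alternative Name extension (OID 2.5.29.17): both the external and the
    # internal host names must be listed here, or Outlook warns about a name mismatch.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { "SAN           : " + $san.Format($false) } else { "SAN           : (none)" }
}

$cert = Get-MachineCert $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }
Show-CertState $cert

if (-not $cert.HasPrivateKey) {
    # The public certificate is in the store but is not linked to its key pair.
    # certutil -repairstore searches the machine key containers for the matching
    # key and rewrites the link; it can only succeed if the key was generated here.
    Write-Host "Private key not linked; running certutil -repairstore my $($cert.SerialNumber)"
    $repairOutput = & certutil.exe -repairstore my $cert.SerialNumber
    if ($LASTEXITCODE -ne 0) {
        $repairOutput
        throw "certutil -repairstore failed (exit code $LASTEXITCODE)"
    }
    # Re-read the store so the object reflects the new key link.
    $cert = Get-MachineCert $Thumbprint
    Show-CertState $cert
    if (-not $cert.HasPrivateKey) {
        throw "Still no private key: the CSR was probably generated on another machine, " +
              "or the pending request was deleted. Create a new CSR on this server and re-issue."
    }
}

# Only now is Enable-ExchangeCertificate expected to succeed.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services ($Services -join ',')
```

Two caveats a practitioner would want alongside the thread's answer. certutil -repairstore cannot conjure a key: if the CSR was created elsewhere, or the pending request was removed before the issued certificate was imported, the only fix is a new CSR on the target server and a re-issued certificate (or a PFX export from the machine that holds the key). And the OriginatingServer field that Get-PopSettings and Get-ImapSettings print is the domain controller the configuration was read from, not the certificate issuer; it says nothing about the certificate's state.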
RE: Trouble with Enable for NEW cert - 18.Feb.2008 10:42:32 AM   
ismail.mohammed

 

Posts: 2334
Joined: 9.May2007
From: India
Status: offline
hi mate,

Please post me update on this issue...
good to know that it is somehow working lets monitor it for a while

(in reply to g@ctcconsulting.com)
Post #: 5
RE: Trouble with Enable for NEW cert - 19.Feb.2008 5:54:08 PM   
g@ctcconsulting.com

 

Posts: 4
Joined: 13.Feb.2008
Status: offline
All problems seem resolved.  Using "certutil -repairstore my "SN"" did the trick.
tx 

(in reply to ismail.mohammed)
Post #: 6
RE: Trouble with Enable for NEW cert - 20.Feb.2008 9:41:33 AM   
ismail.mohammed

 

Posts: 2334
Joined: 9.May2007
From: India
Status: offline
hi mate,

It's good to hear that issue got resolved and thank you for sharing your trick with us.

Can i close this ticket. just kidding.

(in reply to g@ctcconsulting.com)
Post #: 7