Exchange 2010 will be out soon, and i’ve been preparing for the migration. One of the more important parts is that you will need to have both Exchange 2007 and Exchange 2010 client access servers accessible from the Internet.
If you’re following the recommended deployment method for Exchange 2007, you’ll already be using a SAN certificate in order to publish AutoDiscovery and OWA. For coexistence of Exchange 2007 and Exchange 2010, an additional name will need to be added to your SAN certificate.
With most CAs, this is a pretty straightforward process that can be done using their web interface, since the private key doesn’t need to be touched. After modifying this, you will get a new .crt file containing the certificate, but no private key (which is correct).
However, importing this into Exchange 2007 using Import-ExchangeCertificate doesn’t work – Windows won’t know which private key is associated with the newly imported certificate. When you try to use Enable-ExchangeCertificate, you will receive the following error message:
Enable-ExchangeCertificate : The certificate with thumbprint 1234 was found but is
not valid for use with Exchange Server (reason: PrivateKeyMissing).
I searched high and low on how to replace a certificate without touching the private key, but i didn’t find anything. So i turned to the community for support – MCSEBoard.de is an excellent Windows community for those who speak German.
Unfortunately, noone knew an easy way either – the suggestion was to use OpenSSL to create a new keystore.
This was rather easy, but i didn’t find any guides on the net on how to do this, so i’m publishing this here in the hope that it will help others with the same issue.
- First, you need to export the key including the private key using the Windows certificate manager. Open an elevated MMC, add the Certificate snap-in and focus on the Computer certificate. Click “Personal”, and then export the certificate with the private key.
- Download and Install OpenSSL for Windows
- Issue the following command: openssl pkcs12 -in mykey.pfx > out.txt
- Open out.txt using an LF-aware text editor, such as Notepad++. Save the PRIVATE KEY part to a textfile called key.pem.
- Save the certificate to a file called cert.crt
- Issue to the following command: openssl pkcs12 -export -in cert.crt -inkey key.pem -out newcert.p12
- Copy the newly created newcert.p12 to the Exchange server.
- Open PowerShell and run the following command: $secureString = ConvertTo-SecureString "blubb" -AsPlainText -Force – Replace “blubb” with the Passphrase you used in the step before
- Run Import-ExchangeCertificate -path newcert.p12 -pass $secureString to import the certificate back into Exchange
- The rest is as usual – use Enable-ExchangeCertificate to enable the certificate.
And that’s it. It might be a bit cumbersome – and i really hope that there is an easier way to to this. If you know, let me know so i can update this page.