Today I was playing around with Exchange 2010 Certificates in my labs. My lab contains simple setup as below:
| Server | Operating system | Role |
|---|---|---|
| ExchangeDC | Windows Server 2003 SP1 | DC, GC, CA |
| Exchange2003 | Windows Server 2003 SP1 | Exchange 2003 SP2 |
| Exchange2010 | Windows Server 2008 R2 | Exchange 2010 RTM |
In the above setup the domain controller is also an Enterprise Root CA. I requested a new certificate from my internal CA and wanted to import it and then enable it for services on my Exchange 2010 server. Something went wrong: the certificate did not have a private key. After downloading the certificate, the line "You have a private key that corresponds to this certificate." was missing from the certificate properties, as shown below.
The trouble was that the pending request in the EMC would still import this certificate, but it did not let me assign it to the services. After a good 2 hours on my own I found a solution at https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1188
So here is the simplest way to overcome this problem.
- Download the certificate and store it at some place on the server.
- Click Start –> Run and then type MMC, press Enter.
- In the MMC Snap In click File Menu and then select Add/Remove Snap-in…
- Select Certificates.
- Click Add button.
- Select Computer account from the popped up dialog box.
- Click Finish and click OK
- Expand Certificates –> Personal –> Certificates
- Right click in the right hand side pane of the MMC Snap-in and select All Tasks –> Import…
- Specify the file path in the wizard that will pop up and Finish the wizard.
- You should see the certificate that has the little golden key icon missing. The other certificate you may see is the self-signed certificate generated during exchange installation.
- Now double click on the newly imported certificate and select the Details tab.
- Click Serial Number and write down this value or simply copy and paste it into a notepad file. Please note that you will not be allowed to copy using mouse. You can use Ctrl+C instead.
- Open a command prompt and type `certutil -repairstore my "serial number of certificate"` and press Enter.
- Now, refresh the Certificates MMC and you should see the private key paired with the certificate.
- In Certificates MMC right click on the same certificate and select All Tasks –> Export…
- Export this certificate into a .pfx file with the options below selected during the export wizard.
  - Yes, export the private key on the Export Private Key page.
  - Include all certificates in the certification path if possible on the Export File Format page.
  - Export all extended properties on the Export File Format page.
- Enter the password.
- Select the path where the pfx file will be stored and complete the wizard.
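The same repair can be scripted instead of clicked through in the MMC. The script below is an added example, not part of the original post; it assumes the downloaded certificate is at `C:\certs\exchangecert.cer` and the .pfx should be written to `C:\certs\exchangecert.pfx` (both hypothetical paths), and that it runs in an elevated PowerShell on the Exchange 2010 server where the request was generated.

```powershell
# Added example (not from the original post): automate the MMC steps above.
# Assumed paths; adjust to where the certificate was downloaded.
param(
    [string]$CerPath = 'C:\certs\exchangecert.cer',   # hypothetical path to the downloaded certificate
    [string]$PfxPath = 'C:\certs\exchangecert.pfx'    # hypothetical path for the exported PFX
)

# Step 1: import the certificate into the computer's Personal store (LocalMachine\My),
# which is where the MMC "Computer account" snap-in puts it.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Step 2: the serial number is what certutil uses to find the certificate in the store.
$serial = $cert.SerialNumber
Write-Host "Imported serial $serial; HasPrivateKey before repair = $($cert.HasPrivateKey)"

# Step 3: re-associate the certificate with the private key that was created in the
# machine key store when the request was generated (the equivalent of the manual step).
& certutil.exe -repairstore my $serial
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

# Step 4: re-read the certificate from the store and check that the key is now attached.
$repaired = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.SerialNumber -eq $serial }
if (-not $repaired -or -not $repaired.HasPrivateKey) {
    throw 'Private key still missing: the request was probably not generated on this machine.'
}
Write-Host "HasPrivateKey after repair = $($repaired.HasPrivateKey)"

# Step 5: export to PFX including the private key, protected by a password entered at the prompt.
$password = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
$pfxBytes = $repaired.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
[System.IO.File]::WriteAllBytes($PfxPath, $pfxBytes)
Write-Host "Exported $PfxPath"
```

The check in step 4 is the important one: `certutil -repairstore` can only succeed when the private key from the original request is present in this machine's key store, so if `HasPrivateKey` is still false the request was made elsewhere and the certificate has to be re-requested from the server that will use it. Note that `X509Certificate2.Export` writes only the single certificate; if you also want the issuing chain in the .pfx (the "include all certificates in the certification path" option of the wizard), export an `X509Certificate2Collection` built from `X509Chain.ChainElements` instead.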
Now open the Exchange Management Shell (EMS) and import the .pfx file:

```powershell
[PS] C:\>Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\Users\Administrator.EXCHANGE\Desktop\exchangecert.pfx" -Encoding byte -ReadCount 0)) -Password:(Get-Credential).password
```
The credentials prompt will pop up. Enter the currently logged-on user as the user name and, as the password, the password that was specified for the .pfx file during export. If the credentials are correct the output should be as below:
Next, you can enable this certificate for the services you want to use it for. Again, simply open the EMS and run:

```powershell
Enable-ExchangeCertificate -Server 'EXCHANGE2010' -Services 'IMAP, POP, IIS, SMTP' -Thumbprint 'E7DD3356F1DC4359D9AAFD18BC7E36C06C7FC418'
```
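To confirm that the import and the service binding actually took effect, the following added example (not from the original post) reads the certificate back with `Get-ExchangeCertificate` and checks both the private key and the assigned services. It assumes the same thumbprint and server name shown above and that it runs in the EMS.

```powershell
# Added example (not from the original post): verify the imported certificate in Exchange.
$thumbprint = 'E7DD3356F1DC4359D9AAFD18BC7E36C06C7FC418'   # thumbprint from the post above
$server     = 'EXCHANGE2010'                                # server name from the post above
$wanted     = 'IMAP', 'POP', 'IIS', 'SMTP'                  # services enabled above

# Fetch the certificate from Exchange's view of the local store.
$exCert = Get-ExchangeCertificate -Server $server -Thumbprint $thumbprint
if (-not $exCert) { throw "Certificate $thumbprint not found on $server" }

# Without a private key the certificate cannot be enabled for any service.
if (-not $exCert.HasPrivateKey) { throw 'Certificate has no private key; run the repair steps first' }

# The Services property lists what the certificate is bound to; report anything missing.
$missing = $wanted | Where-Object { ($exCert.Services -join ',') -notmatch $_ }
if ($missing) {
    Write-Warning ("Certificate is not yet enabled for: " + ($missing -join ', '))
} else {
    Write-Host "Certificate $thumbprint is enabled for $($exCert.Services) on $server"
}

# Expiry is worth a look at the same time, since the CA-issued certificate replaces the
# self-signed one created during setup.
Write-Host "Valid until $($exCert.NotAfter)"
```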