I had a customer come to me with the need to renew their Exchange SSL certificate. Since they needed to add additional SAN names to the request, they had created a new certificate request instead of clicking renew on the current certificate. The process was followed through getting the certificate from the 3rd party vendor and then it came time to complete the pending certificate request.
The customer had created a couple of certificate requests because the first one did not contain the correct subject alternative names, so they cleaned up the pending requests…and cleaned up the one that was needed as well! Once the pending request is gone, completing the request in Exchange fails because Exchange no longer knows which private key the .cer belongs to. The key pair itself, however, is usually still sitting in the server's machine key store; nothing deleted it, only the reference to it. That is what the repair below relies on.
One option could have been to do another certificate request and not delete it this time but they asked if there was any way to use their current certificate and fix their issue.
I went back to an article for IIS 6.0 on TechNet pertaining to this same issue only in IIS and thought I would give it a shot. I had used it years ago but not with Exchange. This actually worked perfectly with a few additional steps so I wanted to document in case anyone else found themselves in this odd situation.
- The certificate the 3rd party CA returned for the original Exchange request, which will be the file with a .cer extension
- Command line access (an elevated prompt) on the Exchange server that generated the original request. It has to be that server: the private key only exists in that machine's key store, and the repair step searches the local key containers for it.
Repairing your certificate
- At the command prompt, navigate to c:\windows\system32
- Type certutil -addstore my c:\….\certnew.cer, where the last argument is the path to your .cer file. This places the certificate (public part only) in the computer's Personal store.
- Open the .cer file and navigate to the Details tab. Find the certificate thumbprint and copy it. Remove the spaces, and make sure no hidden leading character came along with it; the certificate dialog is known to insert one when you copy from that field, and it silently breaks the command below.
- Return to the command prompt and type: certutil -repairstore my "<thumbprint>", with the thumbprint inside the quotes. certutil looks for a key container whose public key matches the certificate and binds the two. If it reports that no key was found, you are on the wrong server or the key really is gone, and a new request is the only way forward.
- Your certificate will now be in the personal store of the computer you are on.
- Open an mmc.msc console and add the certificates snap-in (chose local computer)
- navigate to the personal store and find your certificate
- right-click on the certificate and go to properties
- Enter a friendly name for the certificate and click OK.
- Finally, export the certificate as .pfx with the private key and provide a password. The "export the private key" option is only available if the key was generated as exportable; if it is grayed out, you can still use the certificate on this server, because Exchange reads the computer's Personal store directly, but you will not be able to copy it to other servers without a new request.
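The same repair, scripted end to end in PowerShell. This is an added example and not part of the original post; the paths, friendly name and password prompt are assumptions. It reads the thumbprint from the .cer file itself, which sidesteps the copy-and-paste problem with the Details tab, and it checks that the private key actually got re-attached before attempting the export.

```powershell
# Added example (not from the original post). Re-links a CA-issued .cer to the
# private key left behind in the local machine key store when the pending
# Exchange request was deleted, then exports a .pfx.
# Run in an elevated PowerShell prompt on the Exchange server that generated
# the original request; the key only exists on that machine.
# $CerPath, $PfxPath and $FriendlyName are assumed values, change them.

$CerPath      = 'C:\certs\certnew.cer'       # assumed location of the CA-issued certificate
$PfxPath      = 'C:\certs\exchange.pfx'      # assumed output path for the export
$FriendlyName = 'Exchange SAN certificate'   # assumed friendly name
$PfxPassword  = Read-Host -AsSecureString -Prompt 'Password for the exported PFX'

# Take the thumbprint from the file rather than from the Details tab, so no
# spaces or hidden marker characters sneak into the certutil command.
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$thumb    = $fileCert.Thumbprint
Write-Host "Subject:    $($fileCert.Subject)"
Write-Host "Thumbprint: $thumb"

# 1. Put the certificate (public part only) into the computer's Personal store.
certutil -addstore My $CerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed (exit code $LASTEXITCODE)" }

# 2. Let certutil search the local key containers for the matching key pair and bind it.
certutil -repairstore My $thumb
if ($LASTEXITCODE -ne 0) {
    throw "certutil -repairstore failed: no matching private key found on this machine"
}

# 3. Verify the binding took. Without HasPrivateKey the export below cannot succeed
#    and Exchange will not be able to use the certificate either.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumb"
if (-not $cert.HasPrivateKey) { throw "Certificate $thumb still has no private key attached" }

# 4. Friendly name, the same thing the MMC properties dialog sets.
$cert.FriendlyName = $FriendlyName

# 5. Export with the private key. This fails if the original request was generated
#    with a non-exportable key; in that case the certificate is still usable on this
#    server, because Exchange reads the computer's Personal store directly.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null
Write-Host "Exported certificate with private key to $PfxPath"
```

After it finishes, certutil -store My "<thumbprint>" should show a Key Container line and "Encryption test passed" for the certificate, which is the quickest way to confirm the repair before touching Exchange.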
Importing certificate into Exchange 2013
- Navigate to the ECP webpage
- go to Servers -> certificates
- click on the ellipsis … and “Import Exchange Certificate”
- Enter the path to the .pfx file (the wizard expects a UNC path such as \\server\share\file.pfx, not a local drive letter) and enter the password
- Select the servers to import the certificate into
- Finish out the import process
At this point you are able to move services to this new certificate and are ready to rock and roll!
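The import and the service assignment can also be done from the Exchange Management Shell, which is handy when there are several servers to update. This is an added example and not part of the original post; the PFX path, server names and the list of services are assumptions. Exchange 2013's Import-ExchangeCertificate takes the PFX contents as a byte array rather than a file path, which is the part people usually trip over.

```powershell
# Added example (not from the original post). Imports the exported .pfx on each
# Exchange 2013 server from the Exchange Management Shell and then moves the
# IIS and SMTP services to it. $PfxPath, $Servers and $Services are assumed values.

$PfxPath     = 'C:\certs\exchange.pfx'     # assumed, the file exported by the repair step
$Servers     = 'EX01', 'EX02'               # assumed Exchange 2013 server names
$Services    = 'IIS', 'SMTP'                # assumed services to move to the new certificate
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Exchange 2013 wants the raw PFX bytes in -FileData, not a path.
$pfxBytes = [System.IO.File]::ReadAllBytes($PfxPath)

foreach ($srv in $Servers) {
    Write-Host "Importing certificate on $srv"
    $imported = Import-ExchangeCertificate -Server $srv -FileData $pfxBytes -Password $PfxPassword -PrivateKeyExportable $true

    # Re-read it from the server and check the chain status before assigning services;
    # a certificate that shows anything other than Valid here will not help clients.
    $cert = Get-ExchangeCertificate -Server $srv -Thumbprint $imported.Thumbprint
    if ($cert.Status -ne 'Valid') {
        throw "Certificate $($cert.Thumbprint) on $srv has status $($cert.Status), not enabling services"
    }

    # Move the services. -Force suppresses the prompt about replacing the default SMTP certificate.
    Enable-ExchangeCertificate -Server $srv -Thumbprint $cert.Thumbprint -Services $Services -Force

    # Show what the server now has bound to this certificate.
    Get-ExchangeCertificate -Server $srv -Thumbprint $cert.Thumbprint | Format-List Subject, Thumbprint, Services, NotAfter
}
```

Enabling IIS restarts nothing by itself, but clients will only pick up the new certificate after the web sites rebind, so an iisreset on each server (or a restart of the MSExchangeTransport service for SMTP) is the usual last step.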