
Importing SSL Certificate into Exchange 2016 not working

Trying to import a new SSL certificate into our Exchange 2016 server as the existing one expires in 10 days. I have the pending request created in the Exchange Admin Center, and the CSR was uploaded to GoDaddy.

Downloaded the files to the server. Intermediate certificate installed with no issue.

Attempting to complete the pending request in Exchange with the .crt file isn't working. It acts as though it takes it, but the certificate doesn't update. It still reads "Pending request".

I see that the certificate does install into the personal store on the server. However, it's missing the little lock icon in the upper left-hand corner. I believe the private key information is missing from the certificate file. How do we remedy this?

1 ACCEPTED SOLUTION

What do you mean by "serial number matches"?

[ Not sure if relevant ... try to install the root certificate as a trusted root ... assuming you got a file that has "root" in the name. An untrusted root certificate could cause a rejection. ]

Well, it should work ... not that this is of much help. The first thing that springs to mind is that the certificate is for a wrong CSR / public key. Check that you sent the correct CSR file to the CA.

You can also check that the cert is for the CSR you sent, e.g. here: https://certlogik.com/decoder/

1. Decode the CSR and note the first few bytes (or the first line) of the public key ... you have to scroll down to "CSR Detailed Information" and you want the "Modulus" ...

2. Then do the same for your cert ... the Modulus inside the "Subject Public Key Info".

3. The modulus strings should be the same.

6 REPLIES

Hi,

It sounds like you created the CSR in the Exchange server. When you open the list of certificates, select the one that has the "pending request". Find a link / text "Complete"; when you click that, it should open a form where you can upload your .crt file.

The private key is not in the certificate. When you create a CSR, the Exchange server will generate a private key and will use it to sign the CSR, but the private key itself is securely hidden inside the key/certificate storage of the server.

You can export the private key, but it's a separate function. The resulting file will have the extension "p12" or "pfx"; that's the easiest indication of whether the file contains a private key.

Dan

———

I've worked around (not only) SSL security for over 20 years in enterprises and startups.

I am now running an HTTPS expiry management service, KeyChest.net
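As an added example (not from the thread, and not GoDaddy's or Microsoft's own instructions), here is an Exchange Management Shell session that ties together the accepted answer's public-key comparison and the "Complete" step Dan describes, refusing to import a certificate that was issued for a different CSR. It assumes the CSR was generated on this server (so its private key is in the local machine store), that the GoDaddy .crt was saved to C:\certs\mail_example_com.crt, and that the pending-request object returned by Get-ExchangeCertificate exposes its PublicKey like any X509Certificate2 (ExchangeCertificate derives from that class); the path and that last point are assumptions, not something the thread states.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on
# the server where the CSR was generated, i.e. where the private key lives.
# Assumed path: adjust to wherever the GoDaddy .crt was saved.
$CertFile = 'C:\certs\mail_example_com.crt'

function Get-PublicKeyHex {
    # Hex of the encoded public key (for RSA: the PKCS#1 modulus+exponent blob).
    # Comparing this is equivalent to comparing the modulus as the accepted
    # answer describes, but needs no third-party online decoder.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    ($Cert.PublicKey.EncodedKeyValue.RawData | ForEach-Object { $_.ToString('x2') }) -join ''
}

# 1. Load the CA-issued certificate. A .crt/.cer never carries a private key,
#    so HasPrivateKey is False here by design; Exchange supplies the key when
#    the matching pending request is completed.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)
'Issued: {0}  thumbprint={1}  HasPrivateKey={2}' -f $issued.Subject, $issued.Thumbprint, $issued.HasPrivateKey

# 2. Find pending requests on this server. Assumption: the pending-request
#    object exposes .PublicKey (ExchangeCertificate derives from
#    X509Certificate2), holding the public half of the key the CSR was made with.
$pending = Get-ExchangeCertificate -Server $env:COMPUTERNAME |
    Where-Object { $_.Status -eq 'PendingRequest' }
if (-not $pending) {
    throw "No pending request on $env:COMPUTERNAME; generate a new CSR here and re-key at the CA."
}

$issuedKey = Get-PublicKeyHex $issued
$match = $pending | Where-Object { (Get-PublicKeyHex $_) -eq $issuedKey }

if (-not $match) {
    # This is the thread's failure mode: the CA signed a different CSR, so no
    # private key on this box corresponds to the certificate. Importing it
    # anyway would only land a key-less certificate in the Personal store.
    throw "Public key in $CertFile matches none of $($pending.Count) pending request(s). Re-key at the CA using the CSR from this server."
}
"Matches pending request $($match.Thumbprint); completing it."

# 3. Complete the request (what the EAC 'Complete' link does underneath).
Import-ExchangeCertificate -Server $env:COMPUTERNAME -FileData ([System.IO.File]::ReadAllBytes($CertFile))

# 4. Verify the pairing: Status should now be Valid and HasPrivateKey True.
$installed = Get-ExchangeCertificate -Server $env:COMPUTERNAME -Thumbprint $issued.Thumbprint
$installed | Format-List Subject, Status, HasPrivateKey, NotAfter, Services
if (-not $installed.HasPrivateKey) {
    throw 'Certificate imported without a private key; do not assign services to it.'
}

# 5. Only a key-paired certificate can terminate TLS; bind it to the services.
Enable-ExchangeCertificate -Server $env:COMPUTERNAME -Thumbprint $issued.Thumbprint -Services IIS,SMTP
```

A .crt imported without a matching pending request still lands in the Personal store, which is exactly the key-less certificate the original poster saw; the script stops before that point. When the public keys differ, the only fix is a fresh CSR generated on this server and a re-key at the CA, not another import attempt.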

 

Still not working.

I sent in a new certificate request and had the certificate re-keyed this morning. I can confirm the serial number matches the new certificate.

Went back into Exchange and followed the Complete link on the pending certificate. Selected the .crt file provided by GoDaddy. Still loads into the personal store with no private key.

I can export the key from the personal store, but not as a p12 or pfx. Again, because there is no private key being assigned to it.


Well, not sure what our problem was earlier, but it's finally up and running.

Started another request out of Exchange and did yet another re-key at GoDaddy. Took the advice in your last reply and checked the modulus of the CSR and the incoming GoDaddy cert. They matched.

This time the pending request in Exchange completed, and we have our certificate installed on the server. We must have been mixing mismatched CSRs and certificates earlier.

Thanks for the help. 👍

I have the same issue as the original question, after importing the new .crt from godaddy, it still says "pending".
So I followed your advice and confirmed that the first few bytes do NOT match. What do I do now? Thank you

Exact same problem.

Says pending even after sending in a new certificate request and having the certificate re-keyed.

Went back into Exchange and followed the Complete link on the pending certificate. Selected the .crt file provided by GoDaddy. Still loads into the personal store with no private key.

This happens every time, GoDaddy. Either fix your process or fix your instructions.