Renew Exchange 2007 SSL certificate
Hi, some time ago I created a certificate for an Exchange 2007 server and got it signed by a third party CA. Now this certificate is going to expire in some weeks' time, so I have to renew the certificate. From other server systems (mainly OpenSSL based) I am used to being able to replace the certificate file (containing the public key) and keep the private key, so no new CSR is required. However, I have not yet found a way to do so with Exchange 2007. When I import the renewed certificate, Exchange complains about the missing private key (obviously the signed certificate does not contain the private key). Is there a way to combine the currently used private key with the new certificate, or is it always necessary to generate a new CSR for renewing a certificate? Thanks in advance!
June 3rd, 2009 2:11pm

Copy the Entrust Unified Communications Certificate (UCC) and be sure to include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. Paste the Entrust Unified Communication Certificate into a text editor such as Notepad and ensure that the entire text is flushed to the left with no leading or trailing white space. Save the certificate file as .cer or .crt.

Once you have saved the certificate file to your computer, you must then install the certificate with the Import-ExchangeCertificate cmdlet.

Important: Do not use the Certificate snap-in to import the certificates for any service on an Exchange server. Using the Certificate snap-in to import certificates on Exchange servers will fail. Therefore, TLS or other Exchange certificate services will not work.

The following example shows how to import a certificate for SMTP TLS:

Import-ExchangeCertificate -Path c:\certificates\mail1.entrust.com.cer

You also want to get the thumbprint of the certificate, as you will need that to enable the certificate for the services. Use this line to get the thumbprints:

Get-ExchangeCertificate

That will give you a list of thumbprints. If you are not sure which one you are looking for, go into the GUI, open the cert and select Details. From there you can see the thumbprint to compare. Then enable services (the thumbprint from the previous step is required):

Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP

Remember you may need the certificate on more services than SMTP.
June 3rd, 2009 5:38pm

Hi Mike, please let me know if the above procedure does not work for you. I will send you the full procedure step by step. Thanks. Regards, Sunil Bansal.
June 3rd, 2009 5:42pm

Actually Import-ExchangeCertificate does not work properly with .crt files if there is no request open, because then there is no private key. The certificate will be imported, but it is unusable for Exchange. However, I managed to solve the problem myself now. I exported the old certificate as a .pfx file, converted this file using OpenSSL to the PEM format, cut the old certificate and pasted the new one into the file (leaving the private key untouched) and converted this back to .pfx, which Exchange happily imports. It works fine, but is rather hard work compared to other server systems where it is sufficient to replace the ssl.crt file and leave the ssl.key file in place.
June 4th, 2009 3:19pm
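The PFX swap described in the post above, written out as an added example (it is not code from the thread, from Microsoft or from the OpenSSL project). It assumes a POSIX shell with the openssl command-line tool; every key pair, certificate and password in it is constructed on the fly for the demonstration (the host name mail.example.test and the password "changeit" are placeholders). It goes one step beyond the post: before rebuilding the PFX it checks that the renewed certificate's public key really belongs to the private key taken from the old PFX, and refuses to build anything otherwise, which is the failure mode you hit when the CA issued the renewal against a fresh CSR instead of re-signing the original request.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the poster's OpenSSL workaround
# (export PFX -> PEM, swap in the renewed certificate, keep the private key, rebuild PFX)
# and add the check a practitioner wants before importing: does the renewed certificate
# actually belong to the private key in the old PFX?
# All key material below is constructed on the fly for the demonstration.
set -eu
umask 077                                   # private key material must not be world-readable

WORK="${WORK:-$(mktemp -d)}"
PASS="${PFX_PASSWORD:-changeit}"            # constructed password; replace with the real one
PFX_EXPORT_OPTS="${PFX_EXPORT_OPTS:-}"      # e.g. "-legacy" on OpenSSL 3.x for older Windows

# Constructed fixture standing in for the real CA-issued certificates: one key pair,
# an "old" certificate (serial 1) and a "renewed" one (serial 2) for the same key,
# plus an unrelated certificate on a different key to show the mismatch check firing.
make_fixture() {
  openssl genrsa -out "$WORK/old.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/old.key" -subj "/CN=mail.example.test" \
    -days 30 -set_serial 1 -out "$WORK/old.crt" 2>/dev/null
  openssl req -new -x509 -key "$WORK/old.key" -subj "/CN=mail.example.test" \
    -days 365 -set_serial 2 -out "$WORK/renewed.crt" 2>/dev/null
  openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/other.key" -subj "/CN=mail.example.test" \
    -days 365 -set_serial 3 -out "$WORK/other.crt" 2>/dev/null
  # The PFX as exported from the Exchange/IIS side: old certificate plus its private key.
  openssl pkcs12 -export -inkey "$WORK/old.key" -in "$WORK/old.crt" \
    -passout "pass:$PASS" -out "$WORK/old.pfx"
}

# Public key of a certificate and of a private key, in the same comparable PEM form.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }
key_pubkey()  { openssl pkey -in "$1" -pubout; }

# swap_cert_into_pfx OLD.pfx RENEWED.crt NEW.pfx
# Returns 1 (and builds nothing) if the renewed certificate does not match the key.
swap_cert_into_pfx() {
  old_pfx=$1; renewed_crt=$2; new_pfx=$3
  key_pem="$WORK/key.$$.pem"
  # 1. Pull only the private key out of the old PFX (PEM, unencrypted, in the 0700 work dir).
  openssl pkcs12 -in "$old_pfx" -passin "pass:$PASS" -nocerts -nodes -out "$key_pem" 2>/dev/null
  # 2. Refuse to continue unless the renewed certificate was issued for this key:
  #    a renewal generated from a fresh CSR would parse fine but could never be bound to it.
  if [ "$(cert_pubkey "$renewed_crt")" != "$(key_pubkey "$key_pem")" ]; then
    echo "renewed certificate's public key does not match the private key in $old_pfx" >&2
    rm -f "$key_pem"
    return 1
  fi
  # 3. Rebuild the PFX from the untouched private key and the renewed certificate.
  # shellcheck disable=SC2086  # PFX_EXPORT_OPTS is intentionally word-split
  openssl pkcs12 -export $PFX_EXPORT_OPTS -inkey "$key_pem" -in "$renewed_crt" \
    -passout "pass:$PASS" -out "$new_pfx"
  rm -f "$key_pem"
}

# Serial of the end-entity certificate inside a PFX, e.g. "serial=02".
pfx_serial() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -serial
}

make_fixture
swap_cert_into_pfx "$WORK/old.pfx" "$WORK/renewed.crt" "$WORK/new.pfx"
echo "old PFX carries $(pfx_serial "$WORK/old.pfx"), new PFX carries $(pfx_serial "$WORK/new.pfx")"
```

Two caveats for real use. OpenSSL 3.x encrypts PKCS#12 files with AES and PBKDF2 by default, which Windows Server 2003/2008 era stores cannot read; if the Exchange server rejects the rebuilt file, re-run with PFX_EXPORT_OPTS="-legacy" (or the older -keypbe/-certpbe options) so the PFX uses the 3DES/RC2 algorithms those systems expect. And the unencrypted key.pem only exists for the duration of the swap inside a 0700 temporary directory and is deleted afterwards; do not leave an unencrypted copy of the server key on the box you did the conversion on. The resulting .pfx is then imported on the Exchange side with Import-ExchangeCertificate (its -Path and -Password parameters) and activated with Enable-ExchangeCertificate as described elsewhere in this thread.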

It's great that you resolved the problem. We have done the installation of the certificate on our Exchange server. Please find the procedure below.

Entrust SAN CERT Installation Procedure For Client Access Server (CAS)
Prepared by Vamsi

The installation procedure is done in three major stages:
1. Obtaining and importing of the certificate
2. Removal/replace and installation of the certificate
3. Validation of the Outlook Web Access functionality

Stage 1 - Obtaining and Importing of the Certificate

The certificate, when issued to us, will be delivered through an email with the order id as subject and a web link to the certificate, sent to the certificate requesters Dave Dovola and Gary Tierney (the screen shot of the email from Entrust listing the web link of the certificate is not reproduced here). Once we receive the certificate link, click on the link and you will find the certificate in the web page; basic instructions will also be given (screen shot not reproduced here).

1. Copy the Entrust Unified Communications Certificate (UCC) and be sure to include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
2. Paste the Entrust Unified Communication Certificate into a text editor such as Notepad and ensure that the entire text is flushed to the left with no leading or trailing white space.
3. Save the certificate file as .cer or .crt.

The certificate import is a very important part: if the certificate import is done incorrectly, the private key, which is very essential, would be lost. The private key is said to be on the server, but it should be bound onto the certificate for the OWA site to be functional and for secure communication. The import of the certificate on the Exchange 2007 servers should only be performed via the Exchange Command Shell to properly bind the private key onto the certificate.

Steps for importing the certificate:
1. Open the Exchange Command Shell and run the below import command on the CAS server:
   Import-ExchangeCertificate -Path c:\EntrustSanNewCert.cer
   (Note: do not leave any spaces in the certificate name, or else an error will be encountered; the screen shot of the error is not reproduced here.)
2. Once the import is done successfully it will return back to the prompt again.
3. Validate the import by running the below command:
   Get-ExchangeCertificate

The validation is easier when seen from the certificate store on the server, and should be done to make sure that the certificate is imported along with the private key.

Steps to view the certificate from the certificate store:
1. Click on Start, then click Run, then type MMC and click OK.
2. Once a new window pops up, click on Console and select Add/Remove Snap-in.
3. In the next screen click on Add, then select Certificates in the pop-up window and click Add.
4. Once you see the Certificates on the left hand side, click Add.
5. In the next pop-up screen choose Computer Account and click Next.
6. Choose Local Computer, click Finish.
7. Click Close, click OK, click OK again and return back to the start screen.

End of Stage 1

Stage 2 - Removal/Replace and Installation of the Certificate

Note: installation of the certificate can also be done via the Exchange Command Shell by the instructions given by Entrust, but as per the experience while installing the certificate on TCORP, we have done the removal and installation of the certificate via Internet Information Services (IIS) Manager.

Steps for removing the previous certificate:
1. Open Internet Information Services (IIS) Manager: click on Start, click Run, type inetmgr, which will open the Internet Information Services (IIS) Manager.
2. Browse through the websites folder and right click on Default Web Site.
3. On the new pop-up window select the Directory Security tab, then click on the Server Certificate button.
4. On the next pop-up window, Web Server Certificate Wizard, click Next.
5. On the next pop-up window select Remove the current certificate and click Next.
6. On the next pop-up window, click Next to remove the certificate.
7. Click Finish; the certificate will now be removed completely from the default web site.

Steps to install the new certificate:
1. Click on the Server Certificate button again.
2. Choose Assign an existing certificate and click Next.
3. Select the newly imported certificate by the expiry date and click Next.
4. In the next window select the port number to be 443 (Secure Sockets Layer port) and click Next.
5. The next screen of the installation wizard will show the essential details of the certificate which is selected for installation. If you have chosen the wrong certificate you can go back to choose the valid certificate.
6. The next window is the certificate installation completion wizard; click Finish.
7. Validate the installed certificate by clicking on the View Certificate button under Server Certificate. Check the date of expiry of the certificate and the private key.

Steps to export a certificate:
1. Open the Default Web Site properties.
2. Click on the Server Certificate button, select the option Export the current certificate to a .pfx file, and click Next.
3. In the next screen select the file name and the path where to export the certificate to.
4. In the next screen enter the password to encrypt the exported certificate with and click Next. Note: if the certificate is exported for the first time an additional window appears; you need to choose the option of Export with the private key (it is advisable that the certificate should always be exported with the private key).
5. In the next pop-up window click Finish.

This finishes the export of the certificate, and the import on the other server should be done using the exported .pfx file. The certificate is imported and installed onto the server xxxxx from the exported .pfx file which was installed previously on xxxxx.

Steps to import the certificate from the .pfx file:
1. Open the certificate store as done earlier from Start -> Run -> type MMC -> add Certificates.
2. Right click on Certificates -> click Import.
3. The Certificate Import Wizard will appear; press Next to get past the Welcome page.
4. The next window will ask for the .pfx file that you exported from IIS. Find the file and press Next.
5. On the next page enter your password for the certificate. This is the password you used when you created the certificate on your IIS server for the very first time. Note that in none of the steps above do you provide a password -- this is because passwords are not provided on exportation, they are done on creation. Note: please do not forget the password, as the certificate cannot be imported without the password, and if you do forget it you have to export the certificate again, and it is not advisable to export the certificate many times.
6. On the next window, follow the defaults, choose "Place all certificates in the following store" and choose Next.
7. Once the certificate is placed in the certificate store through the import process, check the certificate for the private key again (by default the certificate should have the private key, as we have done it through the certificate export process).
8. Next follow the installation steps given earlier to install the certificate.

End of Stage 2

Stage 3 - Validation of the Outlook Web Access Functionality

Once the certificate install is complete it should be validated to make sure that the OWA site can only be accessed over a secured channel and not over a non-secure channel. Open Internet Explorer and try to access the OWA link with http://mail.yourserver.com; it will result in "the page must be viewed over a secure channel", as http refers to port number 80 and is not a secured channel. Try accessing OWA with https://mail.yourdomain.com, which should bring up the OWA screen using the secured channel HTTPS through port 443 (screen shot not reproduced here).

The certificate is now successfully installed on the CAS servers and the post implementation testing is also complete. As the environment has ISA 2006 servers, the certificate needs to be installed on them as well. The exported certificate will be provided to the concerned team to install the certificate on the ISA servers.
June 4th, 2009 4:59pm

A faster way than using OpenSSL is going with the procedure at http://support.microsoft.com/kb/889651. You must check the serial number of the new certificate, and with certutil -repairstore my "serialnumber" you add the private key created with the old certificate request. After this you can go to the Exchange Management Shell and run Enable-ExchangeCertificate for the modified certificate. Regards, Konrad Sagala, MCT, 5xMCITP, MCTS: Exchange 2010
December 2nd, 2009 3:27pm
