Trying to Import and Enable a PFX file using Exchange Powershell
I'm using Palm Centros with ActiveSync/Exchange 2007 with a Go Daddy class 2 SSL cert (UCC), so I'm required to use printablestring code rather than UTF-8. If I import/enable the "straight" UCC from Go Daddy in Exchange PowerShell, it works fine. However, I have to create a CSR with the printablestring code, so the key ends up being separate. I can combine the key with the .crt file I get from Go Daddy using OpenSSL to create a PFX file, but I can never import the PFX file using Exchange PowerShell.

Is there a specific Import cmdlet for PFX to produce the thumbprint? And if so, is there a specific cmdlet to Enable using this thumbprint as the next step?

If not, has anyone else run into this issue with Palm Centros/ActiveSync? What did you do to allow access to Exchange?
July 30th, 2009 5:23pm

I think you are asking two questions at once here. Let me make sure I understand:

1. Can you use PowerShell to import certs in the PFX format?
2. Does anyone have experience with ActiveSync issues and Palm phones?

1) I am no certificate expert, but I always thought PFX files were for including the private AND public key. I've used this format to export a key pair and import it to another server. This doesn't really apply to an Exchange scenario. However, you can open Certificate Manager (mmc, add the Certificates snap-in) and import certificates that way. If a cert has a valid public and private key, it will be visible using the Get-ExchangeCertificate command. From there you can do whatever you would normally do.

2) I think Palm has an issue with UCC certs: they cannot read the alternate names. The workaround is to have the ActiveSync FQDN as the first name in the list (subject name). This way the phone doesn't need to try to parse the additional names. See more here: http://mike-crowley.spaces.live.com/blog/cns!C23CB95E1200929!178.entry

Mike Crowley A+, Network+, Security+, MCT, MCSE, MCTS, MCITP: Enterprise Administrator / Messaging Administrator
Read my 2 on the Psychology of a TechNet Forum Thread!
July 30th, 2009 6:11pm

Import the PFX file (http://support.microsoft.com/kb/232137) onto your CAS server, then use the Get-ExchangeCertificate cmdlet to identify your new certificate, then use Enable-ExchangeCertificate -Thumbprint -Services.

Is the CN value of your certificate the same as the OWA URL?
July 30th, 2009 6:23pm
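The import, identify and enable sequence from the reply above, written out as an added PowerShell example (it is not code from the thread or from Microsoft's documentation). The file paths, the ActiveSync/OWA host name and the OpenSSL bundling step are assumptions; the Import-ExchangeCertificate syntax is the Exchange 2007 SP1 form with -Path and a SecureString password.

```powershell
# Added example, not from the thread. Placeholders below are assumptions.
$keyPath = 'C:\certs\mail.example.com.key'   # private key created with the OpenSSL CSR
$crtPath = 'C:\certs\mail.example.com.crt'   # certificate returned by Go Daddy
$pfxPath = 'C:\certs\mail.example.com.pfx'
$owaHost = 'mail.example.com'                # FQDN the phones and OWA connect to

$plain       = Read-Host -Prompt 'Password to protect/open the PFX'
$pfxPassword = ConvertTo-SecureString $plain -AsPlainText -Force

# Step 0: bundle key + cert into a PFX only if one does not exist yet.
# -inkey is what carries the private key; a PFX built without it gives
# the "missing private key" error on import that the thread describes.
if (-not (Test-Path $pfxPath)) {
    & openssl pkcs12 -export -in $crtPath -inkey $keyPath -out $pfxPath -passout "pass:$plain"
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }
}

# Step 1: import the PFX into the local computer store (Exchange 2007 SP1 syntax).
$imported = Import-ExchangeCertificate -Path $pfxPath -Password $pfxPassword

# Step 2: locate it and verify Exchange sees a usable private key and that the
# subject/SAN list covers the host name clients use (the CN/OWA URL check above).
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; Enable-ExchangeCertificate will fail"
}
if ($cert.CertificateDomains -notcontains $owaHost) {
    throw "Certificate does not list $owaHost (has: $($cert.CertificateDomains -join ', '))"
}
Write-Host "Thumbprint: $($cert.Thumbprint)  Subject: $($cert.Subject)"

# Step 3: enable it for IIS (OWA/ActiveSync) and SMTP, then show the result.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, Subject, CertificateDomains, NotAfter
```

Run it from the Exchange Management Shell on the CAS server; the HasPrivateKey check is the quickest way to tell a PFX built without the key from one that Exchange can actually enable.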

Yeah, I guess I am kinda asking two questions, as you stated.

1) I'm not sure about the public key part, but creating the PFX was a combination of the .crt file I received/bought from Go Daddy and the original .key file I created when I issued a CSR to supply to Go Daddy. Does that make sense? First, I generated a .key file and a .csr. Second, I supplied the .csr to Go Daddy for them to create my .crt file. Third, I used OpenSSL to combine the .key and the .crt file to create a .pfx file. When I tried to Import the PFX file using Exchange PowerShell, it kicked back an error that had to do with the private key. However, if I tried to Import the .crt file, it worked fine.

2) The UCC has the ActiveSync FQDN as the first name, so hopefully that won't be an issue. A UCC is what Go Daddy told me I had to use with Exchange, as my wildcard cert wouldn't work for the Centros (along the same lines as what you mentioned).

If this doesn't make any sense, let me know and I'll try to elaborate. We are getting ready to go live in Sept. and everything is up and running great except the Centro/ActiveSync connectivity.
July 30th, 2009 6:31pm

This didn't work for me, unfortunately. I'm not able to work with the cert in IIS 7; it keeps kicking errors back at me. Because it is a UCC specifically for Exchange, I have to use PowerShell. When I tried using the Enable command in PowerShell with the PFX, it errored out.
July 30th, 2009 7:04pm

You need to open a management console and add the Certificates snap-in for the computer account, then go to the Personal certificate store, right-click and Import, selecting your PFX file.
July 30th, 2009 7:27pm

You're doing something wrong; you shouldn't need to use OpenSSL at all. From what you're doing, you're not including the private key, and you're probably getting something like "you're missing a private key" when you try to import using the shell. All you need to do is import the certificate given to you by Go Daddy in the Certificates MMC and export it as a PFX file INCLUDING the private key.

1. Start, Run, type mmc
2. File, Add/Remove Snap-in
3. Add Certificates, choose Computer account
4. Expand Personal --> Certificates. If your Go Daddy cert is there, right-click, All Tasks, Export. Export the private key.

James Chong (MVP) MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
July 30th, 2009 10:05pm

So the Palms do not trust this cert? Exporting to a PFX is a rather simple process with PowerShell. (I guess you had no issues importing the original returned cert.) Why the need to import again as a PFX? I assume when you generated the original GoDaddy request you set PrivateKeyExportable:$true? I'm a little confused why the need to do all this.
July 30th, 2009 10:14pm

Yes, I suppose there's an update. I'm really new to this, so if it seems like everything I've done has been wrong, it's because I'm basically learning as I go.

When I created the CSR I used OpenSSL because it was the only way I could find to create a printablestring certificate, which is required by Palm Centros. Using this method, I didn't have the option to set the private key to exportable, which is why I had to create a PFX file when I downloaded the Go Daddy certificate: to tie the key back to the cert.

I figured out what I was doing wrong when trying to import the PFX using Exchange PowerShell, but I still couldn't enable it; it errored out with an accessible key error.

However, none of this matters anyway. I've been on the phone with Sprint and they've been in contact with Palm. Palm stated specifically that Go Daddy certificates are not supported at all and that if I wanted it to work, I would need to buy a different third-party certificate. Everything I've done up to this point has been a waste of time.

I would rather pick up a new, different set of phones/PDAs at this point rather than deal with Palm any more.
August 12th, 2009 4:32pm
