How to renew the SSL certificate used on our Exchange server

exchange-2010ssl-certificatex509

According to the MSDN article Renew an Exchange Certificate, I'm supposed to use

Get-ExchangeCertificate -Thumbprint 'AD19B141228C7CF98B5F78DCED978B7C45E15434' | New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true

This will generate a CSR for me, which I send to our SSL certificate reseller through their SSL certificate renewal website. That site then promptly returns the following error:

[20022] CSR Country code invalid

Which isn't surprising, because the CSR doesn't contain any country code as far as I can tell.

In the past years, I've just bought a new certificate and replaced the old one. But I'd really like to understand what's going wrong with this renewal process.

Best Answer

As far as I know, this is supposed to grab your existing certificate, and make a new CSR with the same information (and I think a new key?).

Take a look at the output of Get-ExchangeCertificate and see if it contains a country code (C=XX appears in the subject DN of the certificate where XX is a 2-letter country code). If it does not, your old certificate didn't have one and you should make a new one with it. If it does, you might have found a bug and you won't be able to use this method.

Either way, it seems you should create a fresh new CSR.

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

Tomcat – Import private key and certificate into Tomcat

All you need to do is this for a Tomcat server:

Start with the original keystore that you used to create your CSR. This keystore has on private key in it with the alias called "tomcat"
From your certificate reply you will have a reply-cert , a intermediate (probably) , and also a root cert that are 3 separate files.
use keytool -import root cert with alias "root"
use keytool -import intermediate cert with alias "intermediate"
finally use keytool -import cert-reply.crt into keystore with alias "tomcat". this action imports the cert reply into position on top of the cert you generated when you created the keystore. this action will generate a certificate chain of length 2 or 3
use keytool -list to see the contents and the chain

NOTE: for an Apache server, the steps are a bit different.

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

Tomcat – Import private key and certificate into Tomcat

Related Topic