According to the MSDN article Renew an Exchange Certificate, I'm supposed to use
Get-ExchangeCertificate -Thumbprint 'AD19B141228C7CF98B5F78DCED978B7C45E15434' | New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true
This will generate a CSR for me, which I send to our SSL certificate reseller through their SSL certificate renewal website. That site then promptly returns the following error:
[20022] CSR Country code invalid
Which isn't surprising, because the CSR doesn't contain any country code as far as I can tell.
In the past years, I've just bought a new certificate and replaced the old one. But I'd really like to understand what's going wrong with this renewal process.
Best Answer
As far as I know, this is supposed to grab your existing certificate, and make a new CSR with the same information (and I think a new key?).
Take a look at the output of
Get-ExchangeCertificate
and see if it contains a country code (C=XX appears in the subject DN of the certificate where XX is a 2-letter country code). If it does not, your old certificate didn't have one and you should make a new one with it. If it does, you might have found a bug and you won't be able to use this method. Either way, it seems you should create a fresh new CSR.
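
The check and the fresh request described in the answer above, as an added example that is not part of the original answer or of the Microsoft article. The thumbprint is the one from the question; the subject values, domain names and output path are placeholders to replace with your own.

```powershell
# Added example. Thumbprint is the one from the question; the subject values,
# domain names and output path below are placeholders.
$thumbprint = 'AD19B141228C7CF98B5F78DCED978B7C45E15434'
$cert = Get-ExchangeCertificate -Thumbprint $thumbprint

# Look for a C= component holding exactly two letters. Anchoring on the start
# of the string or a preceding comma keeps DC= components from matching.
$countryPattern = '(?:^|,\s*)C=(?<cc>[A-Za-z]{2})\s*(?:,|$)'

if ($cert.Subject -match $countryPattern) {
    Write-Host "Subject has country code $($Matches['cc']): $($cert.Subject)"
} else {
    Write-Host "Subject has no country code: $($cert.Subject)"
}

# Build a fresh request with the country stated explicitly instead of piping
# the old certificate into New-ExchangeCertificate. Replace XX with your
# two-letter country code.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'C=XX, O=Example Org, CN=mail.example.com' `
    -DomainName 'mail.example.com', 'autodiscover.example.com' `
    -PrivateKeyExportable $true

# The cmdlet returns the request as Base64 text; save it for submission.
Set-Content -Path 'C:\temp\exchange.req' -Value $request -Encoding Ascii

# Confirm the subject in the request before sending it to the reseller.
certutil -dump 'C:\temp\exchange.req'
```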