If you have a UCC certificate with multiple server names in the SUBJECT ALTERNATIVE NAMES and you want to apply that certificate to more than one server, you cannot do it through the Exchange Management Console GUI. If you try to IMPORT a certificate that was created from a Certificate Request made on a different server using the Exchange Management Console, the certificate WILL import without error, but it will not appear in the EMC > SERVER CONFIGURATION > <server> > EXCHANGE CERTIFICATES tab. This means that you cannot ASSIGN SERVICES TO CERTIFICATE.
The reason is that when you EXPORT a certificate through the EMC, it does not include the private key. Fortunately this is easily worked around. You must use the CERTIFICATES MMC to apply a certificate to more than one Exchange server.
1. Connect to the server that already has the certificate correctly installed (the one that the CSR for the cert was created on).
2. Click START, type MMC and click on it.
3. Click FILE, ADD/REMOVE SNAP-IN (in the MMC).
4. Double click on CERTIFICATES in the AVAILABLE SNAP-INS list.
5. Select COMPUTER ACCOUNT.
6. Select LOCAL COMPUTER (this is the default).
7. Click the FINISH button.
8. Expand CERTIFICATES > PERSONAL > CERTIFICATES.
9. Right click on the cert in question and select ALL TASKS > EXPORT.
10. Select YES, EXPORT THE PRIVATE KEY and click NEXT.
11. Select INCLUDE ALL CERTIFICATES… and EXPORT ALL EXTENDED PROPERTIES.
12. Type in any password you can remember.
13. Click BROWSE and enter the file name.
14. Copy the resulting .PFX certificate to your second server and run through steps 1 through 7 above to open the CERTIFICATES MMC on that second server. Note that if you see the certificate in question already in place, you need to remove it: right click on it and select DELETE.
15. Expand CERTIFICATES > PERSONAL > CERTIFICATES.
16. Right click on CERTIFICATES and select ALL TASKS > IMPORT.
17. Browse to the .PFX you created in step 13 above. Note that you will have to change the FILE TYPES drop down to ALL FILES.
18. Complete the wizard as is obvious.
19. Go back to your Exchange Management Console and expand SERVER CONFIGURATION > <server> > EXCHANGE CERTIFICATES tab.
20. Right click on the cert and select ASSIGN SERVICES TO CERTIFICATE. Note that if you do not see the certificate there, right click and select REFRESH.
21. Bingo Bongo, you are donzo.
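The same export, import and assign-services procedure can be driven from the Exchange Management Shell instead of the two consoles. This is an added example, not part of the original post; the thumbprint, server names, file path and service list are placeholders to replace with your own values.

```powershell
# Added example: the MMC/EMC steps above, done from the Exchange Management Shell.
# Placeholders (replace with your own values):
$Thumbprint   = 'THUMBPRINT_OF_UCC_CERT'   # from Get-ExchangeCertificate on the source server
$SourceServer = 'EX01'                      # server the CSR was created on
$TargetServer = 'EX02'                      # server that should also use the certificate
$PfxPath      = 'C:\Temp\ucc.pfx'           # where the .PFX is written; removed at the end

# Password protecting the .PFX (the private key travels inside this file).
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# 1. Check that the source copy really has its private key. A certificate without
#    one is what the EMC export produces and is why it never shows up in the tab.
$cert = Get-ExchangeCertificate -Server $SourceServer -Thumbprint $Thumbprint
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint on $SourceServer has no private key; export from the server that created the CSR."
}
$cert | Format-List Subject, CertificateDomains, NotAfter, Services

# 2. Export as a password-protected binary .PFX (private key included) and write the bytes.
$export = Export-ExchangeCertificate -Server $SourceServer -Thumbprint $Thumbprint `
    -BinaryEncoded -Password $PfxPassword
Set-Content -Path $PfxPath -Value $export.FileData -Encoding Byte

# 3. On the target, remove a key-less copy if one is already present (step 14 above).
$existing = Get-ExchangeCertificate -Server $TargetServer | Where-Object { $_.Thumbprint -eq $Thumbprint }
if ($existing -and -not $existing.HasPrivateKey) {
    Remove-ExchangeCertificate -Server $TargetServer -Thumbprint $Thumbprint -Confirm:$false
}

# 4. Import the .PFX on the target server (steps 15 to 18 above).
Import-ExchangeCertificate -Server $TargetServer -Password $PfxPassword `
    -FileData ([Byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0))

# 5. Assign services, the equivalent of ASSIGN SERVICES TO CERTIFICATE (steps 19 and 20).
Enable-ExchangeCertificate -Server $TargetServer -Thumbprint $Thumbprint -Services IIS, SMTP

# 6. Verify the result, then delete the .PFX so the private key is not left on disk.
Get-ExchangeCertificate -Server $TargetServer -Thumbprint $Thumbprint |
    Format-List Subject, HasPrivateKey, Services
Remove-Item -Path $PfxPath -Force
```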
From my testing and reading, this process will be successful on Exchange 2010, Exchange 2013 and Exchange 2016.
I hope this helps.