A Certificate Signing Request (CSR) is required to activate an SSL certificate. On Exchange 2007 it is generated with the New-ExchangeCertificate cmdlet in the Exchange Management Shell (EMS), which you can find at 'Start' > 'All Programs' > 'Microsoft Exchange Server 2007' > 'Exchange Management Shell'.
The -GenerateRequest switch makes the cmdlet produce a CSR (and a matching private key in the local machine store) instead of a self-signed certificate. The -SubjectName parameter carries the X.500 subject fields that will appear in the issued certificate.
The subject is written as a comma-separated list of the following abbreviated fields:
- 'CN' = Common Name, the fully qualified domain name (FQDN) the certificate is for;
- 'C' = two-letter country code;
- 'S' = name of the state or province;
- 'L' = name of the locality/city;
- 'O' = name of your organization/company;
- 'OU' = organizational unit (Support, Sales, IT, etc.).
An example command to generate a certificate signing request would be: New-ExchangeCertificate -GenerateRequest -SubjectName "C=IN, S=Maharashtra, L=Mumbai, O=Mumbai Hosting, OU=SSL Support, CN=www.mumbaihosting.com" -KeySize 2048 -Path c:\www.mumbaihosting.com.req -PrivateKeyExportable $true
* The subject values and the output path in the example should be replaced with the valid details for your own organization/company;
* Following the Certificate Authorities' policy change of December 20, 2010, SSL certificates cannot be issued for CSRs with keys shorter than 2048 bits, so keep -KeySize 2048 (or larger);
* The parameter -Path c:\www.example.com.req specifies where the CSR file will be written;
* The parameter -PrivateKeyExportable $true allows the certificate to be exported together with its RSA private key, for moving it to another server or for backup. Only enable it when you actually need to move or back up the key: an exportable key can be copied off the server by anyone with local administrator rights, so leave it at $false otherwise.
As a result, a CSR file named www.example.com.req is created in the root of your C: drive. It can be opened with any text editor such as Notepad. The entire content of that file, including the header and footer lines (-----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- as written by Exchange 2007; some tools label them CERTIFICATE SIGNING REQUEST instead), should be pasted into the corresponding box during certificate activation.
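The CSR procedure above, as an added PowerShell example that is not part of the original article. It runs in the Exchange Management Shell, generates the request with New-ExchangeCertificate, and then checks the output file before you paste it into the CA portal: that the BEGIN/END lines are present and that the request really carries a 2048-bit key. The subject fields, the SubjectAltName list (an assumption: Exchange usually needs more than one name, for example Autodiscover, and -DomainName is the parameter that adds them) and the output path are assumed values; the key-length check relies on the "Public Key Length: ... bits" line that certutil -dump prints for a request.

```powershell
# Added example, not from the original article: generate a 2048-bit CSR and
# sanity-check it before submitting it to the Certificate Authority.
# Assumed values: subject fields, SAN names and the output path.
$subject  = "C=IN, S=Maharashtra, L=Mumbai, O=Mumbai Hosting, OU=SSL Support, CN=www.mumbaihosting.com"
$sanNames = @("www.mumbaihosting.com", "autodiscover.mumbaihosting.com")   # assumption: names Exchange clients will connect to
$reqPath  = "C:\www.mumbaihosting.com.req"

# -PrivateKeyExportable is set to $false here on purpose: flip it to $true only
# when the key must be moved to another server or backed up.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName $subject `
    -DomainName $sanNames `
    -KeySize 2048 `
    -Path $reqPath `
    -PrivateKeyExportable $false

# The .req file is Base64 text wrapped in BEGIN/END lines; the CA wants all of it.
$csr = Get-Content -Path $reqPath
if ($csr[0] -notmatch '^-----BEGIN .*CERTIFICATE REQUEST-----$' -or
    $csr[-1] -notmatch '^-----END .*CERTIFICATE REQUEST-----$') {
    throw "Unexpected CSR format in $reqPath; header or footer line is missing"
}

# certutil can decode the PKCS#10 request; refuse anything shorter than 2048 bits
# because no public CA will sign it.
$dump = & certutil -dump $reqPath 2>&1 | Out-String
if ($dump -match 'Public Key Length:\s*(\d+)\s*bits') {
    $bits = [int]$Matches[1]
    if ($bits -lt 2048) { throw "CSR key is only $bits bits; regenerate with -KeySize 2048" }
    "CSR $reqPath is ready: $bits-bit key, subject $subject"
} else {
    Write-Warning "Could not read the key length from certutil output; inspect $reqPath manually"
}

# Print the request so it can be copied into the activation form as-is.
$csr
```

The request stays in the machine's "Certificate Enrollment Requests" store until the issued certificate is imported; that is where the private key lives in the meantime, which is why the CSR must be completed on the same server it was generated on.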
We recommend using the Exchange Management Shell to install the SSL certificate on a server with Exchange 2007.
As with CSR generation, you will run cmdlets with the corresponding parameters. First, make sure you have saved the issued certificate sent to you by the Certificate Authority to the root directory of the C: drive. The file must be in a format the Exchange server accepts: either a single certificate (.cer) or a PKCS#7 bundle (.p7b or .p7s) containing the certificate chain.
Next, import the saved SSL certificate. For this, open EMS (Exchange Management Shell):
Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management Shell
and run two commands chained together: one that installs the certificate on the server and one that enables it for the required services. Both go on the same line, separated by a pipe character, because Enable-ExchangeCertificate reads the thumbprint of the certificate object that Import-ExchangeCertificate emits:
Import-ExchangeCertificate -Path C:\www.example.com.cer | Enable-ExchangeCertificate -Services "SMTP, IMAP, POP, IIS"
- C:\www.example.com.cer is the path to the saved issued SSL certificate;
- "SMTP, IMAP, POP, IIS" lists every service the certificate should secure. Valid values are SMTP, IMAP, POP, IIS and UM; include only the services this server actually runs.
If you are installing a Comodo Certificate: After installation you will need to follow the procedure outlined in "Root and Intermediate Certificate installation via MMC", with the other files that you have been sent, in order to complete the installation.
The installation can be verified with the command:
Get-ExchangeCertificate -DomainName www.example.com
In the Services column the enabled services are shown as single letters: S = SMTP, I = IMAP, P = POP3 and W = Web (IIS), so a certificate enabled for all four shows S, I, P and W. If your certificate is not properly enabled, re-run Enable-ExchangeCertificate, passing the certificate's thumbprint as the -Thumbprint argument:
Enable-ExchangeCertificate -Thumbprint [paste thumbprint] -Services "SMTP, IMAP, POP, IIS"
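The import, enable and verify steps above, as an added PowerShell example that is not part of the original article. Instead of trusting that the commands were silent, it re-reads the certificate from the store by thumbprint and checks that a private key is bound, that the certificate has not expired, and that every requested service is actually enabled, re-running the enable step by thumbprint when one is missing. The file path and service list are assumed values; the HasPrivateKey and NotAfter properties come from the underlying X509Certificate2 object, and the check on Services assumes its string form names the services (for example "IMAP, POP, IIS, SMTP").

```powershell
# Added example, not from the original article: import, enable and verify an
# Exchange 2007 certificate in one go. Assumed values: file path and services.
$certFile = "C:\www.example.com.cer"
$services = "SMTP, IMAP, POP, IIS"

# Import-ExchangeCertificate emits the certificate object; Enable-ExchangeCertificate
# takes the Thumbprint from the pipeline.
$cert = Import-ExchangeCertificate -Path $certFile
if (-not $cert) { throw "Import of $certFile produced no certificate object" }
$cert | Enable-ExchangeCertificate -Services $services

# Re-read from the store instead of trusting the cmdlets' silence.
$installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
if (-not $installed.HasPrivateKey) {
    throw "No private key bound to $($installed.Thumbprint); see the PrivateKeyMissing section"
}
if ($installed.NotAfter -lt (Get-Date)) {
    throw "Certificate $($installed.Thumbprint) expired on $($installed.NotAfter)"
}

# Compare the requested list with what the server reports as enabled.
$wanted  = $services -split '\s*,\s*'
$enabled = $installed.Services.ToString()
$missing = @($wanted | Where-Object { $enabled -notmatch "\b$_\b" })
if ($missing.Count -gt 0) {
    Write-Warning "Services not enabled: $($missing -join ', '); retrying by thumbprint"
    Enable-ExchangeCertificate -Thumbprint $installed.Thumbprint -Services $services
    $installed = Get-ExchangeCertificate -Thumbprint $installed.Thumbprint
}

# Final state, in the form a reviewer would want to see in a change ticket.
$installed | Format-List Subject, Thumbprint, NotBefore, NotAfter, Services, HasPrivateKey
```

Enabling a certificate for IIS or SMTP replaces the binding the server currently uses for that service, so run this during a maintenance window and keep the previous certificate's thumbprint handy for a rollback with Enable-ExchangeCertificate.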
If the installation returned the error message "The certificate with thumbprint [XXX] was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing)", use one of the solutions below, depending on the cause:
- The CSR and RSA key pair were generated on another server. In this case you need to export the key pair from that server and import it here before enabling the certificate;
- The RSA key was lost or deleted. In this case the certificate cannot be enabled. You need to reissue the certificate using a new CSR generated via EMS on this server;
- If neither explanation matches and you cannot find the cause, run the command certutil -repairstore my "YourSerialNumber" (quotes included). If the private key is still on the server but its link to the certificate was broken, this command restores the link. A broken link is visible in the MMC Certificates snap-in: the certificate icon in 'Personal' > 'Certificates' is missing the small golden key.
Here are more detailed instructions on how to resolve the last case:
- Open MMC (Microsoft Management Console) > add the Certificates snap-in for the Local Computer account > double-click the imported certificate under Personal > Certificates > select the 'Details' tab > click the 'Serial Number' field and copy that string.
- In a command prompt run as administrator, type: certutil -repairstore my "YourSerialNumber"
- Go back to the MMC, right-click Certificates and select Refresh.
- Double-click the problem certificate. At the bottom of the General tab you should now see: "You have a private key that corresponds to this certificate."
- The private key is attached to the certificate again. Run Enable-ExchangeCertificate once more.
- To confirm that all required steps have been completed and that the certificate is installed and operational, run:
Get-ExchangeCertificate -Thumbprint <thumbprint> | Format-List
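The PrivateKeyMissing troubleshooting above, as an added PowerShell example that is not part of the original article. It looks the certificate up in the local machine's Personal store by thumbprint, checks whether a private key is bound, runs certutil -repairstore with the certificate's serial number when it is not, and re-checks before attempting Enable-ExchangeCertificate. If the repair does not bring the key back, the only remaining options are the first two from the list above (import the key pair from the server that generated the CSR, or reissue from a new CSR), and the script says so. The thumbprint and service list are assumed values.

```powershell
# Added example, not from the original article: diagnose and repair a
# PrivateKeyMissing error without clicking through MMC.
# Assumed values: the thumbprint and the service list.
$thumbprint = "PASTE-THUMBPRINT-HERE"
$services   = "SMTP, IMAP, POP, IIS"

function Get-MachineCert([string]$Thumbprint) {
    # LocalMachine\My is the store Exchange and certutil -repairstore my both use.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    try {
        $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
    } finally {
        $store.Close()
    }
}

$cert = Get-MachineCert $thumbprint
if (-not $cert) { throw "Certificate $thumbprint is not in LocalMachine\My; import it first" }

if (-not $cert.HasPrivateKey) {
    # certutil matches the certificate by serial number, not by thumbprint.
    $serial = $cert.SerialNumber
    "No private key linked to $thumbprint; running certutil -repairstore my $serial"
    $output = & certutil -repairstore my "$serial" 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        throw ("certutil failed (exit $LASTEXITCODE): $output" +
               "`nThe key is not on this server. Import the key pair from the server " +
               "that generated the CSR, or reissue from a new CSR generated here.")
    }
    # Re-read the store: the link is only visible on a fresh lookup.
    $cert = Get-MachineCert $thumbprint
    if (-not $cert.HasPrivateKey) {
        throw "Key still missing after repair; reissue the certificate from a new CSR"
    }
}

# Key is bound: enable the certificate and show the final state.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services $services
Get-ExchangeCertificate -Thumbprint $thumbprint | Format-List Subject, Thumbprint, NotAfter, Services, HasPrivateKey
```

certutil -repairstore only re-links a key that already exists in the machine's key container; it never recovers a deleted key, which is why the script treats a non-zero exit or a still-missing key as a signal to reissue rather than retry.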