If you have a UCC certificate with multiple server names in the SUBJECT ALTERNATIVE NAMES and you want to apply that certificate to more than one server, you cannot do it through the Exchange Management Console GUI.  If you try to IMPORT a certificate that was created from a Certificate Request made on a different server, using the Exchange Management Console, the certificate WILL import without error but it will not appear in the EMC > SERVER CONFIGURATION > <server> > EXCHANGE CERTIFICATES tab.  This means that you cannot ASSIGN SERVICES TO CERTIFICATE.

The reason is that when you EXPORT a certificate through the EMC, it does not include the private key.  Fortunately this is easily worked around.  You must use the CERTIFICATES MMC to apply a certificate to more than one Exchange server.

  1. Connect to the server that already has the certificate correctly installed (the one that the CSR for the cert was created on)
  2. Click START, type MMC and click on it.
  3. Click FILE, ADD/REMOVE SNAPIN (in the MMC)
  4. Double click on CERTIFICATES from the AVAILABLE SNAP-INS list
  5. Select COMPUTER ACCOUNT
  6. Select LOCAL COMPUTER (this is the default)
  7. Click the FINISH button
  8. Expand CERTIFICATES > PERSONAL > CERTIFICATES
  9. Right click on the Cert in question and select ALL TASKS > EXPORT
  10. Select YES, EXPORT THE PRIVATE KEY and click NEXT
  11. Select INCLUDE ALL CERTIFICATES… and EXPORT ALL EXTENDED PROPERTIES
  12. Type in any password you can remember
  13. Click BROWSE and enter the file name
  14. Copy the resulting .PFX certificate to your second server and run through steps 1 through 7 above to open the CERTIFICATES MMC on that second server.   Note that if the certificate in question is already in place on the second server (imported without its private key), you need to remove it first: right click on it and select DELETE
  15. Expand CERTIFICATES > PERSONAL > CERTIFICATES
  16. Right click on the Cert in question and select ALL TASKS > IMPORT
  17. Browse to the .PFX you created in step 13 above.  Note that you will have to change the FILE TYPES drop down to ALL FILES.
  18. Complete the wizard as is obvious
  19. Go back to your Exchange Management Console and expand SERVER CONFIGURATION > <server> > EXCHANGE CERTIFICATES tab
  20. Right click on the cert and select ASSIGN SERVICES TO CERTIFICATE.  Note that if you do not see the certificate there, right click and select REFRESH.
  21. Bingo Bongo, you are donzo
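For admins who would rather script the same export/import than click through the MMC wizard twice, here is a PowerShell equivalent. This is an added example, not part of the original post: it assumes the PKI module cmdlets Export-PfxCertificate and Import-PfxCertificate (Windows Server 2012 or later), that the second-server section is run from the Exchange Management Shell, and placeholder values for the thumbprint, the share path and the service list, all of which you must replace for your environment.

```powershell
# Added example (not from the original post): scripted equivalent of the MMC steps above.
# Assumptions: PKI module cmdlets (Export-PfxCertificate / Import-PfxCertificate), Exchange Management
# Shell on the second server, and placeholder values for thumbprint, share path and services.

# --- On the first server (the one the CSR was generated on, so the private key exists there) ---
$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'   # placeholder: copy from the Certificates MMC or Get-ExchangeCertificate
$Cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint"

# Stop here if there is no private key: a PFX without it reproduces the exact symptom the post
# describes (the certificate imports cleanly but never appears as assignable in the EMC).
if (-not $Cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key on this server; export from the server that generated the CSR."
}

$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$PfxPath     = '\\FILESERVER\Transfer\exchange-ucc.pfx'   # placeholder share path

# BuildChain writes the intermediate and root certificates into the PFX as well,
# matching "INCLUDE ALL CERTIFICATES in the certification path" in the export wizard.
Export-PfxCertificate -Cert $Cert -FilePath $PfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null

# --- On the second server (run from the Exchange Management Shell) ---
$Thumbprint  = 'REPLACE_WITH_CERT_THUMBPRINT'             # same placeholder thumbprint as above
$PfxPath     = '\\FILESERVER\Transfer\exchange-ucc.pfx'   # placeholder share path
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Remove a stale, key-less copy of the same certificate first, as step 14 does by hand in the MMC.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint -and -not $_.HasPrivateKey } |
    Remove-Item

$Imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword

# Verify the key came across before assigning services; otherwise the EMC will hide the cert again.
if (-not $Imported.HasPrivateKey) {
    throw 'Import succeeded but the private key is missing; re-export with "Yes, export the private key".'
}

# Equivalent of ASSIGN SERVICES TO CERTIFICATE in the EMC.
# The service list is an assumption: enable only the services this server actually hosts.
Enable-ExchangeCertificate -Thumbprint $Imported.Thumbprint -Services IIS,SMTP,POP,IMAP

# Confirm Exchange now sees the certificate with its key and the services bound to it.
Get-ExchangeCertificate -Thumbprint $Imported.Thumbprint |
    Format-List Subject, CertificateDomains, Services, HasPrivateKey

# The PFX holds the private key for every name in the SAN list; do not leave it on the share.
Remove-Item -Path $PfxPath -Force
```

The two HasPrivateKey checks are the important part: they catch, before you touch the EMC, the one condition the post identifies as the cause of the missing certificate.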

From my testing and reading, this process will be successful on Exchange 2010, Exchange 2013 and Exchange 2016


I hope this helps.
