http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx

http://support.microsoft.com/kb/938397



You likely need 938397 installed. That fixed a non-Exchange-related issue for us where a customer with a 2003 IIS webservice box was trying to connect to one of our https sites that was renewed with an SHA256 certificate.



On 2/13/2014 8:56 AM, Mayo, Bill wrote:

Yes. It doesn't like them. Problem appears to be an issue with Windows 2003 and SHA256. Found some hotfixes, but I have a newer crypt32.dll than indicated, and I am still trying to figure out what I actually need.

*From:* listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] *On Behalf Of* Michael B. Smith
*Sent:* Thursday, February 13, 2014 9:50 AM
*To:* exchange@lists.myitforum.com
*Subject:* RE: [Exchange] Certificate Renewal Issue

Did you load new intermediates on the ISA server?

*From:* listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] *On Behalf Of* Mayo, Bill
*Sent:* Thursday, February 13, 2014 9:05 AM
*To:* exchange@lists.myitforum.com
*Subject:* RE: [Exchange] Certificate Renewal Issue

I initially did a renewal request. When I went to GoDaddy and pasted in this renewal request, it complained because of the non-FQDN. I contacted support, they told me to go into the existing certificate on GoDaddy and request removal of that name, which I did. This gave me a new certificate to download, and I was trying to figure out how to get it into Exchange to do a renewal on it instead. Based on the follow-up call with GoDaddy, I did a new request, which naturally had a pending request that I completed. That is all OK.

I do, however, have a new problem. Everything seems OK on my Exchange Servers, but ISA doesn't seem to like the intermediate certs. I did the same process on all the servers to do the import, but on the ISA Server, the intermediate certificates show "The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or have been altered." The only thing that comes to mind is that the Exchange boxes are Windows 2008 and the ISA box is still 2003. I'm trying to research that now.

*From:* listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] *On Behalf Of* Michael B. Smith
*Sent:* Wednesday, February 12, 2014 8:14 PM
*To:* exchange@lists.myitforum.com
*Subject:* RE: [Exchange] Certificate Renewal Issue

Bill --

How did you create the certificate request?

If you did it through Exchange, you WILL have a pending request.

If you did not do it through Exchange, then we need to look elsewhere.

Regards,

Michael B.

*From:* listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] *On Behalf Of* Mayo, Bill
*Sent:* Wednesday, February 12, 2014 12:54 PM
*To:* exchange@lists.myitforum.com
*Subject:* RE: [Exchange] Certificate Renewal Issue

Thanks, Steve. I have heard good things about certificatesforexchange.com, but the initial decision was made by someone else and we already paid for the renewal. I did contact support. The answer is that I had to create a new request, which I was trying to avoid. Hope I didn't screw it up.

*From:* listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] *On Behalf Of* Steve Ens
*Sent:* Wednesday, February 12, 2014 10:48 AM
*To:* exchange@lists.myitforum.com
*Subject:* Re: [Exchange] Certificate Renewal Issue

Hi Bill.

Certificatesforexchange.com is the way to go. You have issues, they walk you through it. And they're a great price too. Try calling GoDaddy. Perhaps they'll assist?

Steve

On Wed, Feb 12, 2014 at 9:40 AM, Mayo, Bill <bill.m...@pittcountync.gov> wrote:

It is time to renew our Exchange 2010 certificate and I am having an issue related to a non-FQDN alternative name that was on the existing certificate. The original certificate was created by an outside organization and they included this on the cert that was done through GoDaddy. I purchased a renewal already, but in trying to complete the process, GoDaddy complained about the no longer supported name. They advised I would need to remove the name on the existing cert and re-download. I have done that. However, I am stuck trying to get this cert to replace the one I have in Exchange. They are providing a ".crt" file and their instructions indicate to use the "complete pending request" option, which I don't have. If I try to import it straight into Exchange, it doesn't like it. I have done some googling, but I am not clear on what the next step is. As you can tell, I only know enough about certificates to be dangerous.

Bill Mayo


