http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx
http://support.microsoft.com/kb/938397
You likely need 938397 installed. That fixed a non-Exchange-related
issue for us where a customer with a 2003 IIS webservice box was trying
to connect to one of our https sites that was renewed with a SHA256
certificate.
On 2/13/2014 8:56 AM, Mayo, Bill wrote:
Yes. It doesn't like them. Problem appears to be an issue with
Windows 2003 and SHA256. Found some hotfixes, but I have a newer
crypt32.dll than indicated, and I am still trying to figure out what I
actually need.

*From:* listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] *On Behalf Of* Michael B. Smith
*Sent:* Thursday, February 13, 2014 9:50 AM
*To:* exchange@lists.myitforum.com
*Subject:* RE: [Exchange] Certificate Renewal Issue

Did you load new intermediates on the ISA server?

*From:* listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] *On Behalf Of* Mayo, Bill
*Sent:* Thursday, February 13, 2014 9:05 AM
*To:* exchange@lists.myitforum.com
*Subject:* RE: [Exchange] Certificate Renewal Issue

I initially did a renewal request. When I went to GoDaddy and pasted
in this renewal request, it complained because of the non-FQDN. I
contacted support, they told me to go into the existing certificate on
GoDaddy and request removal of that name, which I did. This gave me a
new certificate to download, and I was trying to figure out how to get
it into Exchange to do a renewal on it instead. Based on the
follow-up call with GoDaddy, I did a new request, which naturally had
a pending request that I completed. That is all OK.
I do, however, have a new problem. Everything seems OK on my Exchange
Servers, but ISA doesn't seem to like the intermediate certs. I did
the same process on all the servers to do the import, but on the ISA
Server, the intermediate certificates show "The integrity of this
certificate cannot be guaranteed. The certificate may be corrupted or
have been altered." The only thing that comes to mind is that the
Exchange boxes are Windows 2008 and the ISA box is still 2003. I'm
trying to research that now.

*From:* listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] *On Behalf Of* Michael B. Smith
*Sent:* Wednesday, February 12, 2014 8:14 PM
*To:* exchange@lists.myitforum.com
*Subject:* RE: [Exchange] Certificate Renewal Issue

Bill --
How did you create the certificate request?
If you did it through Exchange, you WILL have a pending request.
If you did not do it through Exchange, then we need to look elsewhere.
Regards,
Michael B.

*From:* listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] *On Behalf Of* Mayo, Bill
*Sent:* Wednesday, February 12, 2014 12:54 PM
*To:* exchange@lists.myitforum.com
*Subject:* RE: [Exchange] Certificate Renewal Issue

Thanks, Steve. I have heard good things about
certificatesforexchange.com, but the initial decision was made by someone
else and we already paid for the renewal. I did contact support. The
answer is that I had to create a new request, which I was trying to
avoid. Hope I didn't screw it up.

*From:* listsad...@lists.myitforum.com
[mailto:listsad...@lists.myitforum.com] *On Behalf Of* Steve Ens
*Sent:* Wednesday, February 12, 2014 10:48 AM
*To:* exchange@lists.myitforum.com
*Subject:* Re: [Exchange] Certificate Renewal Issue

Hi Bill.
Certificatesforexchange.com is the way to go. You have issues, they
walk you through it. And they're a great price too. Try calling
GoDaddy. Perhaps they'll assist?
Steve

On Wed, Feb 12, 2014 at 9:40 AM, Mayo, Bill
<bill.m...@pittcountync.gov> wrote:
It is time to renew our Exchange 2010 certificate and I am having an
issue related to a non-FQDN alternative name that was on the existing
certificate. The original certificate was created by an outside
organization and they included this on the cert that was done through
GoDaddy. I purchased a renewal already, but in trying to complete the
process, GoDaddy complained about the no longer supported name. They
advised I would need to remove the name on the existing cert and
re-download. I have done that. However, I am stuck trying to get
this cert to replace the one I have in Exchange. They are providing a
".crt" file and their instructions indicate to use the "complete
pending request" option, which I don't have. If I try to import it
straight into Exchange, it doesn't like it. I have done some
googling, but I am not clear on what the next step is. As you can
tell, I only know enough about certificates to be dangerous.
Bill Mayo
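
Added example, not part of any message in this thread: the Windows 2003 / SHA256 diagnosis above depends on which signature algorithm each certificate in the chain carries. The Python sketch below reads that OID straight from a DER-encoded certificate, so the intermediates can be checked on any machine before they are imported on the older host. All function names are hypothetical, and the sample input is a constructed skeleton rather than a real certificate.

```python
# Added example: report whether a DER certificate is signed with a SHA-2 algorithm.
RSA_SIG_PREFIX = bytes.fromhex("2a864886f70d0101")   # OID 1.2.840.113549.1.1
SHA2_OIDS = {"1.2.840.113549.1.1.%d" % n for n in (11, 12, 13)}  # sha256/384/512WithRSA

def read_tlv(buf, pos):  # returns (tag, value, next_pos) for the element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    first = min(body[0] // 40, 2)           # first byte packs the first two arcs
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(der):  # dotted OID of Certificate.signatureAlgorithm
    tag, cert, _ = read_tlv(der, 0)         # outer Certificate SEQUENCE
    _, _, pos = read_tlv(cert, 0)           # skip tbsCertificate
    seq_tag, alg, _ = read_tlv(cert, pos)   # AlgorithmIdentifier SEQUENCE
    oid_tag, oid, _ = read_tlv(alg, 0)
    if (tag, seq_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("unexpected certificate layout")
    return decode_oid(oid)

def needs_sha2_support(der):
    return signature_algorithm(der) in SHA2_OIDS

def _tlv(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(last_arc):  # constructed skeleton, not a real certificate
    alg = _tlv(0x30, _tlv(0x06, RSA_SIG_PREFIX + bytes([last_arc])) + _tlv(0x05, b""))
    return _tlv(0x30, _tlv(0x30, bytes(200)) + alg + _tlv(0x03, bytes(257)))

if __name__ == "__main__":
    print({hex(a): needs_sha2_support(sample_cert(a)) for a in (0x05, 0x0B)})
```

The functions take raw DER bytes; a PEM ".crt" file has to be base64-decoded first.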