Problem exporting Exchange 2010 self-signed certificate

  • Thread starter Remco Tiel
Status
Not open for further replies.
Remco Tiel



Due to a migration project from Groupwise to Exchange (Exchange 2010 SP1) I'm temporarily using a self-signed certificate for Exchange. I want to deploy this certificate via GPO and am running into the following problem. I'm using the following code to export the certificate to a file:

$file = Export-ExchangeCertificate -Thumbprint 89F6B890FD76EFAFC1E359001AFDD51D99F8BFC8 -Password (Get-Credential).password
Set-Content -Path "c:\certificates\htcert.pfx" -Value $file.filedata -Encoding byte

But when running this command I'm getting the following error message:

The private key couldn't be exported as PKCS-12. It either couldn't be accessed or isn't exportable.
+ CategoryInfo : InvalidArgument: (:) [Export-ExchangeCertificate], InvalidOperationException
+ FullyQualifiedErrorId : 77B0CDDB,Microsoft.Exchange.Management.SystemConfigurationTasks.ExportExchangeCertificate

How can I fix this?
 
Raffaele Colavecchi



Hi,

If you are sure that you ran this command with administrative privilege elevation, then your self-signed certificate has a private key that is not exportable.

Another thing to try is to export your certificate with MMC - Certificates (Local Computer). If you cannot export it with MMC, your solution is to recreate the certificate with an exportable private key.

You can use this cmdlet: New-ExchangeCertificate with the option PrivateKeyExportable.

DANGER: By default, all certificate requests and certificates created by this cmdlet don't allow the private key to be exported.

At the end you must redeploy the public key with GPO to all other domain clients and servers.

bye bye.

Raffa!
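
Added example, not part of the original posts: a PowerShell check of whether the certificate's private key is marked exportable, followed by an export of only the public certificate (.cer), which is the part the reply above says to deploy via GPO. The thumbprint is the one quoted in the thread; the output path and the function name Get-KeyExportability are assumptions.

```powershell
# Added example: run in an elevated PowerShell session on the Exchange server.
$thumbprint = '89F6B890FD76EFAFC1E359001AFDD51D99F8BFC8'   # thumbprint from the thread
$cerPath    = 'C:\certificates\htcert.cer'                 # assumed output path (public part only)

# Hypothetical helper: reports how the private key of a certificate is flagged.
function Get-KeyExportability {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    if (-not $Certificate.HasPrivateKey) { return 'NoPrivateKey' }
    try {
        $key = $Certificate.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            if ($key.CspKeyContainerInfo.Exportable) { return 'Exportable' }
            return 'NotExportable'
        }
    } catch {
        # Key container not readable by this account, or the provider is not a legacy CSP.
    }
    return 'Unknown'
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $thumbprint in Cert:\LocalMachine\My"
}

"Private key status: $(Get-KeyExportability $cert)"

# X509ContentType 'Cert' is the DER-encoded certificate without any private key,
# so this export works even when the key is flagged as not exportable.
$bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $bytes)

# Re-read the file and confirm it carries the same certificate and no private key.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
if ($check.HasPrivateKey -or $check.Thumbprint -ne $cert.Thumbprint) {
    throw "Unexpected content in $cerPath"
}
"Wrote $cerPath (thumbprint $($check.Thumbprint), HasPrivateKey=$($check.HasPrivateKey))"
```

A status of NotExportable matches the error quoted in the first post; a PFX export would then need a certificate created with an exportable key, as the reply describes.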
 
Remco Tiel



Hi,

Is it possible to renew the certificate by the following command so the private key is exportable?:

Get-ExchangeCertificate -Thumbprint 89F6B890FD76EFAFC1E359001AFDD51D99F8BFC8 | New-ExchangeCertificate -PrivateKeyExportable $true

Remco
 
Santhosh Sivaraman



Hi,

Is it possible to renew the certificate by the following command so the private key is exportable?:

Get-ExchangeCertificate -Thumbprint 89F6B890FD76EFAFC1E359001AFDD51D99F8BFC8 | New-ExchangeCertificate -PrivateKeyExportable $true

Remco

Dear Remco,

Yes, you can try this command.

Thanks,

Santhosh

Santhosh Sivaraman MCITP: Microsoft Exchange Server 2007/2010 | MCSE/MCSA
 