Trouble Adding Cert to Second CAS


scott_k2003

Trying to add a cert to the second CAS in my array. I keep getting a security error in the Exchange Management Console saying "The certificate with thumbprint (security key) was found but is not valid for use with Exchange Server (reason: private key missing)." This is if I configure the Assign Services to Certificate for the cert and specify the second server. The first CAS member works fine. I also tried exporting the cert from CAS01 and importing it to CAS02 and I get a thumbprint error again saying it can't be found or something, a different error than the one above though.
What am I missing?

Casper Pieterse

If you didn't mark the private key as exportable during the initial certificate generation request, you will not be able to export the private key and install it on a second server.

To export the cert with the private key, go Start -> Run -> mmc
add the Certificates snap-in
select Computer account -> Local computer
under Personal -> Certificates, right click on the required certificate and select Export
follow the wizard.

If the "export private key" check box is greyed out, you will not be able to export the cert with the private key and will have to request a new certificate.

Casper Pieterse, Principal Consultant - UC, Dimension Data South Africa, Microsoft Certified Master: Exchange 2007

scott_k2003

Thanks guys. I'm a little confused. This is a UC cert from DigiCert. When I created the CSR through the Exchange Management Console I did not get an option to make the key exportable. Also I don't remember seeing the option to make the cert exportable when going through DigiCert's certificate creation process either.
Where should I be enabling this? At what step of the process?

Mike Pfeiffer

I believe the new certificate wizard marks the private key as exportable by default, I don't think it ever asks you. Go to the first server and try exporting the certificate with the private key using the instructions posted by Casper. If that works then you can install that certificate on the second server.
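Before running the MMC export described above, it helps to know whether the certificate on CAS01 actually carries a private key and whether that key was marked exportable, since "private key missing" and a greyed-out export option are the two failure modes in this thread. The following PowerShell is an added example, not code from any poster or from Exchange; the function name and the thumbprint placeholder are assumptions, and it runs from an elevated prompt on the server that completed the CSR.

```powershell
# Added example (not from this thread): inspect a certificate in the local
# machine Personal store for a private key and an exportable flag, and
# optionally write it out as a password-protected PFX for the second CAS.
# Written for PowerShell 2.0 so it also works on the Exchange 2007/2010 era OS.

function Test-ExchangeCertExport {
    param(
        [Parameter(Mandatory=$true)] [string] $Thumbprint,
        [string] $PfxPath,
        [System.Security.SecureString] $PfxPassword
    )

    # The console shows the thumbprint with spaces; the store does not.
    $clean = ($Thumbprint -replace '\s', '').ToUpper()
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $clean }

    if (-not $cert) {
        return New-Object PSObject -Property @{
            Thumbprint = $clean; Found = $false; HasPrivateKey = $false; Exportable = $false }
    }

    # HasPrivateKey = $false is what Exchange reports as "private key missing":
    # the cert was imported without its key, or the CSR was completed elsewhere.
    $exportable = $false
    if ($cert.HasPrivateKey) {
        try {
            # CSP-backed RSA keys (the default for wizard-generated requests)
            # expose the flag the MMC wizard greys out when it is false.
            $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
        } catch {
            # Key exists but could not be opened (typically not running elevated).
            $exportable = $false
        }
    }

    $result = New-Object PSObject -Property @{
        Thumbprint = $clean; Found = $true; Subject = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey; Exportable = $exportable }

    if ($PfxPath -and $exportable) {
        # Same operation as the wizard's "Yes, export the private key" with a password.
        $pfxType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
        [System.IO.File]::WriteAllBytes($PfxPath, $cert.Export($pfxType, $PfxPassword))
        $result | Add-Member -MemberType NoteProperty -Name PfxWritten -Value $PfxPath
    }
    return $result
}

# Usage, with a placeholder thumbprint taken from the Exchange error message:
# Test-ExchangeCertExport -Thumbprint '<THUMBPRINT FROM ERROR>' -PfxPath C:\temp\cas.pfx `
#     -PfxPassword (Read-Host -AsSecureString 'PFX password')
```

If Exportable comes back false, the PFX is not written and a new request is the only route, as Casper notes; if it is true, the PFX can be imported into the Personal store on CAS02 and then assigned to services.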

cmedina7777

There is a known issue in IIS 7 giving the following error: "Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created." You may also receive a message stating "ASN1 bad tag value met". If this is the same server that you generated the CSR on, then, in most cases, the certificate is actually installed. Simply cancel the dialog and press "F5" to refresh the list of server certificates. If the new certificate is now in the list, you can continue with the next step. If it is not in the list, you will need to reissue your certificate using a new CSR (see our CSR creation instructions for IIS 7). After creating a new CSR, log in to your DigiCert account and click the reissue button for your certificate.