Exchange 2010 & GoDaddy UCC certificate walkthrough

On January 12, 2010, in Exchange, by Babul A. Mukherjee

If you want to use a GoDaddy UCC certificate with Exchange 2010, you’ll run into a few problems using the new certificate GUI tools.

Since GoDaddy does not provide a PFX certificate to download, you have to use the PowerShell command line.

You can still use the new GUI to help you work out which SAN names you need, if you want.

MY ADVICE:  make your common name just your top level domain name!  (ex. montopolis.com)  This way you can change out your SANs easily and rekey when needed.

Go to DigiCert’s Exchange 2010 CSR Tool, which is just super handy (GoDaddy really needs to make a version of this tool).

Enter all of your information and click Generate.

Copy the PowerShell code provided into Notepad.

In front of the code you pasted put in “$Data=” (without quotes).  Example:

$Data=New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName…………………

On the next line enter the following (without quotes)

Set-Content -Path "mycommonname.com.csr" -Value $Data

Now paste these two lines into your Exchange Management Shell.

You should now have a mycommonname.com.csr file!

Open this file in Notepad so you can copy and paste its contents for GoDaddy.

Go to https://certs.godaddy.com and request a new UCC certificate.  When asked, paste your CSR.

Wait for GoDaddy to issue your cert and download it for Exchange 2007.  Copy the contents of the ZIP into the directory where your CSR is located.

From the Exchange Management Shell, type the following, replacing mydomain.com.crt with your filename:

Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path mydomain.com.crt -Encoding byte -ReadCount 0)) | Enable-ExchangeCertificate -Services "IIS"

Don’t worry about the services enabled right now.  We just want to enable one.

Now start your Exchange Management Console -> Server Configuration.  You should now see your new certificate listed.  Select it and click Assign Services to Certificate from the Actions menu.

Now assign the certificate to the services you want and voila!

I wasted a couple hours going the wrong way so I hope this saves someone else some time and frustration.  Good luck!
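A check worth running once the certificate is imported, to confirm that the common name and SANs cover every host name clients will connect to. This is an added example, not part of the original post; the function name Test-CertNameCoverage and all example.com / example.local names are constructed placeholders.

```powershell
# Added example: report which required host names a certificate does not cover.
function Test-CertNameCoverage {
    param(
        [string[]]$CertificateDomains,   # names on the certificate (CN + SANs)
        [string[]]$RequiredNames         # names clients actually connect to
    )
    foreach ($name in $RequiredNames) {
        $covered = $false
        foreach ($domain in $CertificateDomains) {
            # -eq on strings is case-insensitive, as host names should be compared
            if ($domain -eq $name) { $covered = $true; break }
            # A wildcard covers exactly one left-most label: *.example.com
            # matches mail.example.com, not example.com or a.b.example.com.
            if ($domain.StartsWith('*.')) {
                $suffix = $domain.Substring(1)   # ".example.com"
                if ($name.Length -gt $suffix.Length) {
                    if ($name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                        $label = $name.Substring(0, $name.Length - $suffix.Length)
                        if ($label -notmatch '\.') { $covered = $true; break }
                    }
                }
            }
        }
        New-Object PSObject -Property @{ Name = $name; Covered = $covered }
    }
}

# Constructed sample values. On the Exchange server, take the first list from
# the imported certificate instead (thumbprint is a placeholder):
#   $domains = (Get-ExchangeCertificate -Thumbprint '<thumbprint>').CertificateDomains |
#       ForEach-Object { $_.ToString() }
$domains  = 'example.com', 'mail.example.com', 'autodiscover.example.com'
$required = 'mail.example.com', 'autodiscover.example.com', 'exch01.example.local'

# Warn about every name clients use that is missing from the certificate.
Test-CertNameCoverage -CertificateDomains $domains -RequiredNames $required |
    Where-Object { -not $_.Covered } |
    ForEach-Object { Write-Warning "Not on certificate: $($_.Name)" }
```

With the sample values, the only warning is for exch01.example.local, the internal server name that was left off the SAN list.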

 

11 Responses to Exchange 2010 & GoDaddy UCC certificate walkthrough


  3. Ashwin says:

    Thank you for the helpful writeup. I encountered an issue with XP clients using autodiscover. If your CN is different from the SANs, XP clients have trouble authenticating. Vista/W7 do not have this issue.

  4. Bobby says:

    Thank you so much for this write-up. I was working on deploying Exchange 2010 and I was having problems with my 3rd party certificate displaying an error of “The name of the security certificate is invalid or does not match the name of the site” when users started Outlook 2010. It turned out the problem wasn’t on my end, but when I created the certificate with GoDaddy, I neglected to add my internal server’s name to the SANs and this caused the certificate to be accepted on Outlook Web Access, yet it couldn’t be verified internally.

    Your walk through helped me a ton.

    • Bobby -

      Thanks for the feedback!

      Yes, the internal server names have bitten me before too (and cost me $$$).

      Exchange 2010 has a nice wizard in “Server Configuration” to help with the certificate request, which helps prevent that also. I prefer that wizard now to DigiCert’s online wizard.

  5. hyl says:

    Great instructions, though I should point out that in terms of getting Outlook Anywhere to work, using just your top level domain as the cert common name (i.e. montopolis.com) will cause a failure if Outlook’s RPC/HTTP settings by default point to a given host (i.e. msstd:mail.montopolis.com).

  6. Wallacetech says:

    Hello.

    After I change the generated code and add the $data info as per your notes, I get the following:

    At line:1 char:12

    + Set-Content <<<< Generated CSR CODE HERE

    + CategoryInfo : InvalidArgument: (:) [Set-Content], ParameterBindingException

    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SetContentCommand

    Any ideas?

    Thanks in advance

  7. Andy says:

    Too bad you still can’t import an Exchange exported (UCC) certificate (issued by GoDaddy) into the Cisco SA500 series routers, which apparently is how you’re supposed to install ucc certificates on other servers/devices. For servers it works, just not the Cisco 500 series routers! I wish Cisco would get their act together and listen to their customers’ complaints!
