Use OpenSSL & Windows to Convert UCC / SAN certificate from .crt / .key format to a .pfx for Exchange 2010

This post assumes you have already completed the process of getting a signed certificate issued and installed on a Linux / Apache server, and that you would like to convert that certificate to install and use on an additional Exchange 2010 server. The cheapest UCC (multiple FQDN on the same certificate) I’ve found is with GoDaddy.

Download a Windows implementation of OpenSSL from here: http://www.openssl.org/related/binaries.html. I recommend getting the full 32-bit version, and you will most likely need the ‘Visual C++ 2008 Redistributables’ as well. Install OpenSSL to C:\OpenSSL or another location that is convenient to you. Make sure you run Windows Update after installing, to check for any security patches for the C++ 2008 redistributable you’ve installed.

With OpenSSL installed, you will need to download copies of the certificate and private key files that make up your certificate configuration. These will be stored somewhere on your existing web server. I have a VPS with Host Gator, which uses a pretty typical Linux distribution called CentOS, and which can be accessed via SSH / Secure FTP. I personally connect up using a secure channel through FireFTP, a free addon for Firefox. It is essential you use secure means for all file downloads, as interception of the private key would completely compromise your certificate’s security. And don’t do this on a public / shared PC!

Having connected to your web server, browse to /etc/ssl from the filesystem root. Here you should find a folder called certs, which you need to download one or two files from. Find and download your certificate, in the form of domain.com.crt and, if applicable, your Certificate Authority’s bundle, normally in the form of domain.com.cabundle. Download these files to C:\OpenSSL\bin.

Additionally, within /etc/ssl you will also find a folder called private, and within here you need to locate your private key file, listed in the form of domain.com.key. Also download this to C:\OpenSSL\bin.

Fire up a Windows Command Line (cmd) and type cd C:\OpenSSL\bin

Then type openssl to fire up the OpenSSL command line. At this command line, enter the following command, replacing the file entries with your own appropriate ones:

pkcs12 -export -out domain.com.pfx -inkey domain.com.key -in domain.com.crt -certfile domain.com.cabundle -name "Friendly Name"

This will take your existing certificate, private key and Cert Authority bundle, and generate a .pfx file compatible with Exchange 2010 / Windows (the -name switch defines the friendly name for the certificate, as it will appear in your Exchange Management Console later). You will be prompted to enter a password twice – keep a note of it, as you’ll need it later.

The generated .pfx file will now be residing in C:\OpenSSL\bin. Move it to a location where your Exchange Server will be able to access it (such as a secured network share).

From your Exchange Server, load the Exchange Management Console, and navigate to the root of Server Configuration. Look to the right-hand pane for the Import Exchange Certificate… link. Click this link, then locate your .pfx file, enter the password you set, and complete the wizard to import the certificate. You now just need to bind the Exchange services (such as SMTP) you would like associated with this certificate.

I STRONGLY recommend you now delete all of the errant files you downloaded from your web server, or generated with OpenSSL, to complete this task, and the job is done! :)
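The conversion above as an added example, not code from the original post: a POSIX shell script that generates a throwaway CA and SAN certificate as constructed stand-ins for the files copied from /etc/ssl, checks that the key actually matches the certificate and that the bundle chains it, then runs the same pkcs12 export, inspects the result and provides the cleanup step. It assumes the openssl CLI is on PATH (on Windows, run it from Git Bash or WSL, or translate the calls to cmd); the file names, password and friendly name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway CA and a
# SAN (UCC-style) leaf certificate as constructed stand-ins for the files copied
# from /etc/ssl, then runs the post's pkcs12 export with pre-flight checks.
# Assumes the openssl CLI is on PATH; file names, password and name are placeholders.
set -eu
PFX_PASS="${PFX_PASS:-constructed-example-password}"   # the password Exchange will ask for
cd "$(mktemp -d)"

make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Issuing CA" \
    -keyout ca.key -out domain.com.cabundle 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.domain.com" \
    -keyout domain.com.key -out domain.com.csr 2>/dev/null
  printf 'subjectAltName=DNS:mail.domain.com,DNS:autodiscover.domain.com\n' > san.ext
  openssl x509 -req -in domain.com.csr -CA domain.com.cabundle -CAkey ca.key \
    -CAcreateserial -days 1 -extfile san.ext -out domain.com.crt 2>/dev/null
}

# Check 1: the downloaded key really belongs to the certificate (same public key).
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$2")" = "$(openssl pkey -pubout -in "$1")" ]
}
# Check 2: the CA bundle chains the certificate, or clients will reject what Exchange serves.
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# The export from the post, password given non-interactively. The -keypbe/-certpbe/-macalg
# options pin SHA1/3DES: OpenSSL 3 defaults to AES/PBKDF2, which Windows Server 2008 R2
# (the Exchange 2010 era) cannot import.
export_pfx() {   # args: key crt cabundle out-pfx friendly-name
  openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" -name "$5" \
    -passout "pass:$PFX_PASS" -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# Post-export checks: certificates that landed in the file, and the friendly name on the leaf.
pfx_cert_count()    { openssl pkcs12 -in "$1" -nokeys -passin "pass:$PFX_PASS" | grep -c 'BEGIN CERTIFICATE'; }
pfx_friendly_name() { openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$PFX_PASS" | sed -n 's/^ *friendlyName: //p'; }

# Once the PFX has been copied to the Exchange host, remove every copy left behind.
cleanup_inputs() { rm -f ca.key domain.com.key domain.com.csr domain.com.crt domain.com.cabundle domain.com.pfx san.ext ./*.srl; }

make_fixtures
key_matches_cert domain.com.key domain.com.crt || { echo "key does not match certificate" >&2; exit 1; }
chain_verifies domain.com.crt domain.com.cabundle || { echo "CA bundle does not chain the certificate" >&2; exit 1; }
export_pfx domain.com.key domain.com.crt domain.com.cabundle domain.com.pfx "Friendly Name"
echo "certificates in PFX: $(pfx_cert_count domain.com.pfx); friendly name: $(pfx_friendly_name domain.com.pfx)"
```

Against your real files, point the functions at domain.com.key / domain.com.crt / domain.com.cabundle instead of calling make_fixtures, and call cleanup_inputs only after the .pfx has been moved to the Exchange host.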

Removing Exchange 2007 (post Exchange 2010 migration) – Offline Address Book Error

I have now done two separate migrations to Exchange 2010, and in each instance I hit a snag at the final stage – removing the now redundant / last Exchange 2007 server that remains as part of the MS Exchange setup.

Please note, before following the below, make sure you have completed all steps of the migration before attempting this process. You must make sure all your mailboxes, public folders, Send Connectors, etc., are migrated, and that you truly are just stuck with an empty vessel of an Exchange 2007 that refuses to uninstall. This is not a short-cut for all the proper processes to follow!

The issue I found, after completing all official removal steps, was that Exchange 2007 would not uninstall stating:

“Uninstall cannot continue. Database ‘Public Folder Database’: The public folder database “MAIL\Second Storage Group\Public Folder Database” contains the following offline address book(s): \Default Offline Address List. Before deleting the public folder database, move the offline address book(s) to a web-based distribution point.”

Needless to say, I have already moved the offline address book in every context to my new Exchange 2010 server. Replication has taken place, and I can see all is well.

So why is this happening? I suspect (like me) you are asking the same question, and hence you are on this blog.

The answer is that the uninstaller finds an entry in Active Directory that still indicates your Exchange 2007 server is a valid and primary holder for a copy of the public folder, and so fails to remove Exchange 2007. The solution is therefore simple – we remove this errant entry in Active Directory using ADSIEdit.

Here are the steps to follow:

1) You probably don’t have ADSIEdit registered by default, so bring up a command line with admin elevation, and type:

regsvr32 adsiedit.dll

An info box should confirm registration of this MMC snap-in.

2) Bring up the run box and type mmc and press enter.

3) In the MMC console that appears, go to File and then Add / Remove Snap In…

4) Select the ADSI Edit option from the available snap-ins list, and use the Add> button to add it to the right column. Then click OK.

5) With the ADSI Edit option now available in the MMC console, right click on it and select Connect To… from the properties list that appears.

6) In the Connection Settings properties box that appears, change the option for Select a well known Naming Context to ‘Configuration’, make sure your old Exchange 2007 server name is listed in the ‘Path’ field above this, and then click OK.

7) This should load up a tree structure, with your Exchange 2007 server shown by its internal Fully Qualified Domain Name at the top of the tree (e.g. Configuration [mail2007.mydomain.local]).

8) Here’s the disclaimer – editing Active Directory incorrectly can render your domain unusable if done incorrectly, and must be done with extreme caution. I accept no liability for my advice – you have been warned!!!

9) Follow the directory tree as follows, right from the top (I have simplified this, instead of putting every AD naming context in) until you are in the folder at the bottom of this list:

Configuration [servername]->
Configuration ->
Services ->
Microsoft Exchange ->
Your Organisational Name->
Administrative Groups->
Exchange Administrative Group->
Servers->
Exchange 2007 Server Name->
InformationStore->
Second Storage Group->

In that final Second Storage Group branch, you will find a sub-entry called Public Folder Database. Right click this entry, and delete it.

10) Now re-run your uninstall of Exchange 2007, and you should find the error message is gone, and provided you have done everything else to move correctly to another Exchange server, the setup will uninstall your copy of Exchange 2007 :)