Use OpenSSL & Windows to Convert UCC / SAN certificate from .crt / .key format to a .pfx for Exchange 2010

This post assumes you have already had a signed certificate issued and installed on a Linux / Apache server, and that you would like to convert that certificate so it can also be installed and used on an Exchange 2010 server. The cheapest UCC (multiple FQDNs on the same certificate) I’ve found is with GoDaddy.

Download a Windows build of OpenSSL from here: http://www.openssl.org/related/binaries.html. I recommend getting the full 32-bit version, and you will most likely need the ‘Visual C++ 2008 Redistributables’ as well. Install OpenSSL to C:\OpenSSL or another location that is convenient to you. Run Windows Update after the install to pick up any security patches for the C++ 2008 redistributable you’ve just added.

With OpenSSL installed, you need copies of the files that make up your certificate configuration: the signed certificate, the CA bundle (if your CA gave you one) and the private key. These are stored on your existing web server. I have a VPS with Host Gator, which uses a pretty typical Linux distribution called CentOS, and which can be accessed via SSH / Secure FTP. I personally connect up using a secure channel through FireFTP, a free add-on for Firefox. It is essential that you use an encrypted channel (SFTP or SCP, never plain FTP) for all of these downloads: anyone who intercepts the private key can impersonate every name on the certificate, and revoking and re-issuing is the only fix. And don’t do this on a public / shared PC!

Having connected to your web server, browse to /etc/ssl from the root of the filesystem. Here you should find a folder called certs, from which you need to download one or two files. Find and download your certificate, in the form domain.com.crt, and, if applicable, your Certificate Authority’s bundle, normally in the form domain.com.cabundle. Download these files to C:\OpenSSL\bin. (Exact locations vary by distribution and control panel; if the files are not here, the SSLCertificateFile, SSLCertificateChainFile and SSLCertificateKeyFile directives in your Apache virtual host configuration point at the files actually in use.)

Additionally, within /etc/ssl you will also find a folder called private, and in here you need to locate your private key file, in the form domain.com.key. Download this to C:\OpenSSL\bin as well. This file is normally readable only by root, and for good reason: it is the one file an attacker needs.

Open a Windows Command Prompt (cmd) and type cd C:\OpenSSL\bin

Then type openssl to start the interactive OpenSSL prompt. At this prompt, enter the following command, replacing the file names with your own (if you would rather run it straight from cmd, prefix the same command with openssl):

pkcs12 -export -out domain.com.pfx -inkey domain.com.key -in domain.com.crt -certfile domain.com.cabundle -name "Friendly Name"

This takes your existing certificate, private key and CA bundle and generates a .pfx (PKCS#12) file that Exchange 2010 / Windows can import. The -name switch sets the friendly name for the certificate, as it will appear in the Exchange Management Console later. You will be prompted to enter an export password twice; keep a note of it, as you will need it at import time. If your private key is itself passphrase-protected, OpenSSL asks for that passphrase first. If your CA did not give you a bundle, omit -certfile, but be aware that Exchange will then serve an incomplete chain unless the intermediate certificates are already in the server’s certificate store. One more caveat for anyone following this with a current OpenSSL 3.x build: add -legacy to the command, because the 3.x default PFX encryption (AES-256 with a SHA-256 MAC) cannot be imported by the Windows Server versions Exchange 2010 runs on.
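The export above, together with the checks worth running before handing the result to Exchange, as an added example that is not code from the original post. It builds a throwaway CA and a SAN certificate for two hypothetical names (mail.domain.com and autodiscover.domain.com) in a temporary directory, so it runs without touching real key material; the password, friendly name and file names are assumptions for the demo. It then confirms the private key belongs to the certificate, that the certificate verifies against the bundle, runs the same pkcs12 export, and inspects what ended up in the .pfx. Run it with bash on any system with the openssl CLI (1.1.1 or 3.x).

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Rebuilds the post's pkcs12
# export against a throwaway CA + SAN certificate constructed here, and adds
# the checks worth running first:
#  1. the private key really belongs to the certificate,
#  2. the certificate chains to the CA bundle,
#  3. the PFX carries leaf + CA certificate and the friendly name.
# Needs the openssl CLI (1.1.1 or 3.x). Everything lives in a temp dir that
# is removed on exit.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

PFX_PASS='example-export-password'   # assumption: demo password only
FRIENDLY='Exchange 2010 SAN cert'    # what the -name switch sets

# --- 1. Constructed test material (stands in for the files downloaded from
#        /etc/ssl/certs and /etc/ssl/private on the web server) -------------
# Throwaway CA: key + self-signed certificate explicitly marked as a CA.
openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
  -subj "/CN=Example Test CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 2 -extfile ca.ext -out ca.crt 2>/dev/null
cp ca.crt domain.com.cabundle        # plays the role of the CA's "cabundle" file

# Server key + CSR, then a UCC/SAN certificate covering two hypothetical names.
openssl req -new -newkey rsa:2048 -nodes -keyout domain.com.key -out domain.com.csr \
  -subj "/CN=mail.domain.com" 2>/dev/null
printf 'subjectAltName=DNS:mail.domain.com,DNS:autodiscover.domain.com\n' > san.ext
openssl x509 -req -in domain.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 2 -extfile san.ext -out domain.com.crt 2>/dev/null

# --- 2. Checks -------------------------------------------------------------
# Key and certificate match if they carry the same public key (PEM compare).
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Certificate must verify against the bundle, or Exchange will present an
# incomplete chain to clients.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# --- 3. The export from the post --------------------------------------------
# Same switches as the post; -passout replaces the interactive prompt so the
# script runs unattended. For a real key prefer the prompt: a password on the
# command line ends up in shell history and the process list.
# With OpenSSL 3.x add -legacy here to get a PFX that the Windows Server
# versions Exchange 2010 runs on can import.
export_pfx() {   # key cert cabundle out friendly_name password
  openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" \
    -name "$5" -passout "pass:$6"
}

# --- 4. Inspect the result -------------------------------------------------
# Number of certificates inside the PFX: the leaf plus each one from -certfile.
pfx_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Friendly name stored on the certificate bag (what the EMC will display).
pfx_friendly_name() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

key_matches_cert domain.com.key domain.com.crt || { echo "key does not match certificate"; exit 1; }
chain_verifies domain.com.cabundle domain.com.crt || { echo "chain does not verify"; exit 1; }
export_pfx domain.com.key domain.com.crt domain.com.cabundle domain.com.pfx "$FRIENDLY" "$PFX_PASS"
echo "certificates in PFX: $(pfx_cert_count domain.com.pfx "$PFX_PASS")"
echo "friendly name:       $(pfx_friendly_name domain.com.pfx "$PFX_PASS")"
```

On a real server you would skip section 1 and point the two check functions and export_pfx at the downloaded domain.com.key, domain.com.crt and domain.com.cabundle; a key/certificate mismatch or a failing chain is far cheaper to catch here than after the import wizard has silently accepted a PFX Exchange cannot use.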

The generated .pfx file will now be sitting in C:\OpenSSL\bin. Move it to a location your Exchange Server can access (such as a secured network share). The .pfx contains your private key, so treat it with the same care as the .key file: it is protected only by the password you just set.

From your Exchange Server, open the Exchange Management Console and navigate to the root of Server Configuration. In the Actions pane on the right, click Import Exchange Certificate…, locate your .pfx file, enter the password you set, then complete the wizard to import the certificate. You now just need to assign the Exchange services (such as SMTP and IIS) you would like to use this certificate, via Assign Services to Certificate in the same pane (the Exchange Management Shell equivalents are Import-ExchangeCertificate and Enable-ExchangeCertificate). Check that the certificate shows the full chain once imported; a missing intermediate is the usual cause of clients warning about the certificate even though Exchange reports it as valid.

I STRONGLY recommend you now delete all of the files you downloaded from your web server or generated with OpenSSL to complete this task (the .key, .crt, .cabundle and .pfx in C:\OpenSSL\bin, plus any copy left on the network share). Bear in mind that a plain delete leaves the data recoverable from disk, so use a secure-wipe tool if the machine is shared. With that, the job is done! :)
