Resolved-Exchange 2010 - UCC SSL Cert Renewal WTF
-
As the title indicates, I am trying to renew the UCC SSL cert for an Exchange 2010 server and after creating the .req file from within EMC, I open it with notepad and it is mostly gibberish and not the typical format that I normally see with the Begin and End New Certificate Request header and footer.
It has some human readable info about the server and domains in it but most of it looks like this:
6ËÌ14_WlÝ—ã!?PµÛF׸%zº$CbOºcôÌšœìÃÐ?ö† DŽc‘CÂt’Œ·Ýö¤_
What am I not doing correctly?
-
@wrx7m is it encrypted?
-
@aaronstuder said in Exchange 2010 - UCC SSL Cert Renewal WTF:
@wrx7m is it encrypted?
I'm guessing it is. But why?
-
@wrx7m said in Exchange 2010 - UCC SSL Cert Renewal WTF:
@aaronstuder said in Exchange 2010 - UCC SSL Cert Renewal WTF:
@wrx7m is it encrypted?
I'm guessing it is. But why?
Because you checked a box to encrypt it I would assume. Been a long time since I had to renew one.
-
@jaredbusch Turns out it is the way that Exchange encodes the request. I ran:
certutil -encode c:\renewal.req c:\base64renewal.req to convert it to base64.
Edit: As seen in this thread-
https://social.technet.microsoft.com/Forums/exchange/en-US/f570e4bd-7194-4cf5-92f4-c7ada2f5dc8a/exchange-2010-renew-certificates?forum=exchangesvrsecuremessaginglegacy
-
@wrx7m said in Resolved-Exchange 2010 - UCC SSL Cert Renewal WTF:
@jaredbusch Turns out it is the way that Exchange encodes the request. I ran:
certutil -encode c:\renewal.req c:\base64renewal.req to convert it to base64.
Edit: As seen in this thread-
https://social.technet.microsoft.com/Forums/exchange/en-US/f570e4bd-7194-4cf5-92f4-c7ada2f5dc8a/exchange-2010-renew-certificates?forum=exchangesvrsecuremessaginglegacy
I have never had it do that by default.
-
@jaredbusch It might just be the renewal from within EMC, as opposed to issuing a whole new cert request.
-
@wrx7m said in Resolved-Exchange 2010 - UCC SSL Cert Renewal WTF:
@jaredbusch It might just be the renewal from within EMC, as opposed to issuing a whole new cert request.
I've done renewals with no issues either. Interesting.
-
@wrx7m Strange way of renewing the SSL Certificate.
-
@dbeato said in Resolved-Exchange 2010 - UCC SSL Cert Renewal WTF:
@wrx7m Strange way of renewing the SSL Certificate.
With the ECP web GUI in 2013, you simply click renew and get the updated CSR.
-
@jaredbusch That is similar to Exchange 2010, except it is the EMC that you do that in and that in my case, it wasn't generating the CSR in base64.
-
I had the same problem:
Microsoft includes a command-line utility with Certificate Services called certutil. This utility performs various operations on certificate files, including converting them to and from base64 format.
Note that this command is run on your certificate server, which, in your environment, may be different from your Exchange server. If so, you need to copy the binary .req file to the certificate server, or make it accessible via a shared network folder or removable storage device.
Open a command prompt on the certificate server and navigate to the folder where your binary .req file is, then type the following command:
certutil -encode yourbinaryinputfile yourasciioutputfile
Example:
certutil -encode der.exchange.example.com.req pem.exchange.example.com.req
You can then open the output file in Notepad and confirm that it is in the correct format to upload to your certifying authority.
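-
The binary-to-base64 conversion discussed in this thread, sketched in Python as an added example that is not part of any post: it shows that the unreadable .req is DER-encoded binary rather than encrypted data, checks that the file is intact before converting, and wraps it in the Begin/End New Certificate Request lines the first post mentions. The function names, the label constant and the sample bytes are constructed for illustration.

```python
import base64

# Label taken from the header/footer wording in the first post; an assumption
# of this example, since tools differ in the label they write.
LABEL = "NEW CERTIFICATE REQUEST"

def der_total_length(data: bytes) -> int:
    """Total bytes the outer DER SEQUENCE claims to occupy (header + content)."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not DER: no SEQUENCE tag (0x30) at offset 0")
    first = data[1]
    if first < 0x80:                  # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                  # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("not DER: bad length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify(data: bytes) -> str:
    """Return 'pem' for base64 text with a BEGIN line, 'der' for intact binary."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if der_total_length(data) != len(data):
        raise ValueError("DER length mismatch: truncated or re-saved as text")
    return "der"

def der_to_pem(data: bytes, label: str = LABEL) -> str:
    """Base64 the binary request, 64 columns per line, between BEGIN/END lines."""
    if classify(data) == "pem":
        return data.decode("ascii")   # already in the text format, leave as is
    b64 = base64.b64encode(data).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pem_to_der(text: str) -> bytes:
    """Inverse conversion, used to confirm nothing was lost."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(lines))

if __name__ == "__main__":
    # Constructed sample: a 300-byte SEQUENCE of filler bytes, not a real CSR.
    sample = b"\x30\x82\x01\x28" + bytes(range(256)) + bytes(40)
    pem = der_to_pem(sample)
    assert pem_to_der(pem) == sample
    print(pem)
```

The length check fails on a binary request that was opened in Notepad and saved again, which is a quick way to tell a damaged file from one that only needs encoding.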