January 28, 2014

Exchange 2010 certificate request not completing

By Geekphreek

We all love Exchange, or the fact that it gets us geeks lots of money due to it being so flakey.  Maybe that’s just the whole Microsoft experience.

I went through a lovely process of having to add some additional SANs to my certificate today. I created the new CSR (Certificate Signing Request) and sent it off, as you do. My lovely registrar, SSL.com, only took 2 weeks to complete it (grrr) but after some chasing up, it arrived for me to install. I fired up the EMC and right clicked on the Pending Request, told it to complete, picked the certificate that had been sent through. Exchange ran the PowerShell, smiled at me and reported the world was all fluffy.

Waiting for 30 seconds or so, I noticed the CSR was still pending and it wasn’t a valid certificate yet. Hmmm.  Refresh! Nope. Refresh! Nope.  I right clicked and completed again only to be told this time that a certificate with the thumbprint already exists in the certificate store.  Yes, it does, it was very true.  By checking in Certificate manager it was in there (do a search for the thumbprint!).  Okay, so the certificate import was borked.  Now, I can’t delete the CSR else I have to go back to my registrar and do it all again.  SSL.com do not give you a PFX file, just your cert.  This leaves me with one choice, search the interwebz.

Long story short, there's nothing wrong per se, just that the certificate store is a thick-o and needs a little help. Looking at the logs, it complains about not having a private key for the new certificate, which is horse-shit since you created the CSR in the first place: the private key was generated on this server at that point and is still sitting in the machine's key container. What actually went wrong is that the imported certificate never got linked back to that key, so Windows (and therefore Exchange) treats it as a bare public certificate and the request stays "pending". The fix is to re-create that link, not to import anything again.

Quick fix: Open the .cer file you received from your registrar, go to the Details tab and scroll down to the "Thumbprint" field. Copy the thumbprint to the clipboard (make sure it is the new certificate's thumbprint, not the old one; the EMC error message gives you the same value). On the Exchange server where you generated the CSR (it has to be that server, the key lives there), open a command prompt as ADMINISTRATOR and type the following, keeping the quotes if the thumbprint contains spaces:

certutil -repairstore My "<thumbprint>"

You will then get some splurge about the certificate ending in "CertUtil: -repairstore command completed successfully." ("My" is the Local Computer Personal store, which is where the EMC import put the certificate.) If it instead complains that it cannot find the private key, the key really isn't on this box (CSR generated on another server, or the pending request was deleted) and you will have to generate a new CSR and get the certificate reissued. Otherwise go back to Exchange EMC and refresh your certificates. You will now find the pending request has turned into a proper certificate and you can assign services to it. Keep the old certificate until the new one is serving IIS and SMTP properly before removing it.
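The same fix, scripted so you can check the private-key link before and after the repair and then bind the certificate to Exchange services, as an added example that is not part of the original post. The .cer path and the IIS/SMTP service list are assumptions; everything else uses standard Windows and Exchange 2010 cmdlets. Run it from an elevated Exchange Management Shell on the server where the CSR was generated.

```powershell
# Added example, not from the original post. Verifies that the registrar's
# certificate is linked to the private key generated with the CSR, repairs the
# link with certutil if it is not, then enables the certificate in Exchange.
# Assumed: the .cer path below and that this runs in an elevated Exchange
# Management Shell on the server that generated the CSR.

$cerPath = 'C:\certs\mail_example_com.cer'   # assumed path to the registrar's .cer file

# Read the thumbprint from the file instead of copying it by hand from the GUI.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
$thumbprint = $cert.Thumbprint                # uppercase hex, no spaces

function Get-InstalledCert([string]$Thumbprint) {
    # EMC imports into Local Computer\Personal, which certutil calls "My".
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
}

$installed = Get-InstalledCert $thumbprint
if (-not $installed) {
    # Not in the store at all yet: complete the pending request ourselves.
    Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($cerPath)) | Out-Null
    $installed = Get-InstalledCert $thumbprint
    if (-not $installed) { throw "Import of $cerPath did not land in Cert:\LocalMachine\My" }
}

if (-not $installed.HasPrivateKey) {
    # The symptom from the post: certificate present, but not linked to the key
    # generated alongside the CSR. certutil searches the machine key containers
    # for the matching public key and re-creates the link.
    Write-Host "No private key linked to $thumbprint, repairing..."
    certutil -repairstore My $thumbprint
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed. Was the CSR generated on this server?"
    }
    $installed = Get-InstalledCert $thumbprint
}

if (-not $installed.HasPrivateKey) {
    throw "Certificate $thumbprint still has no private key; Exchange cannot use it."
}

# Exchange now shows a usable certificate instead of a pending request.
Get-ExchangeCertificate -Thumbprint $thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter, HasPrivateKey

# Bind the services the old certificate served (assumed: IIS and SMTP).
# Exchange prompts before overwriting the default SMTP certificate; answer Yes.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services IIS,SMTP
```

The HasPrivateKey check is the whole point: a certificate that is in the store but reports HasPrivateKey as False is exactly the state that leaves the request stuck at "pending", and it is the one thing the EMC's "completed successfully" message does not tell you.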