Thanks, Dean.  The crypt32.dll we had was actually newer than the one in those 
hotfixes.  Applying http://support.microsoft.com/kb/2868626 was the fix, AFAICT.

From: [email protected] [mailto:[email protected]] On Behalf Of Dean
Sent: Thursday, February 13, 2014 10:20 PM
To: [email protected]
Subject: Re: [Exchange] Certificate Renewal Issue

http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx

http://support.microsoft.com/kb/938397


You likely need 938397 installed. That fixed a non-Exchange-related issue for 
us where a customer with a 2003 IIS webservice box was trying to connect to one 
of our https sites that was renewed with an sha256 certificate.




On 2/13/2014 8:56 AM, Mayo, Bill wrote:
Yes.  It doesn't like them.  Problem appears to be an issue with Windows 2003 
and SHA256.  Found some hotfixes, but I have a newer crypt32.dll than 
indicated, and I am still trying to figure out what I actually need.

From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Thursday, February 13, 2014 9:50 AM
To: [email protected]
Subject: RE: [Exchange] Certificate Renewal Issue

Did you load new intermediates on the ISA server?

From: [email protected] [mailto:[email protected]] On Behalf Of Mayo, Bill
Sent: Thursday, February 13, 2014 9:05 AM
To: [email protected]
Subject: RE: [Exchange] Certificate Renewal Issue

I initially did a renewal request.  When I went to GoDaddy and pasted in this 
renewal request, it complained because of the non-FQDN.  I contacted support, 
they told me to go into the existing certificate on GoDaddy and request removal 
of that name, which I did.  This gave me a new certificate to download, and I 
was trying to figure out how to get it into Exchange to do a renewal on it 
instead.  Based on the follow-up call with GoDaddy, I did a new request, which 
naturally had a pending request that I completed.  That is all OK.

I do, however, have a new problem.  Everything seems OK on my Exchange Servers, 
but ISA doesn't seem to like the intermediate certs.  I did the same process on 
all the servers to do the import, but on the ISA Server, the intermediate 
certificates show "The integrity of this certificate cannot be guaranteed.  The 
certificate may be corrupted or have been altered." The only thing that comes 
to mind is that the Exchange boxes are Windows 2008 and the ISA box is still 
2003.  I'm trying to research that now.

From: [email protected] [mailto:[email protected]] On Behalf Of Michael B. Smith
Sent: Wednesday, February 12, 2014 8:14 PM
To: [email protected]
Subject: RE: [Exchange] Certificate Renewal Issue

Bill -

How did you create the certificate request?

If you did it through Exchange, you WILL have a pending request.

If you did not do it through Exchange, then we need to look elsewhere.

Regards,
Michael B.

From: [email protected] [mailto:[email protected]] On Behalf Of Mayo, Bill
Sent: Wednesday, February 12, 2014 12:54 PM
To: [email protected]
Subject: RE: [Exchange] Certificate Renewal Issue

Thanks, Steve.  I have heard good things about certificatesforexchange.com, but 
the initial decision was made by someone else and we already paid for the renewal.  
I did contact support.  The answer is that I had to create a new request, which 
I was trying to avoid.  Hope I didn't screw it up.

From: [email protected] [mailto:[email protected]] On Behalf Of Steve Ens
Sent: Wednesday, February 12, 2014 10:48 AM
To: [email protected]
Subject: Re: [Exchange] Certificate Renewal Issue

Hi Bill.
Certificatesforexchange.com is the way to go.  You have issues, they walk you 
through it.  And they're a great price too.  Try calling godaddy.  Perhaps 
they'll assist?
Steve

On Wed, Feb 12, 2014 at 9:40 AM, Mayo, Bill <[email protected]> wrote:
It is time to renew our Exchange 2010 certificate and I am having an issue 
related to a non-FQDN alternative name that was on the existing certificate.  
The original certificate was created by an outside organization and they 
included this on the cert that was done through GoDaddy.  I purchased a renewal 
already, but in trying to complete the process, GoDaddy complained about the 
no-longer-supported name.  They advised I would need to remove the name on the 
existing cert and re-download.  I have done that.  However, I am stuck trying 
to get this cert to replace the one I have in Exchange.  They are providing a 
".crt" file and their instructions indicate to use the "complete pending 
request" option, which I don't have.  If I try to import it straight into 
Exchange, it doesn't like it.  I have done some googling, but I am not clear on 
what the next step is.  As you can tell, I only know enough about certificates 
to be dangerous.

Bill Mayo


