
I'm having a bit of a problem. I've registered a new certificate for my domain mail.company.com at StartCom. This is a free one-year certificate. I created it from scratch on the website and didn't use IIS to generate the request. Now the problem is that if I install the generated certificate, I get an error message when I use SSLDiag to verify the certificate (since OWA doesn't work): "#WARNING: You DON'T have a private key that corresponds to this certificate".

So how do I make it install with the private key? I do have the private key and the password for it (it was generated for me on the website); it's just a simple .key file. The ssl.crt, when imported to the machine through MMC Computer Certificates, can be used in IIS, but the error is as above.

MadBoy

2 Answers


You could use OpenSSL to combine the cert and key into a PFX file.

Command would be something like:

    openssl pkcs12 -export -out mycert.pfx -in mycert.cert -inkey mykey.key

phoebus
  • http://serverfault.com/questions/172908/import-ssl-cert-into-iis-when-i-have-the-text-of-the-certificate-and-private-key I found this just when I posted. Helped me out and it works now :) – MadBoy Oct 26 '10 at 17:36
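Added example, not part of the original answer or thread: the SSLDiag warning in the question means the certificate was imported without its key, so it is worth confirming that the .key file really belongs to the certificate before running the export command from the answer. The sketch below compares the two public keys and only then builds the PFX; the function names, the `PFX_PASS` variable and the demo file names are assumptions.

```shell
#!/bin/sh
# Added example; file names, PFX_PASS and function names are assumptions.

# Public key embedded in a PEM certificate.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }

# Public key derived from a private key. $2 is an optional openssl
# pass-phrase source (env:VAR, file:PATH); unused for unencrypted keys.
pubkey_of_key() { openssl pkey -in "$1" -passin "${2:-pass:}" -pubout; }

# key_matches_cert CERT KEY [PASSIN]: 0 = pair, 1 = mismatch, 2 = unreadable.
key_matches_cert() {
    cert_pub=$(pubkey_of_cert "$1" 2>/dev/null) || return 2
    key_pub=$(pubkey_of_key "$2" "$3" 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# make_pfx CERT KEY OUT [PASSIN]: bundle only a verified pair.
# The export password is read from the exported variable PFX_PASS.
make_pfx() {
    if ! key_matches_cert "$1" "$2" "$4"; then
        echo "refusing: $2 is not the private key for $1" >&2
        return 1
    fi
    openssl pkcs12 -export -out "$3" -in "$1" -inkey "$2" \
        -passin "${4:-pass:}" -passout env:PFX_PASS || return 1
    # Read the bundle back: the MAC must verify with the same password.
    openssl pkcs12 -in "$3" -passin env:PFX_PASS -noout >/dev/null 2>&1
}

# Constructed sample data: a throwaway self-signed certificate, its key,
# and an unrelated key, written to directory $1 for trying the checks.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# Usage: PFX_PASS=... sh script.sh mycert.cert mykey.key mycert.pfx
if [ "$#" -ge 3 ]; then make_pfx "$@"; fi
```

The resulting .pfx contains the private key, so after importing it into the Computer certificate store, delete the file or keep it somewhere access-controlled.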

It might be possible, but it will be much easier and more supportable if you generate a CSR from IIS on the Exchange Server and then use that to create a new certificate.

Most Certificate Vendors will allow you to revoke a key and replace it with a new one that has the same expiry date, without incurring extra charges.

Unless you have a very good reason to do otherwise, I recommend starting over.

dunxd
  • Problem with that is I need to revoke the last certificate I created at StartCom and that costs money. Doing it like this: http://serverfault.com/questions/172908/import-ssl-cert-into-iis-when-i-have-the-text-of-the-certificate-and-private-key solved it for me :-) – MadBoy Oct 26 '10 at 17:37
  • They charge to revoke certificates? I'll remember to avoid them! – dunxd Oct 26 '10 at 17:39
  • Well the certs are free.. they charge if you want to revoke it :) – MadBoy Oct 26 '10 at 17:40
  • I see - nothing is ever really free... – dunxd Oct 26 '10 at 17:41
  • "Revocations carry a handling fee of US$ 24.90 for non-EV certificates. Before you continue, add your Credit Card or PayPal details to your StartSSL account." So... but other than that it's completely free for a year. And you can get a new one every year. You just need to look out how you do it, otherwise you will have to do some juggling like I just had to :) – MadBoy Oct 26 '10 at 17:41
  • Hang on - if they are free, then you could just have requested another free certificate :-) Or do they not accept CSRs either? – dunxd Oct 26 '10 at 17:42
  • You can't request a certificate on the webpage that you already have a cert for. I could go with postmail.domain.com instead of mail.domain.com but it's too much hassle. – MadBoy Oct 26 '10 at 17:43
  • Yeah - fair enough. Does seem like a cheap way of getting certs. Is their root certificate trusted in the major browsers? – dunxd Oct 26 '10 at 17:47
  • It should be, yes. It was problematic some time ago but it's getting better and better. It's hard to tell if it's trusted everywhere yet. Just check StartCom in your browser :-) See https://www.startssl.com/ – MadBoy Oct 27 '10 at 08:06