A Tip From Kinetic Computer Services ...
Certificate request (.req) file is in an incorrect format when renewing Exchange 2010 certificate
Description of the Problem
You have an SSL certificate for Microsoft Exchange Server 2010 issued by a certifying authority such as GoDaddy, Network Solutions, or Verisign. The certificate is expired or expiring, and you wish to renew it. You used the Renew Exchange Certificate... command in the Server Configuration window of the Exchange Management Console and created a certificate request file (.req). When you open the file, however, it looks incorrect. For example, the lines "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" are missing, and instead of alphanumeric text, many of the characters appear to be Chinese.
You attempted to submit the .req file to your certifying authority, but it told you that the request was in an incorrect format.
The certificate request file created by Exchange Management Console with the Renew Exchange Certificate... command is in binary DER format. Many popular certifying authorities, however, only accept files in ASCII PEM format, also called base64.
A certificate request in PEM format looks like this:
Note that the request has beginning and ending delimiters that enclose 22 lines of mostly alphanumeric ASCII text, with a line length of 64.
Microsoft includes a command-line utility with Certificate Services called certutil. This utility performs various operations on certificate files, including converting them to and from base64 format.
Note that this command is run on your certificate server, which, in your environment, may be different from your Exchange server. If so, you need to copy the binary .req file to the certificate server, or make it accessible via a shared network folder or removable storage device.
Open a command prompt on the certificate server and navigate to the folder where your binary .req file is, then type the following command:
You can then open the output file in Notepad and confirm that it is in the correct format to upload to your certifying authority.
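The conversion and check described above, as an added PowerShell example that is not part of the original tip: it confirms the input is binary DER, runs certutil -encode, and then has certutil -dump parse the result. The file names are placeholders assumed for illustration.

```powershell
# Added example. The default file names are placeholders, not values from the tip.
param(
    [string]$InFile  = '.\renewal.req',      # binary request from Exchange (assumed name)
    [string]$OutFile = '.\renewal-pem.req'   # base64 output file (assumed name)
)

# Resolve the path first: .NET's working directory can differ from PowerShell's.
$inPath = (Resolve-Path $InFile).Path
$bytes  = [System.IO.File]::ReadAllBytes($inPath)
$head   = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(10, $bytes.Length))

if ($head -eq '-----BEGIN') {
    Write-Output "$InFile already has PEM delimiters; no conversion needed."
    return
}

# A DER-encoded request is an ASN.1 SEQUENCE, so its first byte is 0x30.
if ($bytes.Length -eq 0 -or $bytes[0] -ne 0x30) {
    throw "$InFile does not look like a DER-encoded certificate request."
}

if (Test-Path $OutFile) {
    throw "$OutFile already exists; choose another output name."
}

# certutil -encode writes the base64 form of the input file to the output file.
certutil -encode $inPath $OutFile | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "certutil -encode failed with exit code $LASTEXITCODE."
}

# Print the delimiter line that was written so it can be compared with
# the one your certifying authority expects.
$first = Get-Content $OutFile -TotalCount 1
Write-Output "First line of ${OutFile}: $first"

# certutil -dump decodes the file; a non-zero exit code means it did not parse.
$dump = certutil -dump $OutFile
if ($LASTEXITCODE -ne 0) {
    throw "certutil -dump could not parse $OutFile."
}
$dump | Select-Object -First 15
```

Check the subject and host names in the dump output against the certificate being renewed before uploading the file.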
Posted on April 4, 2013
© Copyright Kinetic Computer Services