A Tip From Kinetic Computer Services ...
Certificate request (.req) file is in an incorrect format when renewing Exchange 2010 certificate
Description of the Problem
You have an SSL certificate for Microsoft Exchange Server 2010 issued by a certifying authority such as GoDaddy, Network Solutions, or Verisign. The certificate is expired or expiring, and you wish to renew it. You used the Renew Exchange Certificate... command in the Server Configuration window of the Exchange Management Console and created a certificate request file (.req). When you open the file, however, it looks incorrect. For example, the lines "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" are missing, and instead of alphanumeric text, many of the characters appear to be Chinese. You attempted to submit the .req file to your certifying authority, but it told you that the request was in an incorrect format.
Cause
The certificate request file created by Exchange Management Console with the Renew Exchange Certificate... command is in binary DER format. Many popular certifying authorities, however, only accept files in ASCII PEM format, also called base64. A certificate request in PEM format looks like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
Note that the request has beginning and ending delimiters that enclose 22 lines of mostly alphanumeric ASCII text, with a line length of 64.
Solution
Microsoft includes a command-line utility with Certificate Services called certutil. This utility performs various operations on certificate files, including converting them to and from base64 format. Note that this command is run on your certificate server, which, in your environment, may be different from your Exchange server. If so, you need to copy the binary .req file to the certificate server, or make it accessible via a shared network folder or removable storage device. Open a command prompt on the certificate server and navigate to the folder where your binary .req file is, then type the following command:
certutil -encode yourbinaryinputfile yourasciioutputfile
Example:
certutil -encode der.exchange.example.com.req pem.exchange.example.com.req
You can then open the output file in Notepad and confirm that it is in the correct format to upload to your certifying authority.
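The format check described above can also be scripted instead of done by eye in Notepad. The following is an added example, not part of the original tip and not Microsoft's code: it tells binary DER from PEM by the first bytes of the file and performs the same DER-to-base64 wrapping natively, which goes slightly beyond the certutil command shown. The function names, the sample bytes, the file paths, and the END label mirroring the BEGIN label are assumptions.

```powershell
# Added example, not from the original tip. Function names are hypothetical.
function Get-CsrEncoding {
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -eq 0) { return 'Empty' }
    # PEM is ASCII text that carries a "-----BEGIN ... REQUEST-----" delimiter.
    $n = [Math]::Min(64, $Bytes.Length)
    $head = [System.Text.Encoding]::ASCII.GetString($Bytes, 0, $n)
    if ($head -match '-----BEGIN (NEW )?CERTIFICATE REQUEST-----') { return 'PEM' }
    # Binary DER is an ASN.1 SEQUENCE, so its first byte is the tag 0x30.
    if ($Bytes[0] -eq 0x30) { return 'DER' }
    return 'Unknown'
}

function ConvertTo-PemRequest {
    param([byte[]]$Der)
    if ((Get-CsrEncoding -Bytes $Der) -ne 'DER') {
        throw 'Input is not a binary DER request; nothing to convert.'
    }
    $b64 = [Convert]::ToBase64String($Der)
    $lines = @('-----BEGIN NEW CERTIFICATE REQUEST-----')
    # Wrap the base64 body at 64 characters per line, as the tip describes.
    for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $lines += $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    # Assumption: the END label mirrors the BEGIN label.
    $lines += '-----END NEW CERTIFICATE REQUEST-----'
    return ($lines -join "`r`n")
}

# Constructed sample: a 100-byte SEQUENCE-shaped blob, not a real request.
[byte[]]$sample = @(0x30, 0x62) + (1..98)
$pem = ConvertTo-PemRequest -Der $sample
$pemBytes = [System.Text.Encoding]::ASCII.GetBytes($pem)
Write-Output ("sample input : " + (Get-CsrEncoding -Bytes $sample))
Write-Output ("after convert: " + (Get-CsrEncoding -Bytes $pemBytes))
Write-Output $pem

# With a real file, using the file names from the tip (paths are placeholders):
#   $der = [System.IO.File]::ReadAllBytes('C:\certs\der.exchange.example.com.req')
#   $pem = ConvertTo-PemRequest -Der $der
#   [System.IO.File]::WriteAllText('C:\certs\pem.exchange.example.com.req', $pem)
```

Running Get-CsrEncoding on a file before uploading it shows whether the certifying authority will receive text or binary.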
David Carson
Posted on April 4, 2013 © Copyright Kinetic Computer Services
This tip is a free service of Kinetic Computer Services - professional network consultants serving the Houston area since 1998. Reproduction of this document without the author's consent is prohibited.