A Tip From Kinetic Computer Services ...

Certificate request (.req) file is in an incorrect format when renewing Exchange 2010 certificate



Description of the Problem

You have an SSL certificate for Microsoft Exchange Server 2010 issued by a certifying authority such as GoDaddy, Network Solutions, or Verisign. The certificate is expired or expiring, and you wish to renew it. You used the Renew Exchange Certificate... command in the Server Configuration window of the Exchange Management Console and created a certificate request file (.req). When you open the file, however, it looks incorrect. For example, the lines "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END NEW CERTIFICATE REQUEST-----" are missing, and instead of alphanumeric text, many of the characters appear to be Chinese.

You attempted to submit the .req file to your certifying authority, but it told you that the request was in an incorrect format.

Cause

The certificate request file created by Exchange Management Console with the Renew Exchange Certificate... command is in binary DER format. Many popular certifying authorities, however, only accept files in ASCII PEM format, also called base64.

A certificate request in PEM format looks like this:

-----BEGIN NEW CERTIFICATE REQUEST----- BAsMG3RvbWFpbiBDb250cm9sIFZhbGlkYXRlZD3aMBgGA1U3AwwRZXhjaGFuZ2Uu MII3FjCCAv4CAQAwWz3aMBgGA1U3CgwRZXhjaGFuZ2UuYWJi3S5jb20xITAfBgNV fGnF3rU1VacfkTfaJZ2KntCh2PA1IA/pZcx2hFlpTEvuVk7WPtS6STfHmX977vmi YWJi3S5jb20wgg3iMA0GCSqGSIbEDQ3BAQUAA4IBDwAwgg3KAoIBAQCx+mZy4V50 pvXUA3uvwn8XkCL/3z2It3Du9tJ7ltS0QOyxut23n9/l8JXfn00Wyw+dRMJgEJWU 337Lk4t3UCcJlG4oXUKg9pAJJjMMb/Nlf61YA3T/Kw3NUh3gMOuGNd5SU1qy6Ahi C+mIuREZSyzGPomN3DXEhwhxsDoMal0p4TMYTNlf5L8qrUiyxAQgKGFPwZRcuMC1 CJgyqxq+j3j7AgMBAAGgggF0MBoGCisGAQQBgjcNAgMxDBYKNi4xLjc2MD3uMjB3 ltdWblW8DTUKEc865MwYpNhS4wWRl/u/M/1tPQkhBokFB9LWD9SujX3gnrWHR3GI QVxBQkJZLTA0JAwiTWljcm9zb2Z0LkV4Y2hhbmdlLlNlcnZpY2VIbEN0LmV4ZTBy BgkrBg33AYIEFRQxUTBPAg3FDBZBQkJZLTA0LmFyZW5hLmFiYnkuY29tDA5BUkVO IABTA3MAaABhAG4AbgBlAGwAIABDAHIA3QBwAHQAbwBnAHIAYQBwAGgAaQBjACAA BgorBg33AYIEDQICMWQwYgIBAR5aA30AaQBjAHIAbwBzAG8AZgB0ACAAUgBTA33A AwIFoDAzBgNVHR33LDAqghFl3GNoYW5nZS5hYmJ5LmNvbYIVdEdELmV4Y2hhbmdl UAByAG8AdgBpAGQAZQByAw3AMIGBBgkqhkiG9w0BCQ4xdDByMA4GA1UdDw3B/wQ3 iuKWzS5HMA0GCSqGSIbEDQ3BBQUAA4IBAQCvc+f1gluvAdQD3EyJntYOI3gyC1YZ LmFiYnkuY29tMAwGA1Ud3w3B/wQCMAAwHQYDVR0OBBY3FHATQ3/zUMLPDznV3ii1 06I7CTsOiDpKzFgw7K9ZPUSg9n3mEJmuV/VGoOuqGxG4F6OKkFVJkYrD+yoVCs7u pEQZ5TJ5PhQJ0rB4x/v06ZLMD8TunRB9vSHK+OXoNTnlqZwG1HLNZ9qnOgBMzdyq 1wB5YCtnp3NMmH757Oqh1iAFyL8jl2Tza7vwhxN4mXCO3M0hE7kyEFvfm3bANL1s uWkOMnGZipoMZJDTduj2ELUTuCTnagv8kaSlFDB2O69hZgWLBKJacpGsywG0Z9JQ ED/VEOzNrfkkxE38xVAEhBStqggua4hmO4+XbC583VMCtVaH3fcxA6Xc
-----END NEW CERTIFICATE REQUEST-----

Note that the request has beginning and ending delimiters that enclose 22 lines of mostly alphanumeric ASCII text, with a line length of 64.

Solution

Microsoft includes a command-line utility with Certificate Services called certutil. This utility performs various operations on certificate files, including converting them to and from base64 format.

Note that this command is run on your certificate server, which, in your environment, may be different from your Exchange server. If so, you need to copy the binary .req file to the certificate server, or make it accessible via a shared network folder or removable storage device.

Open a command prompt on the certificate server and navigate to the folder where your binary .req file is, then type the following command:

certutil -encode yourbinaryinputfile yourasciioutputfile

Example:
certutil -encode der.exchange.example.com.req pem.exchange.example.com.req

You can then open the output file in Notepad and confirm that it is in the correct format to upload to your certifying authority.
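As a cross-check on the two formats described above, the following Python sketch (an added example, not part of the original tip and not a replacement for certutil) tells a binary DER request from a PEM one and wraps DER in the delimiters and 64-character lines shown earlier. The function names are hypothetical, the sample bytes are constructed filler rather than a real request, and the check looks only at the outer structure, not at the request's contents.

```python
import base64
import re

BEGIN = "-----BEGIN NEW CERTIFICATE REQUEST-----"
END = "-----END NEW CERTIFICATE REQUEST-----"
# Accept the delimiters with or without the word NEW.
PEM_RE = re.compile(
    rb"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    rb"-----END (?:NEW )?CERTIFICATE REQUEST-----", re.DOTALL)

def der_total_length(data):
    """Length of the outer DER SEQUENCE (header + body), or None if absent."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return None
    if data[1] < 0x80:                        # short-form length
        return 2 + data[1]
    n = data[1] & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify(data):
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a .req file."""
    if PEM_RE.search(data):
        return "pem"
    if der_total_length(data) == len(data):
        return "der"
    return "unknown"

def der_to_pem(data):
    """Wrap a DER request in base64 text, 64 characters per line."""
    if classify(data) != "der":
        raise ValueError("input is not a single DER-encoded SEQUENCE")
    b64 = base64.b64encode(data).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *body, END]) + "\n"

def pem_to_der(data):
    """Recover the binary request from PEM text (round-trip check)."""
    match = PEM_RE.search(data)
    if match is None:
        raise ValueError("no certificate request delimiters found")
    return base64.b64decode(b"".join(match.group(1).split()))

# Constructed sample: a well-formed outer SEQUENCE with filler, not a real CSR.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    print(classify(SAMPLE_DER))
    print(der_to_pem(SAMPLE_DER), end="")
```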

David Carson
Posted on April 4, 2013
© Copyright Kinetic Computer Services


This tip is a free service of Kinetic Computer Services - professional network consultants serving the Houston area since 1998.

Reproduction of this document without the author's consent is prohibited.

