Create PFX certificate for MS Exchange 2016

My domain is: mail.wookie.me.uk, autodiscover.wookie.me.uk

So I am trying to get a PFX certificate for an Exchange server.
I used the inbuilt certificate request tool in Exchange to create a certificate request “ExchangeCert2.csr”

I have installed a Bash terminal in Windows and it is running Ubuntu.

Ran this command to generate the certificate.

certbot --manual --csr /mnt/c/temp/ExchangeCert2.csr --preferred-challenges dns certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Performing the following challenges:
dns-01 challenge for mail.wookie.me.uk
dns-01 challenge for autodiscover.wookie.me.uk


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?

(Y)es/(N)o: y


Please deploy a DNS TXT record under the name
_acme-challenge.mail.wookie.me.uk with the following value:

_WXQ24yJIYjYpHc_O1soFlNkGr4mMrFYz7QLLeRIlhQ

Before continuing, verify the record is deployed.

Press Enter to Continue


Please deploy a DNS TXT record under the name
_acme-challenge.autodiscover.wookie.me.uk with the following value:

4xU65p6VREYhEdevPnmy50b40myM1KnurtOqY86M0z0

Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Server issued certificate; certificate written to /home/wookie/0001_cert.pem
Cert chain written to 8
Cert chain written to 9

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /home/wookie/0003_chain.pem
    Your cert will expire on 2018-06-28. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

This has generated 3 files

0000_cert.pem
0000_chain.pem
0001_chain.pem

I presume the certificate has been issued correctly?

I then tried to use OpenSSL to convert the PEM key to PFX

openssl pkcs12 -export -out /mnt/c/temp/certificate2.pfx -inkey /home/wookie/0000_cert.pem -in /home/wookie/0000_chain.pem -certfile /home/wookie/0001_chain.pem

unable to load private key
140645832394392:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY

However, I can't get this to work with the 3 files created by Certbot. I just keep getting the "unable to load private key" error.

Any help greatly appreciated.

My web exchange server is Exchange 2016 running on Windows Server 2016

I can login to a root shell on my machine yes

I’m using a control panel to manage my site: yes, the Exchange Control Panel (ECP)

This is not correct.

You need to pass the private key that was used to generate the CSR that you passed to Certbot initially.

If you used a tool to generate the CSR, then you need to get the private key from that tool.

Great thanks all sorted now.

Can you please share what you did to get the Private key from the request made in the ECP?

I have figured it out.

Export key in IIS.
Convert key to PEM with OpenSSL.
Used converted key for PFX generation with OpenSSL.

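The three steps in the reply above (export the key from IIS, convert it to PEM, build the PFX with OpenSSL), together with the earlier point that the key must be the one that generated the CSR, run end to end as an added example. This is not the thread's own command sequence and none of it touches Windows: a throwaway CA stands in for Let's Encrypt, the "IIS export" is a PFX written by openssl itself, and the file names, hostnames and the `changeit` password are all assumptions. What it adds beyond the reply is the two checks a practitioner wants before running `pkcs12 -export`: that the file handed to `-inkey` actually contains a private key block (the original error means it did not), and that the key's public half matches the certificate.

```shell
#!/bin/sh
# Added example (not the thread's own commands): "export key from IIS,
# convert to PEM, build the PFX" run offline. Stand-ins throughout: a
# throwaway CA signs the leaf instead of Let's Encrypt, and the IIS export
# is simulated with openssl. File names, hostnames and the password are
# assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="pass:changeit"

# Fixtures: the key/CSR pair ECP would have created, the issued leaf
# (0000_cert.pem), the issuing chain (0000_chain.pem) and the IIS export.
make_fixtures() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Stand-in Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/0000_chain.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.wookie.me.uk" \
    -keyout "$WORK/ecp.key" -out "$WORK/ExchangeCert2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ExchangeCert2.csr" -days 90 \
    -CA "$WORK/0000_chain.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/0000_cert.pem" 2>/dev/null
  # Step 1 stand-in: a password-protected PFX carrying the private key
  # that generated the CSR, as an export from IIS would.
  openssl pkcs12 -export -inkey "$WORK/ecp.key" -in "$WORK/0000_cert.pem" \
    -passout "$PASS" -out "$WORK/iis-export.pfx" 2>/dev/null
}

# Step 2: pull the key out of the exported PFX as an unencrypted PEM file.
extract_key() {
  openssl pkcs12 -in "$WORK/iis-export.pfx" -nocerts -nodes \
    -passin "$PASS" -out "$WORK/ecp-key.pem" 2>/dev/null
}

# Does the file contain a private key block at all? A certificate passed
# to -inkey gives exactly "no start line ... Expecting: ANY PRIVATE KEY".
has_private_key() {
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Is this the key that generated the CSR? Its public half must be the
# public key embedded in the certificate, byte for byte.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Step 3: the PFX for Exchange: leaf (-in), its key (-inkey) and the
# issuing chain (-certfile) under one friendly name.
build_pfx() {
  openssl pkcs12 -export -inkey "$WORK/ecp-key.pem" -in "$WORK/0000_cert.pem" \
    -certfile "$WORK/0000_chain.pem" -name "mail.wookie.me.uk" \
    -passout "$PASS" -out "$WORK/certificate2.pfx" 2>/dev/null
}

# Number of certificates inside a PFX (leaf plus chain expected here).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "$PASS" 2>/dev/null \
    | grep -c -- '-----BEGIN CERTIFICATE-----'
}

run_demo() {
  make_fixtures
  extract_key
  has_private_key "$WORK/ecp-key.pem" || { echo "no private key block"; return 1; }
  key_matches_cert "$WORK/ecp-key.pem" "$WORK/0000_cert.pem" \
    || { echo "key does not belong to this certificate"; return 1; }
  build_pfx
  echo "PFX written to $WORK/certificate2.pfx ($(pfx_cert_count "$WORK/certificate2.pfx") certs)"
}

run_demo
```

Two caveats when doing this for real rather than against the stand-ins: OpenSSL 3 may refuse a PFX exported by older Windows releases (RC2/3DES wrapping) until you add `-legacy` to the `pkcs12` read, and a PFX written with OpenSSL 3's defaults can be rejected by Windows Server 2016 as a wrong password, in which case export with `-legacy` as well. The `-nodes` key file is unencrypted; delete it once the PFX has been imported.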

Sorry for the slow reply.
Do you have it working now?
If you need any help let me know.

Cheers Dave

Yes, I got it to work.

Cheers rveupen.
