My domain is: mail.wookie.me.uk, autodiscover.wookie.me.uk
So I am trying to get a PFX certificate for an Exchange server.
I used the inbuilt certificate request tool in Exchange to create a certificate request “ExchangeCert2.csr”.
I have installed a Bash terminal in Windows and it is running Ubuntu.
Ran this command to generate the certificate.
certbot --manual --csr /mnt/c/temp/ExchangeCert2.csr --preferred-challenges dns certonly
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Performing the following challenges:
dns-01 challenge for mail.wookie.me.uk
dns-01 challenge for autodiscover.wookie.me.uk
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.
Are you OK with your IP being logged?
(Y)es/(N)o: y
Please deploy a DNS TXT record under the name
_acme-challenge.mail.wookie.me.uk with the following value:
_WXQ24yJIYjYpHc_O1soFlNkGr4mMrFYz7QLLeRIlhQ
Before continuing, verify the record is deployed.
Press Enter to Continue
Please deploy a DNS TXT record under the name
_acme-challenge.autodiscover.wookie.me.uk with the following value:
4xU65p6VREYhEdevPnmy50b40myM1KnurtOqY86M0z0
Before continuing, verify the record is deployed.
Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Server issued certificate; certificate written to /home/wookie/0001_cert.pem
Cert chain written to 8
Cert chain written to 9
IMPORTANT NOTES:
-
Congratulations! Your certificate and chain have been saved at:
/home/wookie/0003_chain.pem
Your cert will expire on 2018-06-28. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
“certbot renew” -
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
This has generated 3 files
0000_cert.pem
0000_chain.pem
0001_chain.pem
I presume the certificate has been issued correctly?
I then tried to use OpenSSL to convert the PEM key to PFX
openssl pkcs12 -export -out /mnt/c/temp/certificate2.pfx -inkey /home/wookie/0000_cert.pem -in /home/wookie/0000_chain.pem -certfile /home/wookie/0001_chain.pem
unable to load private key
140645832394392:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY
However, I can't get this to work with the 3 files created by Certbot. I just keep getting the "unable to load private key" error.
Any help greatly appreciated.
My Exchange server is Exchange 2016 running on Windows Server 2016.
I can login to a root shell on my machine, yes.
I'm using a control panel to manage my site, yes, the Exchange control panel (ECP).
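The "no start line ... Expecting: ANY PRIVATE KEY" message above comes from OpenSSL not finding a private-key PEM block in the file given to -inkey. The following added check (not from the original post or from certbot) lists the PEM block types in each input file and predicts whether `openssl pkcs12 -export -inkey A -in B` can load them; the sample PEM contents are constructed placeholders, not real key material.

```python
import re
from typing import Dict, List

# One PEM block: "-----BEGIN <label>-----" ... "-----END <same label>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Labels OpenSSL accepts for "ANY PRIVATE KEY" (the -inkey argument).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_labels(text: str) -> List[str]:
    """Labels of the PEM blocks in text, in file order (empty if not PEM)."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def check_pkcs12_inputs(inkey_text: str, in_text: str) -> Dict[str, str]:
    """Predict whether 'openssl pkcs12 -export -inkey A -in B' can load its inputs.
    Returns a verdict per argument: "ok" or a one-line reason it will fail."""
    verdict = {}
    key_labels = [lab for lab in pem_labels(inkey_text) if lab in KEY_LABELS]
    if len(key_labels) == 1:
        verdict["inkey"] = "ok"
    elif not key_labels:
        found = pem_labels(inkey_text) or ["no PEM blocks"]
        verdict["inkey"] = ("no private key block, only %s; openssl will report "
                            "'no start line ... Expecting: ANY PRIVATE KEY'" % ", ".join(found))
    else:
        verdict["inkey"] = "more than one private key block (%d)" % len(key_labels)
    cert_count = pem_labels(in_text).count("CERTIFICATE")
    verdict["in"] = "ok" if cert_count else "no CERTIFICATE block in -in file"
    return verdict

# Constructed sample files (bodies are placeholder base64, not real key material).
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIBcnN0cnVjdGVk\n-----END CERTIFICATE-----\n"
SAMPLE_CHAIN = SAMPLE_CERT + SAMPLE_CERT
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIBcGxhY2Vob2xkZXI=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    # Same shape as the post: a certificate file passed as -inkey, so loading fails.
    print(check_pkcs12_inputs(SAMPLE_CERT, SAMPLE_CHAIN))
    # The shape OpenSSL needs: the private key that produced the CSR as -inkey.
    print(check_pkcs12_inputs(SAMPLE_KEY, SAMPLE_CHAIN))
```

Run it against the real files (read each path and pass its text) before invoking openssl; it only inspects PEM headers and never parses or prints key bytes.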