Create PFX certificate for MS Exchange 2016


#1

My domain is: mail.wookie.me.uk, autodiscover.wookie.me.uk

So I am trying to get a PFX certificate for an Exchange server.
I used the inbuilt certificate request tool in Exchange to create a certificate request “ExchangeCert2.csr”.

I have installed a Bash terminal in Windows and it is running Ubuntu.

Ran this command to generate the certificate.

certbot --manual --csr /mnt/c/temp/ExchangeCert2.csr --preferred-challenges dns certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Performing the following challenges:
dns-01 challenge for mail.wookie.me.uk
dns-01 challenge for autodiscover.wookie.me.uk


NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.

Are you OK with your IP being logged?

(Y)es/(N)o: y


Please deploy a DNS TXT record under the name
_acme-challenge.mail.wookie.me.uk with the following value:

_WXQ24yJIYjYpHc_O1soFlNkGr4mMrFYz7QLLeRIlhQ

Before continuing, verify the record is deployed.

Press Enter to Continue


Please deploy a DNS TXT record under the name
_acme-challenge.autodiscover.wookie.me.uk with the following value:

4xU65p6VREYhEdevPnmy50b40myM1KnurtOqY86M0z0

Before continuing, verify the record is deployed.

Press Enter to Continue
Waiting for verification…
Cleaning up challenges
Server issued certificate; certificate written to /home/wookie/0001_cert.pem
Cert chain written to 8
Cert chain written to 9

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /home/wookie/0003_chain.pem
    Your cert will expire on 2018-06-28. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

This has generated 3 files

0000_cert.pem
0000_chain.pem
0001_chain.pem

I presume the certificate has been issued correctly?

I then tried to use OpenSSL to convert the PEM key to PFX.

openssl pkcs12 -export -out /mnt/c/temp/certificate2.pfx -inkey /home/wookie/0000_cert.pem -in /home/wookie/0000_chain.pem -certfile /home/wookie/0001_chain.pem

unable to load private key
140645832394392:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY

However, I can't get this to work with the 3 files created by Certbot. I just keep getting the “unable to load private key” error.

Any help greatly appreciated.

My web/Exchange server is Exchange 2016 running on Windows Server 2016.

I can log in to a root shell on my machine: yes.

I'm using a control panel to manage my site: yes, the Exchange Control Panel (ECP).


#2

This is not correct.

You need to pass the private key that was used to generate the CSR that you passed to Certbot initially.

If you used a tool to generate the CSR, then you need to get the private key from that tool.


#3

Great, thanks, all sorted now.


#4

Can you please share what you did to get the Private key from the request made in the ECP?


#5

I have figured it out.

Exported the key in IIS.
Converted the key to PEM with OpenSSL.
Used the converted key for PFX generation with OpenSSL.
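
The three steps above as a shell script, added here as an example and not the poster's own commands: it assumes the key was exported from IIS as a password-protected PFX, all file names and passwords are placeholders, and it adds the key-to-certificate match check that the failing command in the first post skipped (the `-inkey` argument there pointed at a certificate file, not a key).

```shell
#!/bin/sh
# Added example, not the poster's commands. Assumes the key was exported from
# IIS as a password-protected PFX; all file names and passwords are placeholders.
set -eu

# Convert the IIS export to a PEM private key ("Converted the key to PEM").
extract_key_from_pfx() {  # $1 = IIS pfx, $2 = its password, $3 = output key.pem
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out "$3"
}

# The check the failing command skipped: the issued certificate must carry the
# public key of this private key, otherwise pkcs12 -export cannot pair them.
key_matches_cert() {  # $1 = key.pem, $2 = cert.pem; prints yes or no
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ] && echo yes || echo no
}

# Build the PFX Exchange imports: -inkey is the KEY, -in the leaf certificate
# (certbot's 0000_cert.pem), -certfile the chain (0000_chain.pem).
build_pfx() {  # $1 = key.pem, $2 = cert.pem, $3 = chain.pem, $4 = out.pfx, $5 = export password
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# Constructed stand-ins so the script runs offline: a throwaway key wrapped in a
# PFX (the "IIS export"), a self-signed cert for it (the "issued cert"), and an
# unrelated key to show the mismatch case. Prints the working directory.
make_demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/iis.key" -out "$d/cert.pem" \
        -subj "/CN=mail.example.test" -days 1 2>/dev/null
    openssl pkcs12 -export -inkey "$d/iis.key" -in "$d/cert.pem" \
        -out "$d/iis-export.pfx" -passout pass:exportpw
    cp "$d/cert.pem" "$d/chain.pem"          # stand-in for the chain file
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    echo "$d"
}

if [ "${1:-}" = demo ]; then
    d=$(make_demo)
    extract_key_from_pfx "$d/iis-export.pfx" exportpw "$d/key.pem"
    echo "IIS key vs cert:       $(key_matches_cert "$d/key.pem" "$d/cert.pem")"    # yes
    echo "unrelated key vs cert: $(key_matches_cert "$d/other.key" "$d/cert.pem")"  # no
    build_pfx "$d/key.pem" "$d/cert.pem" "$d/chain.pem" "$d/exchange.pfx" importpw
    echo "wrote $d/exchange.pfx"
fi
```

Run it as `sh script.sh demo` to see the match check pass for the exported key and fail for an unrelated one before the PFX is written.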


#6

Sorry for the slow reply.
Do you have it working now?
If you need any help let me know.

Cheers Dave


#7

Yes, I got it to work.

Cheers rveupen.
