When you are configuring SSL certificates for Exchange Server 2013, after you have generated the certificate request and received the SSL certificate from the certificate authority, you then need to complete the pending certificate request.
In the Exchange Administration Center navigate to Servers -> Certificates. Choose the server you are configuring the SSL certificate for and highlight the certificate that has a status of “Pending request”.
With the pending request highlighted click on the link to Complete.
Enter the UNC path to the certificate that you were issued by the certificate authority, and then click OK.
When the pending request is completed and you return to the main EAC window you will see the status has changed to “Valid”.
When it is showing as valid you can then assign the SSL certificate to services on the Exchange 2013 server.
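The same step can be run from the Exchange Management Shell, which also lets you confirm the certificate's state independently of what the EAC displays. This is an added example, not part of the original article; the server name and UNC path are placeholders.

```powershell
# Added example. Run in the Exchange Management Shell.
# Placeholders (assumptions, not from the article): server name and UNC path.
$Server   = 'EXCH01'
$CertPath = '\\fileserver\share\issued-certificate.cer'

# 1. Confirm a pending request exists on the server that generated the CSR.
#    The private key stays with that request, so the issued certificate
#    has to be completed on the same server.
$pending = @(Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Status -eq 'PendingRequest' })
if ($pending.Count -eq 0) {
    Write-Warning "No pending request found on $Server."
}
$pending | Format-Table Thumbprint, Subject, Status -AutoSize

# 2. Read the issued certificate as raw bytes and complete the request.
$bytes    = [byte[]](Get-Content -Path $CertPath -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -Server $Server -FileData $bytes

# 3. Re-read the certificate from the server rather than trusting the
#    import output, and show the fields that matter.
$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $imported.Thumbprint
$cert | Format-List Subject, CertificateDomains, Thumbprint, NotAfter,
    Status, HasPrivateKey, Services

# 4. Flag the two conditions that block assigning the certificate to services.
if ($cert.Status -ne 'Valid') {
    Write-Warning "Status is '$($cert.Status)', expected 'Valid'."
}
if (-not $cert.HasPrivateKey) {
    Write-Warning "No private key is associated with this certificate on $Server."
}
```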
After completing the step, it's still showing pending request.
What do I need to do??
Exchange server 2016
Same thing with me.
I had to rekey my cert using the .req file that ECP generated (my provider is GoDaddy) then download the new crt file and complete with that.
After reading all the above I am not sure if you addressed the first two questions. Like them I still have the pending request sitting there even though I have completed it and the certificate is valid which is sitting below the original pending request. I wonder can I just delete it?
Dear Paul
Thank you for your article. It helps me a lot.
I have a little question, maybe you can help me.
When I complete the pending request the public certificate appears only on the server where that CSR was initiated. When I select the second Exchange server from the menu I don't see the generated CA certificate even though I select both Exchange servers in the certificate import wizard.
Recently I had a revoked certificate in Exchange, therefore I renewed that cert. After importing the new public CA the changes appeared only on the Exchange server where the request was initiated. When I select another Exchange server I don't see the new CA cert.
When I enter get-exchangecertificate on both Exchange servers I get different results.
What can be the cause?
You need to complete the pending request on the server that generated the CSR, then export the cert from that server (with private key) and import it to the others.
Hi Paul, I mean a step by step procedure if you have the time!
Hello Paul, Could you kindly run an article on How to RENEW A Self signed SSL Certificate in Exchange 2013. I am having a torrid time because all the articles on this subject seem to assume you are using a CA
In the Exchange admin center, select the self-signed certificate, then click the “Renew” link. Follow the prompts and you’re done.
Hi Paul,
In my scenario I am trying to import an E2k10 cert to an E2k13 server. It installed successfully but is showing Invalid. I imported the certificate in the mmc.exe snap-in to the Trusted, Intermediate and Personal containers. Restarted IIS but still, I am facing the same issue. Can you please suggest how to get this done.
An early reply would be appreciated.
Don’t use mmc to import the certificate.
https://www.practical365.com/exchange-2013-ssl-certificate-export-import/
Other than that, maybe the certificate is actually invalid.
Hi,
I got the certificate installed via EAC. But the status didn’t change. It still shows as pending. So I checked the certificate store and saw that no private key is assigned. So I repaired it using the “certutil -repairstore my” command and that fixed the issues. I can assign/enable the certificate for Exchange and everything started working fine.
But, the EAC still shows the request as pending. Is there anything else I should do to get the certificate reflected in EAC as well?
Is there any comment on Tim’s situation? I experience the exact same thing. Everything seems to work successfully after Complete Pending Request, but the certificate remains in Pending status mode.
I would look in the shell to confirm what the EAC is showing you. Sometimes the EAC gives wrong information.
I eventually got mine working by doing the following:
1. Carefully went through all settings in the EAC. Fixed a few, apparently minor, inconsistencies. Don’t know if these were the cause of the problem or not.
2. Deleted the existing certificate request in EAC and generated a new certificate request.
3. Rekeyed the certificate at my CA using the new request.
4. Imported the new certificate.
This time it all worked fine.
I got my cert from my CA. I installed the Intermediate Certification Authority as instructed by my CA. Then I imported my crt file according to your instructions. Everything seemed to work, no error notices, except that the certificate status stayed at “Pending Request”. If I repeat the import process I get the error:
A special Rpc error occurs on server VEXCHANGE: Cannot import certificate. A certificate with the thumbprint 773E7… already exists.
In the Certificates Console the certificate appears in the Personal – Certificates store on the server. So it looks like the import succeeded but Exchange doesn’t seem to recognize it.
Any thoughts about what is happening?
You’re seeing this in the EAC or in PowerShell?
In the EAC.
Tim
I’m getting exactly the same conditions whilst trying to install an SSL certificate.
I have an existing certificate and the new certificate is the existing one rekeyed with different Subject Alternate Names.
I’m loath to delete the existing one in case it breaks Exchange.
Maybe I should have “Renewed” the existing one as that appears to be an option for that certificate.
Did you find a solution?
Thanks
Brian
After I follow all your steps my Exchange Server 2013 asks me for “\unc-pathccertificate.PFX”, not .cer? Why?
Can you help me?
Thanks
Just point it to the UNC path of the file you downloaded from the certificate authority.
Dear Paul,
Thank you for your reply. The file was created by following your article https://www.practical365.com/create-ssl-certificate-request-exchange-2013 (Create an SSL Certificate Request for Exchange Server 2013) . I already repeated the process several times. I also looked at the file by opening it in notepad (no saving). I remember from older times something about the existence or not of a certain character at the end of such a file that could render the file unusable. Is there anything like this? What else can I do?
Thank you.
Right. So that creates the certificate request file. Have you then submitted that request to a CA and downloaded the certificate itself?
Thank you Paul,
I missed this step. The request was generated through the ECP. My Exchange server is the only one in the domain that has the IIS installed. Should I install the Active Directory Certificate Services role on this server and then follow your instructions from here https://www.practical365.com/exchange-2013-ssl-certificate-private-certificate-authority ?
Thank you.
No, installing certificate services on the Exchange server is very messy. Use a different server if you want to run a private CA, or just spend a bit of money and buy a certificate from a commercial CA like Digicert.
Thank you Paul,
I have to install the private CA (as instructed by my boss). We are running a virtual environment. I have a choice of installing the CA on the AD DC virtual server or create a new virtual server just for the CA. Any advice would be appreciated. Do you know of an installation guide for the CA?
Thank you.
TechNet has lots of guidance on CA installation and best practices. I encourage you to research it in detail before making your design decisions.
Dear Paul,
Thank you for all the step-by-step instructions you gave us for Exchange 2013 SSL certificate installation. They are the best.
I followed your instructions and generated the certificate request for the Exchange 2013 Server and I followed the instructions in this article to complete the pending certificate. After I click the Complete link and enter the UNC path to the file, I get the following error “A special Rpc error occurs on server [server_name]: The source data is corrupted or not properly Base64 encoded” and I have to cancel the task.
Can you please suggest a solution? Thank you
I’m guessing something is wrong with the file you downloaded from your CA. If it is a private CA then perhaps try redoing the cert process again. If it’s a commercial CA then I would contact their support and ask them about it.
Great tutorial, the status of the certificate is invalid though when I finish the pending request. Any idea why?
Thanks
Possibly due to the same issue that would cause this for Exchange 2010
https://www.practical365.com/exchange-server-2010-certificate-invalid-for-exchange-server-usage-error/
I am trying to issue an SSL Certificate for Exchange Server 2013 from a Private Certificate Authority. I have followed the steps yet when I import the certificate the status changes to invalid. How do I begin to troubleshoot this?
Thanks.
What if the status doesn’t change!!!
In my scenario, after I received the certificate from my external CA, then clicked the complete pending request and addressed the .cer file, everything seemed OK, but after the wizard completed the status remained “pending request”.
Any solution?
I get the same problem.