When you are configuring SSL certificates for Exchange Server 2013, after you have generated the certificate request and received the SSL certificate from the certificate authority, you then need to complete the pending certificate request.

In the Exchange Administration Center navigate to Servers -> Certificates. Choose the server you are configuring the SSL certificate for and highlight the certificate that has a status of “Pending request”.

How to Complete a Pending Certificate Request in Exchange Server 2013
Pending certificate request in Exchange 2013

With the pending request highlighted click on the link to Complete.

Choose to complete the pending request

Enter the UNC path to the certificate that you were issued by the certificate authority, and then click OK.

Provide the path to the certificate file

When the pending request is completed and you return to the main EAC window you will see the status has changed to “Valid”.

The SSL certificate is now valid

Once the certificate shows as valid, you can assign it to services on the Exchange 2013 server.
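The same completion step can be performed from the Exchange Management Shell, which also reports the certificate status and whether a private key is attached. This is an added example, not part of the original article; the server name and UNC path are placeholder values.

```powershell
# Added example. Run in the Exchange Management Shell against the server
# that generated the certificate request.
# $Server and $CertPath are placeholders (assumptions), not values from the article.
$Server   = 'EX01'
$CertPath = '\\fileserver\certs\mail_example_com.cer'

# 1. Show the requests that are still waiting to be completed on this server.
Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-List Thumbprint, Subject, CertificateDomains, Status

# 2. Complete the pending request by importing the certificate issued by the CA.
#    The issued file contains only the public certificate; the private key is the
#    one created on this server when the request was generated.
$bytes    = [System.IO.File]::ReadAllBytes($CertPath)
$imported = Import-ExchangeCertificate -Server $Server -FileData $bytes

# 3. Read the certificate back and check what the server itself reports.
$cert = Get-ExchangeCertificate -Server $Server -Thumbprint $imported.Thumbprint
$cert | Format-List Thumbprint, Subject, CertificateDomains, Status,
                    HasPrivateKey, NotBefore, NotAfter, Services

# 4. Only a certificate that is Valid and has its private key should be
#    assigned to services.
if ($cert.Status -ne 'Valid' -or -not $cert.HasPrivateKey) {
    Write-Warning ("Certificate {0} on {1}: Status={2}, HasPrivateKey={3}. " +
                   "Resolve this before assigning services.") -f `
                   $cert.Thumbprint, $Server, $cert.Status, $cert.HasPrivateKey
}
```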

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. KANNAN SIVARAJ

    After completing the step, it is still showing pending request.
    What do I need to do?

    1. KANNAN SIVARAJ

      Exchange server 2016

    2. gina

      Same thing with me.

    3. SB

      I had to rekey my cert using the .req file that ECP generated (my provider is GoDaddy) then download the new crt file and complete with that.

  2. Sean Wright

    After reading all the above I am not sure if you addressed the first two questions. Like them I still have the pending request sitting there even though I have completed it and the certificate is valid which is sitting below the original pending request. I wonder can I just delete it?

  3. Elnur

    Dear Paul

    Thank you for your article. It helps me a lot.
    I have a little question, maybe you can help me.
    When I complete the pending request the public certificate appears only on the server where the CSR was initiated. When I select the second Exchange server from the menu I don't see the generated CA certificate, even though I select both Exchange servers in the certificate import wizard.

    Recently I had revoked certificate in Exchange, therefore I renewed that cert. After importing the new public CA the changes appeared only on the Exchange server where the request was initiated. When I select another Exchange server I don't see the new CA cert.

    1. Elnur

      When I enter get-exchangecertificate on both Exchange servers I get different results.
      What can be the cause?

    2. Paul Cunningham

      You need to complete the pending request on the server that generated the CSR, then export the cert from that server (with private key) and import it to the others.

  4. Alfre Nawa

    Hi Paul, I mean a step by step procedure if you have the time!

  5. Alfre Nawa

    Hello Paul, Could you kindly run an article on How to RENEW A Self signed SSL Certificate in Exchange 2013. I am having a torrid time because all the articles on this subject seem to assume you are using a CA

    1. Paul Cunningham

      In the Exchange admin center, select the self-signed certificate, then click the “Renew” link. Follow the prompts and you’re done.

  6. Amit kumar

    Hi Paul,

    In my scenario, when I am trying to import an E2k10 cert to an E2k13 server, it is installed successfully but showing Invalid. I imported the certificate in the mmc.exe snap-in to the Trusted, Intermediate and Personal containers. Restarted IIS but still I am facing the same issue. Can you please suggest how to get this done?

    An early reply would be appreciated.

  7. Nash Burns

    Hi,

    I got the certificate installed via EAC. But the status didn’t change. It still shows as pending. So I checked the certificate store and saw that no private key is assigned. So I repaired it using the “certutil -repairstore my” command and that fixed the issues. I can assign/enable the certificate for Exchange and everything started working fine.

    But, the EAC still shows the request as pending. Is there anything else I should do to get the certificate reflected in EAC as well?

  8. Gary Schmidt

    Is there any comment on Tim’s situation? I experience the exact same thing. Everything seems to work successfully after Complete Pending Request, but the certificate remains in Pending status mode.

    1. Paul Cunningham

      I would look in the shell to confirm what the EAC is showing you. Sometimes the EAC gives wrong information.

    2. Tim

      I eventually got mine working by doing the following:

      1. Carefully went through all settings in the EAC. Fixed a few, apparently minor, inconsistencies. Don’t know if these were the cause of the problem or not.

      2. Deleted the existing certificate request in EAC and generated a new certificate request.

      3. Rekeyed the certificate at my CA using the new request.

      4. Imported the new certificate.

      This time it all worked fine.

  9. Tim

    I got my cert from my CA. I installed the Intermediate Certification Authority as instructed by my CA. Then I imported my crt file according to your instructions. Everything seemed to work, no error notices, except that the certificate status stayed at “Pending Request”. If I repeat the import process I get the error:

    A special Rpc error occurs on server VEXCHANGE: Cannot import certificate. A certificate with the thumbprint 773E7… already exists.

    In the Certificates Console the certificate appears in the Personal – Certificates store on the server. So it looks like the import succeeded but Exchange doesn’t seem to recognize it.

    Any thoughts about what is happening?

      1. Tim

        In the EAC.

    1. Brian Perks

      Tim

      I’m getting exactly the same conditions whilst trying to install an SSL certificate.

      I have an existing certificate and the new certificate is the existing one rekeyed with different Subject Alternate Names.

      I’m loath to delete the existing one in case it breaks Exchange.

      Maybe I should have “Renewed” the existing one as that appears to be an option for that certificate.

      Did you find a solution?

      Thanks

      Brian

  10. Leo

    After I follow all your steps my Exchange Server 2013 asks me for “\unc-pathccertificate.PFX”, not .cer? Why?
    Can you help me?
    Thanks

    1. Paul Cunningham

      Just point it to the UNC path of the file you downloaded from the certificate authority.

  11. Larry

    Dear Paul,

    Thank you for your reply. The file was created by following your article https://www.practical365.com/create-ssl-certificate-request-exchange-2013 (Create an SSL Certificate Request for Exchange Server 2013) . I already repeated the process several times. I also looked at the file by opening it in notepad (no saving). I remember from older times something about the existence or not of a certain character at the end of such a file that could render the file unusable. Is there anything like this? What else can I do?

    Thank you.

    1. Paul Cunningham

      Right. So that creates the certificate request file. Have you then submitted that request to a CA and downloaded the certificate itself?

        1. Paul Cunningham

          No, installing certificate services on the Exchange server is very messy. Use a different server if you want to run a private CA, or just spend a bit of money and buy a certificate from a commercial CA like Digicert.

      1. Larry

        Thank you Paul,
        I have to install the private CA (as instructed by my boss). We are running a virtual environment. I have a choice of installing the CA on the AD DC virtual server or create a new virtual server just for the CA. Any advice would be appreciated. Do you know of an installation guide for the CA?
        Thank you.

        1. Paul Cunningham

          TechNet has lots of guidance on CA installation and best practices. I encourage you to research it in detail before making your design decisions.

  12. Larry

    Dear Paul,

    Thank you for all the step-by-step instructions you gave us for Exchange 2013 SSL certificate installation. They are the best.

    I followed your instructions and generated the certificate request for the Exchange 2013 Server and I followed the instructions in this article to complete the pending certificate. After I click the Complete link and enter the UNC path to the file, I get the following error “A special Rpc error occurs on server [server_name]: The source data is corrupted or not properly Base64 encoded”. and I have to cancel the task.

    Can you please suggest a solution? Thank you.

    1. Paul Cunningham

      I’m guessing something is wrong with the file you downloaded from your CA. If it is a private CA then perhaps try redoing the cert process again. If it’s a commercial CA then I would contact their support and ask them about it.

  13. HamB

    Great tutorial. The status of the certificate is invalid, though, when I finish the pending request. Any idea why?
    Thanks

  14. Ian

    I am trying to issue an SSL Certificate for Exchange Server 2013 from a Private Certificate Authority. I have followed the steps yet when I import the certificate the status changes to invalid. How do I begin to troubleshoot this?

    Thanks.

  15. Amir

    What if the status doesn’t change!!!
    In my scenario, after I received the certificate from my external CA, then clicked the complete pending request and addressed the .cer file, everything seemed OK, but after the wizard completed the status remained “pending request”.

    Any solution?

    1. josh

      I get the same problem.
