During an Exchange 2003 to 2010 transition a legacy namespace is configured for users who are connecting to Exchange 2003 mailboxes.  The Exchange Server 2010 SSL certificate includes the legacy name in its Subject Alternative Name (SAN) field, but this certificate then needs to also be installed on the Exchange 2003 server.

Export the Certificate from Exchange Server 2010

To export the certificate from Exchange Server 2010 launch the Exchange Management Shell and run the following commands.

First determine the thumbprint of the SAN certificate that is installed.

Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
E8D129180C1334D50DBE17A26795BEE0A0AEA9B3  ...WS.     CN=mail.contoso.local, OU=IT Dept, O=Contoso Pty Ltd, L=Brisban...
C5C2B0F04397D1C2C2C9834C48B268EA53F835B4  IP..S.     CN=ex2010

In this example the thumbprint is “E8D129180C1334D50DBE17A26795BEE0A0AEA9B3”.

Next export the certificate to a file by running the following command.

$file = Export-ExchangeCertificate -Thumbprint E8D129180C1334D50DBE17A26795BEE0A0AEA9B3 -BinaryEncoded:$true -Password (Get-Credential).password

A popup dialog appears for you to enter a password to protect the private key. The username field is not important but requires something to be entered in it for the dialog to accept, so just enter “username” and then a strong password.

Export an Exchange Server 2010 Certificate to Exchange 2003

Next run the following command to generate the file.

Set-Content -Path "C:Adminex2010cert.pfx" -Value $file.FileData -Encoding Byte

Copy the file to the Exchange Server 2003 server.

Import the Certificate on the Exchange 2003 Server

On the Exchange 2003 server launch mmc.exe and add the Certificates snap-in to the console, choosing the “Computer account” context.

Export an Exchange Server 2010 Certificate to Exchange 2003

Choose Local Computer and then click Finish, Close, and OK to return to the console.

Export an Exchange Server 2010 Certificate to Exchange 2003

Right-click Personal and choose All Tasks –> Import.  Step through the Certificate Import Wizard choosing the certificate file that was copied from the Exchange Server 2010 server.

Export an Exchange Server 2010 Certificate to Exchange 2003

Enter the password that you used when the certificate was exported from Exchange Server 2010.

Export an Exchange Server 2010 Certificate to Exchange 2003

Place the certificate in the Personal certificate store.

Export an Exchange Server 2010 Certificate to Exchange 2003

Complete the wizard and confirm that the import was successful.

Export an Exchange Server 2010 Certificate to Exchange 2003

About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.

Comments

  1. James Gustafson

    I purchased a 3 party cert from Go Daddy. The cert request was generated from my exchange server called Server1. I have a second Exchange server called Server2. I included the name for Server1 and Server2 in the cert I down loaded from Go Daddy as the cert would cover 5 names. I down loaded the cert from Go Daddy and completed the request on Server1 the exchange server that requested the certificate. Then I enabled all the services I wanted to uses with this certificate. I want to then export the certificate to a file and import the certificate into Server2 and the certificate covers the name of Server2 as well. Server2 keeps on telling me that the thump print is all ready in use. So I requested a new cert from Server2 and want to use this Go Daddy certificate to secure this server but don’t know how to go forward from here. I see the enrollment request in the Console Root For Certificates, but I don’t know to use the console to full fill the request.

    1. Paul Cunningham

      I’m confused. If you have generated a new certificate request (CSR) from Server2 it is exactly the same process you used to acquire the certificate for Server1. You submit the CSR to your CA of choice (such as GoDaddy) and they issue you the certificate.

  2. Mitch

    Your site is amazing! I want to set the new SAN cert up, but I’m not yet ready to switch to OWA to the new server. In that case, should I also include the internal FQDN of the 2003 server in the SAN cert? I’m concerned if I import the new cert on the 2003 server without it, I’ll run into name mismatch errors. Thanks!

    1. Paul Cunningham

      The cert on the 2003 server should include any names clients already use to connect to that Exchange server via SSL. For Exchange 2003 that usually just means the public namespaces for OWA etc, as there are no web services used internally that might be running on the FQDN with SSL enabled by default (like AutoDiscover in 2007/2010/2013).

      So in my experience, the existing public namespaces plus the new legacy namespace are usually enough.

  3. Carlos

    I try to export my verisign SAN certificate from the new exchange 2010 to my 2003 legacy exchange server, but when i use your procedure, after try to export receive the error: The private key couldn’t be exported as PKCS-12. It either couldn’t be accessed or isn’t exportable. How can i resolve this….. thanks in advance.

    1. Ronel

      Did you have any respond about this? I’m Having the samen problem

      1. Diego Zanette

        You guys have any updates on this issu? Having the same problem here.. I think the certificate was generated and imported with the option of exportable private key unmarked.

        Regards.

  4. luismendez

    Paul, It is possible to export a ceritfied from exchange 2007 to exchange 2010 🙂 ?

  5. Carl Lee

    So you import the cert. Do you have to go into IIS and change the cert the website uses?

  6. Ronnie Jorgensen

    After importing the Exchange 2010 cert into the front-end exchange 2003 server. does the server need a reboot?

  7. Jason Benway

    Very nice post, if I have a front end server for OWA 2003, do I need to import it on that server as well?

    thanks,jb

    1. Paul Cunningham

      Hi Jason, import it anywhere that will be accepting SSL connections for the name(s) in the cert. The 2003 FE will be accepting SSL connections to the legacy name, so yes, import the cert there.

      1. Jason Benway

        Thanks for the reply!! We created and imported the cert today. I just haven’t flipped the DNS yet.

  8. George V

    Thanks for this, can’t believe this is not explained anywhere on MS Technet.

    One additional step if you already have a certificate on the Exchange 2003 server – is to run the Cert wizard in IIS and Replace the existing cert with the new imported one.

  9. Alan Temperly

    I currently have a exchange 2003 with standard SSL with Certificate Authority. Do I need to remove this Standard SSL and create a SAN SSL on the Exchange 2010 server and them export the exchange 2010 cert. to exchange 2003 server?

    If I remove the standard SSL what happens to my OWA and RPC withun HTTPS connections?

    When I export SAN SSL to exchange 2003 for co-existence can I only add the legacy name in my internal DNS zone?

    1. Paul Cunningham

      Alan, Exchange 2010 works best with SAN certificates. Trying to use a single name SSL certificate with Exchange 2010 is frankly a nightmare.

      You only need to export the SAN certificate to the Exchange 2003 server if you plan to run in co-existence for a period of time. The point of doing this is so that the Exchange 2003 server has a valid certificate installed with the legacy namespace as one of the subject alternate names.

      OWA and RPC should continue to work as long as the SAN certificate includes whatever name your users use to connect to those services.

      The legacy name needs to be resolvable both internally and externally.

      1. Alan Temperly

        OK so when I create the SAN cert on Exchange 2010

        For OWA:
        Intranet = serverexchange2010.domain.com
        Internet = mail.domain.com

        Legacy:
        Intranet = legacy.serverexchange2003.domain.com
        Internet – legacy.mail.domain.com

        So legacy.serverexchange2003.domain.com will point to the owa link on exchange 2003 server instead of exchange 2010?

Leave a Reply