During an Exchange 2003 to 2010 transition a legacy namespace is configured for users who are connecting to Exchange 2003 mailboxes. The Exchange Server 2010 SSL certificate includes the legacy name in its Subject Alternative Name (SAN) field, but this certificate then needs to also be installed on the Exchange 2003 server.
Export the Certificate from Exchange Server 2010
To export the certificate from Exchange Server 2010 launch the Exchange Management Shell and run the following commands.
First determine the thumbprint of the SAN certificate that is installed.
Get-ExchangeCertificate Thumbprint Services Subject ---------- -------- ------- E8D129180C1334D50DBE17A26795BEE0A0AEA9B3 ...WS. CN=mail.contoso.local, OU=IT Dept, O=Contoso Pty Ltd, L=Brisban... C5C2B0F04397D1C2C2C9834C48B268EA53F835B4 IP..S. CN=ex2010
In this example the thumbprint is “E8D129180C1334D50DBE17A26795BEE0A0AEA9B3”.
Next export the certificate to a file by running the following command.
$file = Export-ExchangeCertificate -Thumbprint E8D129180C1334D50DBE17A26795BEE0A0AEA9B3 -BinaryEncoded:$true -Password (Get-Credential).password
A popup dialog appears for you to enter a password to protect the private key. The username field is not important but requires something to be entered in it for the dialog to accept, so just enter “username” and then a strong password.
Next run the following command to generate the file.
Set-Content -Path "C:\Admin\ex2010cert.pfx" -Value $file.FileData -Encoding Byte
Copy the file to the Exchange Server 2003 server.
Import the Certificate on the Exchange 2003 Server
On the Exchange 2003 server launch mmc.exe and add the Certificates snap-in to the console, choosing the “Computer account” context.
Choose Local Computer and then click Finish, Close, and OK to return to the console.
Right-click Personal and choose All Tasks –> Import. Step through the Certificate Import Wizard choosing the certificate file that was copied from the Exchange Server 2010 server.
Enter the password that you used when the certificate was exported from Exchange Server 2010.
Place the certificate in the Personal certificate store.
Complete the wizard and confirm that the import was successful.
About Paul Cunningham
I currently have a exchange 2003 with standard SSL with Certificate Authority. Do I need to remove this Standard SSL and create a SAN SSL on the Exchange 2010 server and them export the exchange 2010 cert. to exchange 2003 server?
If I remove the standard SSL what happens to my OWA and RPC withun HTTPS connections?
When I export SAN SSL to exchange 2003 for co-existence can I only add the legacy name in my internal DNS zone?
Alan, Exchange 2010 works best with SAN certificates. Trying to use a single name SSL certificate with Exchange 2010 is frankly a nightmare.
You only need to export the SAN certificate to the Exchange 2003 server if you plan to run in co-existence for a period of time. The point of doing this is so that the Exchange 2003 server has a valid certificate installed with the legacy namespace as one of the subject alternate names.
OWA and RPC should continue to work as long as the SAN certificate includes whatever name your users use to connect to those services.
The legacy name needs to be resolvable both internally and externally.
OK so when I create the SAN cert on Exchange 2010
For OWA:
Intranet = serverexchange2010.domain.com
Internet = mail.domain.com
Legacy:
Intranet = legacy.serverexchange2003.domain.com
Internet – legacy.mail.domain.com
So legacy.serverexchange2003.domain.com will point to the owa link on exchange 2003 server instead of exchange 2010?
Thanks for this, can’t believe this is not explained anywhere on MS Technet.
One additional step if you already have a certificate on the Exchange 2003 server – is to run the Cert wizard in IIS and Replace the existing cert with the new imported one.
Very nice post, if I have a front end server for OWA 2003, do I need to import it on that server as well?
thanks,jb
Hi Jason, import it anywhere that will be accepting SSL connections for the name(s) in the cert. The 2003 FE will be accepting SSL connections to the legacy name, so yes, import the cert there.
Thanks for the reply!! We created and imported the cert today. I just haven’t flipped the DNS yet.