Enable-ExchangeCertificate weird error PkixKpServerAuthNotFoundInEnhancedKeyUsage
I am trying to import a certificate on my demo server and am getting this weird error. I am installing everything on a single PC: Windows Server 2003 Standard SP2, Exchange 2007 SP1, and I installed a Certificate Authority for the SSL certificate too.
It basically started when I could not connect to Exchange 2007 through VPN using Outlook 2007. I found Outlook Anywhere required an SSL certificate and was trying to do it on the same PC, so I installed a Certificate Authority and HTTP RPC, ran the New-ExchangeCertificate cmdlet, and requested and issued certnew.cer.
Installation of certificate went smoothly -
[PS] C:\>Import-ExchangeCertificate -Path C:\certnew.cer

Thumbprint                                Services   Subject
----------                                --------   -------
19145FFF0E20E8C170667104AC3D8920BAFD5348  .....      E=Administrator@demo.m...
And when I tried to Enable, I got following output -
[PS] C:\>Enable-ExchangeCertificate -Services "IIS, SMTP, POP, IMAP" -Thumbprint 19145FFF0E20E8C170667104AC3D8920BAFD5348
Enable-ExchangeCertificate : The certificate with thumbprint 19145FFF0E20E8C170667104AC3D8920BAFD5348 was found but is not valid for use with Exchange Server (reason: PkixKpServerAuthNotFoundInEnhancedKeyUsage).
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Services "IIS, SMTP, POP, IMAP" -Thumbprint 19145FFF0E20E8C170667104AC3D8920BAFD5348
Any help would be highly appreciated.
April 7th, 2009 8:43am
Would you consider buying a cert instead of creating one? Also, refer here for certificate use in Exchange 2007: http://technet.microsoft.com/en-us/library/bb851505.aspx Read the section "Where to Get Your Certificate".
Ook
April 7th, 2009 10:53pm
Right now I am trying to prove to my senior management why we should move to Exchange from QMail. I have downloaded the 120-day evaluation of Exchange 2007 and am installing everything on a single PC that I have. I have got LAN Outlook, LAN push mail on a mobile device and OWA working. I finally need to get VPN Outlook working too. My management will agree to buy a public CA if I can show them everything - looks like it's a deadlock :)
I am also working on an eval version of ISA Server 2006 and looking at its features to see if it's better than the PIX firewall.
April 8th, 2009 7:08am
Hi,
PkixKpServerAuthNotFoundInEnhancedKeyUsage translates to: the Enhanced Key Usage extension is present in the certificate, but it does not contain the Server Authentication OID.
First, please check whether the certificate has a value for Enhanced Key Usage in the Certificates MMC.
1. Run MMC from a command prompt.
2. Click File on the toolbar and select Add/Remove Snap-in.
3. In the Standalone tab, click Add -> Certificates -> Computer account -> Local computer.
4. Click Finish and OK.
5. Expand Certificates -> Personal -> Certificates, and Certificates -> Trusted Root Certification Authorities -> Certificates.
6. Double-click the certificate and then go to the Details tab.
7. There, look for Enhanced Key Usage in the scrolling list.
If it has no value, then we need to create a new certificate.
Please run New-ExchangeCertificate from the Exchange Management Shell on the CAS role with PrivateKeyExportable $True.
Then enable the certificate in IIS Manager for the Exchange 2007 server.
After that, please check whether the certificate has been installed under Trusted Root CA in the Certificates MMC; if not, please install the certificate under Trusted Root CA.
If it has a value, then we need to check the OID value in ADSIedit.msc. We shall delete the OID 1.3.6.1.5.5.7.3.1 using ADSIedit.msc from "CN=Configuration, DC=Domain, DC=com -> CN=Services, CN=Public Key Services, CN=OID".
Regards,
Xiu
April 8th, 2009 12:47pm
Thanks Xiu for all the trouble you've taken. Yes, there was no "Enhanced Key Usage" in "Certificates" -> "Trusted Root CA" -> "Certificates".
In the initial "New-ExchangeCertificate", I had used the option "PrivateKeyExportable:$True"; this time I tried without the ':' but with a blank space before $True (hoping it will now work and then I can brag about finding a colon bug :P). "Import-ExchangeCertificate" worked as it should, but "Enable-ExchangeCertificate -Thumbprint xxxxx -Services IIS" threw the same error as before (as mentioned in the first post).
I was a little confused when you said "then enable the certificate on the IIS Manager for Exchange 2007 server" -> I hope you did not mean enabling the certificate in Administrative Tools -> IIS Manager. Well, I tried to remove the Exchange self-signed certificate, but that is the only available certificate to choose from.
The latest certificate I generated from "Certification Authority" was not there in "Trusted Root CA" in the MMC window, so I imported it into "Trusted Root CA". Okay, now there is "Enhanced Key Usage". But it doesn't have OID "1.3.6.1.5.5.7.3.1". Instead it has the following entries:
Microsoft Trust List Signing (1.3.6.1.4.1.311.10.3.1)
Encrypting File System (1.3.6.1.4.1.311.10.3.4)
Secure Email (1.3.6.1.5.5.7.3.4)
Client Authentication (1.3.6.1.5.5.7.3.2)
At this point, I checked whether the new certificate was listed for me to choose in IIS Manager. It was not.
I did not find any mention of OID "1.3.6.1.5.5.7.3.1" in ADSIedit.msc. There were three main branches and the second one was "CN=Configuration, DC=Domain, DC=Domain". I right-clicked, chose 'Rename' and tried to change the text to "CN=Services, CN=Public Key Services, CN=OID", but when I pressed Enter, it gave the following error: "The operation could not be performed because the object's parent is either uninstantiated or deleted."
Getting Exchange to work is sure difficult - I wish Windows always stayed as simple as clicking "Next" :)
April 8th, 2009 9:01pm
Hi,
Do not worry. Let me check the current status with you again.
1. From Certificate MMC, we can find the certificate with Enhanced Key Usage. Is that true?
2. From Adsiedit.msc, expand Configuration -> CN=Configuration, DC=[Domain],DC=Com ->CN=Services->CN=Public Key Services ->CN=OID. In the right result pane, you cannot find any 1.3.6.1.5.5.7.3.1. Is that true? Please try to capture a screenshot and then send to me.
3. Please run get-exchangecertificate |fl and send the output to me.
So far, I'd like to recommend that you delete all the certificates you have created from the Certificate Authority and then re-create a new certificate.
Besides, since the issue is some kind of corruption or permissions issue in the registry on the server, due to which the local certificate store is not working as expected, I recommend you use a third-party certificate.
Regards,
Xiu
April 9th, 2009 10:19am
Hi Xiu,
#1: True. There is "Enhanced Key Usage" in the certificate when checked from MMC.
#2: It is silly of me that I was trying to rename the key itself. How dumb :(. I must have misread your previous post. I have captured the screenshot.
#3: I have copy-pasted the output into Excel. Is there any other way I can send you an attachment? (Actually I do not want to disclose the domain name to the public :( )
I will also try to get a certificate issued from another CA server which we are using for other purposes too. If nothing works, then I will buy from a third party.
Thanks a lot.
Picture: Screenshot of OID
April 9th, 2009 3:02pm
Hi,
I may also have missed some information in your previous post. In your previous post, I note that under Enhanced Key Usage, we are missing "Server Authentication (1.3.6.1.5.5.7.3.1)". For an Exchange certificate, we may need to have Server Authentication (1.3.6.1.5.5.7.3.1) under Enhanced Key Usage. When we request a server certificate from a Certification Authority, we need to select "Web Server" as the Certificate Template.
Please follow the steps below to create the new Exchange certificate request, request the certificate, import the certificate, and enable the certificate.
1. New Exchange certificate. Please use the command below to generate the certificate request.
New-ExchangeCertificate -GenerateRequest -SubjectName "dc=com,dc=contoso,o=Contoso Corporation,cn=exchange.contoso.com" -DomainName CAS01,CAS01.exchange.corp.contoso.com,exchange.contoso.com,autodiscover.contoso.com -PrivateKeyExportable:$true -Path c:\certrequest_cas01.txt
2. Request a certificate from the Certificate Authority.
a. Please type http://<server_name>/certsrv/
b. Click Request a certificate, and then click Advanced certificate request.
c. On the Advanced Certificate Request page, click Submit a certificate request by using a base-64 encoded
d. On the Submit a Certificate Request or Renewal Request page, please click Browse for a file to insert. Please find c:\certrequest_cas01.txt and then insert.
e. After that please select Web Server as Certificate Template.
f. On the Certificate Issued page, we can click DER encoded and then click Download certificate.
3. Import the certificate. Please use the command below to import the certificate.
Import-ExchangeCertificate -Path c:\certificates\import.p7b
4. Enable the certificate. Please use the command below to enable the certificate.
Enable-ExchangeCertificate -Thumbprint 5113ae0233a72fccb75b1d0198628675333d010e -Services "POP, IMAP"
5. After that, please run get-exchangecertificate |fl to check whether we have successfully installed the certificate on these services.
Regards,
Xiu
April 10th, 2009 6:08am
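The Enhanced Key Usage check that Xiu walks through by hand in the Certificates MMC (and that the Web Server template satisfies), as an added PowerShell example that is not code from this thread: it lists each certificate in the computer's Personal store and reports whether its EKU contains Server Authentication (1.3.6.1.5.5.7.3.1). It assumes Windows PowerShell with the .NET 2.0 X509Certificate2 class, which the Exchange 2007 Management Shell provides; the function name Test-ServerAuthEku is my own choice.

```powershell
# Added example, not code from this thread: report whether each certificate's
# Enhanced Key Usage (EKU) lists Server Authentication, OID 1.3.6.1.5.5.7.3.1,
# the entry Xiu asks the poster to look for in the Certificates MMC.
# Assumes Windows PowerShell with the .NET 2.0 X509Certificate2 class (available
# in the Exchange 2007 Management Shell); Test-ServerAuthEku is a name chosen here.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    # .NET hands back the EKU extension (OID 2.5.29.37) as a typed object
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }

    $result = "" | Select-Object Thumbprint, Subject, EkuPresent, ServerAuth, Purposes
    $result.Thumbprint = $Cert.Thumbprint
    $result.Subject    = $Cert.Subject
    $result.EkuPresent = ($ekuExt -ne $null)

    if ($ekuExt -eq $null) {
        # No EKU extension at all: per X.509 the key is not restricted to any purpose
        $result.ServerAuth = $true
        $result.Purposes   = '(no EKU extension - unrestricted)'
    } else {
        $names = @($ekuExt.EnhancedKeyUsages | ForEach-Object { "$($_.FriendlyName) ($($_.Value))" })
        $result.Purposes = [string]::Join('; ', $names)
        # This is the condition behind PkixKpServerAuthNotFoundInEnhancedKeyUsage:
        # an EKU is present but Server Authentication is not among its OIDs
        $match = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid }
        $result.ServerAuth = ($match -ne $null)
    }
    return $result
}

# Check every certificate in the computer's Personal store, which is where Exchange looks
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ServerAuthEku $_ } |
    Format-Table Thumbprint, EkuPresent, ServerAuth, Purposes -AutoSize

# Or inspect an issued file before importing it, e.g. the thread's C:\certnew.cer:
# Test-ServerAuthEku (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certnew.cer')
```

A certificate that shows EkuPresent True and ServerAuth False is exactly the case the thread's error describes; one issued from the Web Server template should show Server Authentication (1.3.6.1.5.5.7.3.1) under Purposes.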
Aloha!! Import-ExchangeCertificate worked when I got a certificate issued from one of the production CAs I have in the office. Thanks a ton Xiu. It doesn't end here yet. I still could not connect Outlook through RPC over HTTP. Outlook says: "There is a problem with the proxy server's security certificate. The security certificate is not from a trusted certifying authority." I guess I know what that means. I did confirm the new certificate has been installed in IIS. I will soon open another thread for these problems :D.
April 10th, 2009 7:46am
It's my pleasure. :) Meet you in the new thread.
Regards,
Xiu
April 10th, 2009 7:54am