Error generating Certificate Request in New-ExchangeCertificate

It has been quite a long time since I posted something on my blog. The reason was, and still is, a lack of time caused by combining work and study! I will try to make up for it as soon as possible, but this problem is something very interesting; I couldn't find anything about it on the Internet, so I thought writing it up could save somebody the time of dealing with it!

I came across this problem while generating a new certificate request in the Exchange 2007 Management Shell using the New-ExchangeCertificate cmdlet.

You will someday be in the situation where your certificate (self-signed or signed by a third party) needs to be replaced with a new one. You will then probably use the same command you used to generate the old certificate request to create the new one, as I did, and it looks something like this:

New-ExchangeCertificate -DomainName mbx.somedomain.com,edge.somedomain.com `
    -IncludeAcceptedDomains `
    -FriendlyName SomeDomain -GenerateRequest:$true `
    -Path c:\temp\somedomain.local.req `
    -PrivateKeyExportable:$true `
    -SubjectName "c=DE, o=Some Domain Owner, CN=SomeDomain.com"

But instead of a generated request file, you get the following error message:

New-ExchangeCertificate : The file or directory
c:\temp\somedomain.local.req was not found, or
you do not have sufficient rights to write to it. At line:1 char:24
+ New-ExchangeCertificate <<<< -DomainName
mbx.somedomain.com, edge.somedomain.com
-IncludeAcceptedDomains -FriendlyName SomeDomain
-GenerateRequest:$True
-path c:\temp\somedomain.local.req
-privatekeyExportable:$true -subjectName
"c=DE, o=Some Domain Owner, CN=SomeDomain.com"

As you can see, this error message suggests that "you do not have sufficient rights to write" to the file, which is absolutely ridiculous. If you are immediately thinking that I didn't run the Exchange Management Shell as Administrator: I did :) Even funnier is that the cmdlet did create a "new" request file of 0 KB, which means there are of course sufficient permissions.

All along I suspected that some other problem had occurred while generating the request file and that, as a result, the cmdlet simply returned this completely inappropriate error message ... and I was right! The actual problem was the IncludeAcceptedDomains switch parameter!
The purpose of the IncludeAcceptedDomains switch is to add all accepted domains from Organization Configuration > Hub Transport in the Exchange Management Console to the domain names already given with -DomainName. So the resulting certificate or request will contain the union of the two lists.

After looking at the accepted domains in Hub Transport, I saw one very strange "domain name" added as an External Relay domain: it contained only the wildcard "*".
Of course, such a "domain name" is not a valid domain name in a certificate request, and it is not allowed to be used for certification either.

So if you are getting the same or a similar error message from the Exchange Management Shell, do not believe it! Obviously, Microsoft's Exchange team didn't spend much time on correct error handling, so the only solution is to check EVERY single parameter that you are using to make sure that everything is correct.

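As an added example (not code from the original post), here is one way to do that check for the IncludeAcceptedDomains case: build the same domain list the switch would merge in from Get-AcceptedDomain, drop any entry that cannot be a certificate name (such as the bare "*" external relay domain), and pass the filtered union explicitly to New-ExchangeCertificate. It assumes an Exchange 2007 Management Shell and that casting the accepted domain's DomainName to a string yields the plain name.

```powershell
# Added example (not from the original post). Assumes an Exchange 2007
# Management Shell where Get-AcceptedDomain and New-ExchangeCertificate
# are available, and that [string]$ad.DomainName yields the plain name
# (e.g. "somedomain.com", "*.somedomain.com" or the bare "*").

function Get-CertificateSafeDomainList {
    param([string[]]$ExplicitDomains)   # names that must always be in the request

    $names = @($ExplicitDomains)

    # The same accepted domains -IncludeAcceptedDomains would merge in
    # (Organization Configuration > Hub Transport), checked one by one.
    foreach ($ad in Get-AcceptedDomain) {
        $name = [string]$ad.DomainName
        # Only a leading "*." wildcard is a usable certificate name; a bare "*"
        # (or any other "*" placement) makes the request generation fail.
        if ($name -eq '*' -or ($name -match '\*' -and $name -notmatch '^\*\.[^*]+$')) {
            Write-Warning "Skipping accepted domain '$name' ($($ad.DomainType)): not a valid certificate name"
            continue
        }
        $names += $name
    }

    # Deduplicate case-insensitively while keeping the original order.
    $seen = @{}
    $result = @()
    foreach ($n in $names) {
        $key = $n.ToLowerInvariant()
        if (-not $seen.ContainsKey($key)) { $seen[$key] = $true; $result += $n }
    }
    return ,$result
}

$domains = Get-CertificateSafeDomainList -ExplicitDomains 'mbx.somedomain.com','edge.somedomain.com'
Write-Host "Requesting certificate for: $($domains -join ', ')"

# The request from the post, but with the union computed and filtered above
# passed explicitly instead of using -IncludeAcceptedDomains.
New-ExchangeCertificate -DomainName $domains `
    -FriendlyName SomeDomain -GenerateRequest:$true `
    -Path c:\temp\somedomain.local.req `
    -PrivateKeyExportable:$true `
    -SubjectName "c=DE, o=Some Domain Owner, CN=SomeDomain.com"
```

The warning line tells you exactly which accepted domain would otherwise have been merged into the request, which is the information the original error message hides.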
Posted Feb 13 2009, 02:17 PM by Armin Kalajdzija
developers.de is a .Net Community Blog powered by daenet GmbH.