by lunarg on June 21st 2016, at 15:31

Even when using Exchange SSL certificates that are signed by an internal CA, you will still occasionally have to renew them. Using EAC (https://your-exchange-server/ecp), this should be pretty straightforward, or is it?

After logging on to EAC, and navigating to "Servers" → "Certificates", select the expired certificate, then on the right pane, you can click "Renew" to generate a certificate signing request with all the proper SANs. This CSR can then be used with your internal CA to sign the request and generate a new certificate.

Unfortunately, you will most likely hit a snare: the CSR generated by the Exchange server does not contain any certificate template information, as Exchange assumes that you will use the CSR to generate a trusted certificate (i.e. a certificate signed by a trusted CA, such as GlobalSign or RapidSSL). When attempting to submit the CSR, you will get an error like:

The request contains no certificate template information 0x80094801 (-2146875391). Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the Certificate Template request attribute.

You can work around the issue by submitting the request from the command line using certreq. This allows you to specify which certificate template to use during the submission of the request:

certreq -submit -attrib "CertificateTemplate:WebServer" my_request.txt

Running the command will prompt you to select the CA to submit the request to, then prompt for a location to save the new certificate to. Use that file to "complete" the certificate renewal on the EAC. Finally, when the renewal was succesful, you can delete the expired certificate. If you have more than one Exchange server, repeat the process on the other servers.