I am running Altn-N's MDaemon e-mail server on W2K3. I want to replace the self-signed certs that I'm using for SSL for IMAP/SMTP/web-email. Following the procedure set out by George Ou in his (former) ZDNet blog, I generated a CSR using certreq.exe using the following parameters: NewRequest Subject='CN=mail.company.c om,C=GB' KeyLength=2048 MachineKeySet=TRUE Silent=TRUE Exportable=TRUE Am I crazy, or should that C=GB really be C=US - isn't GB Great Britain? - anyway, this is what I used the first time. I went to GoDaddy and bought a TurboSSL cert.
Comodo Silent Installation Command Line
I fed in the CSR text I generated and when it asked what application I needed the cert for, I picked 'Other', as the options were all web servers. I retrieved the cert, opened MMC with the Certificates snap-in (Computer/Local Machine) and imported the cert (to the Personal store). When I first viewed the cert properties, it was obvious things weren't right. I subsequently figured out that I didn't have GoDaddy in the CA Root list. I installed the root and the intermediate certs from their web site. Now Windows recognized the cert.
BUT, when viewing the cert's properties, it does NOT say 'You have a private key that corresponds to this certificate' like the self-signed certs do. And, if I try to export the cert, the export wizard jumps right over the dialog asking if I want to export the private key. AND MDaemon won't 'see' the certificate. The MDaemon docs say 'MDaemon will only display certificates that have private keys using the Personal Information Exchange format (PKCS #12). If your imported certificate does not appear in the list then you may need to import a.PEM file, which contains both a certificate key and private key.
Importing this file using the same process outlined above will convert it to the PKCS #12 format.' So to me, all this says that for some reason, the private key is not being associated with the certificate.
Can anyone tell me what I'm doing wrong, not doing, need to do, etc? I did try re-keying the cert, generating a new CSR with the following info: NewRequest Subject='CN=mail.company.c om;L=Wichi ta;S=Kansa s;C=US' EncipherOnly=FALSE KeySpec=1 KeyLength=2048 MachineKeySet=TRUE Silent=TRUE Exportable=TRUE and selecting IIS as the application, but I get the same results. I'd really appreciate any help that anyone could offer. Well, I managed to find the solution by myself, although I can't entirely say I understand why I had to do this: I found the following (seemingly unrelated) document: 'Install certificate after deleting the pending certificate request' Whatit basically tells you is how to re-associate a private key that is in thecertificate store with an installed certificate. This particulardocument is about how deleting a 'pending request' also deletes theassociation of a private key with a certificate for IIS. Byusing certutil.exe to add my cert to the store, then having certutilrepair the store using the thumbprint of the certificate, it found andassociated the private key and all was well. The certificate properties tells me I have a private key associated with the cert, my mail server sees thecert, and IMAP via SSL works like a charm.