07 September 2012

Renew Exchange 2010 Certificate generates a binary file - conversion to base64 tips



When renewing an SSL certificate for Exchange 2010, the process is fairly straightforward and there are plenty of sites to give advice on how to do this. Two sites to consider would be Technet and Go Daddy and the steps are summarised as follow -

  1. In the console tree, click Server Configuration
  2. Select the server that contains the certificate, and then select the certificate you want to renew. 
  3. In the action pane, click Renew Exchange Certificate
  4.  On the Renew Exchange Certificate page, select the services you want to assign to the renewed certificate. The services that are checked are currently assigned to the certificate. 
  5.  When you click Assign, the Progress page will confirm your selections and try to renew the certificate. 
  6.  Click Yes to overwrite the existing certificate with the renewed certificate. 
  7.  The Completion page will display the status of the request in addition to the syntax of the cmdlet needed to renew the certificate. 
Of course, it's never this easy and in my experience running a certificate renewal in Exchange 2010 generates a binary file (.req) that can't be easily copied and pasted into a web interface on the CA's side. In the past one would simply use Open With --> Notepad to get the certificate information but now Exchange 2010 generates the REQ file as binary and typically the file contents look like this:

Binary format:
0é♦k0é♥S☻☺ 0[1

When they should look something like this:

Base64 format:
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIEazCCA1MCAQAwWzEaMBgGA1UECgwRd2VibWFpbC5wZmsuY28uemExITAfBgNV
BAsMGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDEaMBgGA1UEAwwRd2VibWFpbC5w
ZmsuY28uemEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLjyTxu5Z/
<snip>
LndlYm1haWwucGZrLmNvLnphghhwZmtkYm5leGNoMDEucGZrc2EuY28uemGCGGF1
dG9kaXNjb3Zlci5wZmtzYS5jby56YYIWYXV0b2Rpc2NvdmVyLnBmay5jby56YTAM
BgNVHRMBAf8EAjAAMB0GA1UdDgQWBBSdCGqQh1ui1NbZZ2bMEZNz5Q7MujANBgkq
hkiG9w0BAQUFAAOCAQEAjyY0tEQvX3JLI0cVULQdX7lX1I9rR7R5qivVMtRoiwYS
+HVdK7odmzTuDAlCisX1qCmdUpmtIK1/ldMEF3yTgNqrvtttxofxpkqg3NGec3cr
<snip>
jhwHn51Sv3hbkUIU30swTP3T7dkhgMxj2JX2AhilqA==
-----END NEW CERTIFICATE REQUEST-----

In order to get the binary to base64 you need to convert it. There are various methods to do this and I have used both online tools and websites and the Command Prompt to achieve this, with the Command Prompt certainly being the far easier method to accomplish this (especially since it inserts the "BEGIN CERTIFICATE" and "END CERTIFICATE" header and footer automatically... making it a much more 'pure' conversion).




  1. Just upload the file, upload the .REQ file, click convert to source data button and grab the output. 
  2. Paste contents to your favourite text editor
  3. Add the header and footer (both must be on separate lines) and then you're good to go!
The header must be a line on its own at the top as so:

-----BEGIN CERTIFICATE-----

And the footer must be a line on its own at the bottom as so:

-----END CERTIFICATE-----




Using the Command Prompt (preferred method):


certutil -encode (req filename) (target filename)

e.g. 







You can then copy this file's contents and paste it to the appropriate CA's webform to complete the certificate request!


2 comments:

Bin Xc said...

in your blog there is coding structures and your blog is good...but there is need to more information to describe.

Binary Option Strategy

Brian Kozma said...

Thank you! I needed the certutil -encode part to save a ton of time, I really appreciate it!