Your Exchange certificate is about to expire, so you initiate a standard process to renew it. It's only a 5 minute job as that's how long it took last time, right?
Well, no. All is fine until you try to renew the existing certificate. The easiest way to initiate the renewal is by using the Renew option in the Exchange Admin Center.
The current certificate is the one selected in the below screenshot, and the renew option is indicated on the right hand side with the red arrow.
So let's try to renew the certificate. This is the one listed as "CN=GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US". This is our main certificate and, as you can infer, it is issued by a third-party CA, in this case DigiCert.
We start the process, selecting a standard UNC location. The path and the other details are all correct and valid. How do we know that? Because that's what we have documented, and we follow our approved process.
In the example below, we are not doing anything fancy. The CSR request will be saved to a file named cert.req in a folder on the local server's C:\ drive. We need to use a UNC path, and that is expected as that allows us to manage the process across multiple servers remotely.
The full path in this example:
\\exch-3\C$\Certs\Tail\2021\cert.req
All good so far. We followed our documentation and then we run into the error shown below - The friendly name is too long.
For the search engines, the full error text is:
A special Rpc error occurs on server <servername> The friendly name is too long. The maximum allowed length is 63 characters.
Hmmm. Let's take a look at this certificate and see what Exchange shows us. Up until now there were no issues, and the certificate has been working just fine.
Get-ExchangeCertificate
Get-ExchangeCertificate -Thumbprint 34B18F6F914747FE8D2FC930CEDD03D40D190DA3 | Format-List
That all looks normal. Interestingly though, there is no "Friendly Name" property displayed, at least as far as Exchange is concerned with the standard output.
You could change the command and run the below to show FriendlyName. Note that an asterisk was appended.
Get-ExchangeCertificate -Thumbprint 34B18F6F914747FE8D2FC930CEDD03D40D190DA3 | Format-List *
Since there is no Set-ExchangeCertificate or Update-ExchangeCertificate cmdlet, let's switch gears and use Windows PowerShell. Open up PowerShell as an administrator, then navigate to the certificate store.
Set-Location Cert:\LocalMachine\MY
The prompt changes to the new location Cert:\LocalMachine\MY>
Then look at the certificate properties.
Get-Item 34B18F6F914747FE8D2FC930CEDD03D40D190DA3 | Format-List
Note the "Friendly Name" property is empty. When the certificate was requested outside of Exchange, the friendly name was omitted and Exchange shows us the Issuer property in lieu.
In this case, the issuer string is too long and that is causing our issue.
We need to fix that.
The issuer value is shown in both the highlighted areas below, and is also listed on the pop-up window when you click to renew the certificate.
Setting Friendly Name Property Using PowerShell
It's a straightforward fix. We need to update the FriendlyName property of the relevant certificate.
For this example the certificate thumbprint is 34B18F6F914747FE8D2FC930CEDD03D40D190DA3 so from the previously opened Windows PowerShell we can save that certificate into a variable called $Certificate.
Once we have that variable, then it is a simple matter of updating the FriendlyName property with the desired value. In our example we will call it "Tailspin Wildcard".
$Certificate = Get-Item 34B18F6F914747FE8D2FC930CEDD03D40D190DA3
$Certificate.FriendlyName = "Tailspin Wildcard"
Now that we have updated the FriendlyName property, let's verify the change.
Get-Item 34B18F6F914747FE8D2FC930CEDD03D40D190DA3 | Format-List
Excellent, the FriendlyName value has been replaced, as we can see in PowerShell.
The same is also true after we refresh the Exchange Admin Center. The red boxes indicate that we now refer to this certificate as "Tailspin Wildcard".
You may want to repeat these steps on additional servers where the certificate is installed.
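To repeat the fix on several servers in one pass, the steps above can be wrapped in a remote script block. This is an added example, not part of the original post: it assumes PowerShell remoting is enabled, the server name exch-4 is hypothetical, and the 63-character limit is taken from the error text above.

```powershell
# Added example: set FriendlyName for one certificate on several servers
# and report what each server had before the change.
$Thumbprint   = '34B18F6F914747FE8D2FC930CEDD03D40D190DA3'
$FriendlyName = 'Tailspin Wildcard'
$Servers      = 'exch-3', 'exch-4'   # exch-4 is a hypothetical second server
$MaxLength    = 63                   # limit quoted in the Exchange error message

# Refuse a new name that would trigger the same error again.
if ($FriendlyName.Length -gt $MaxLength) {
    throw "FriendlyName is $($FriendlyName.Length) characters; maximum is $MaxLength."
}

$Results = Invoke-Command -ComputerName $Servers -ScriptBlock {
    param($Thumbprint, $FriendlyName, $MaxLength)

    $Path = "Cert:\LocalMachine\My\$Thumbprint"
    if (-not (Test-Path $Path)) {
        # Certificate is not installed on this server; nothing to change.
        return [pscustomobject]@{ Server = $env:COMPUTERNAME; Status = 'NotFound' }
    }

    $Cert = Get-Item $Path
    $Old  = $Cert.FriendlyName
    # With an empty FriendlyName, Exchange shows the issuer instead, so the
    # issuer is the string whose length matters for the renewal.
    $Effective = if ([string]::IsNullOrEmpty($Old)) { $Cert.Issuer } else { $Old }

    if ($Old -ne $FriendlyName) { $Cert.FriendlyName = $FriendlyName }

    [pscustomobject]@{
        Server         = $env:COMPUTERNAME
        Status         = if ($Old -eq $FriendlyName) { 'Unchanged' } else { 'Updated' }
        PreviousName   = $Old
        PreviousLength = $Effective.Length
        WasTooLong     = $Effective.Length -gt $MaxLength
        NotAfter       = $Cert.NotAfter
    }
} -ArgumentList $Thumbprint, $FriendlyName, $MaxLength

$Results | Format-Table Server, Status, PreviousLength, WasTooLong, NotAfter
```

A Status of NotFound means the thumbprint is not in that server's LocalMachine\My store, so that server has nothing to fix.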
Back To Where We Started
Now that we have a much shorter Friendly Name, let's try to renew the certificate. All of the parameters are the same, all that changed was that we provided a shorter Friendly Name and refreshed the Exchange Admin Center so that it processed the change.
Clicking OK this time worked. The Certificate Signing Request was successfully created at the assigned location.
In the Exchange Admin Center we can see that there is an additional certificate which has the "Pending Request" status.
Excellent, so we are back in business and can move onto completing the process.
Cheers,
Rhoderick
Hello,
There may not be Set-ExchangeCertificate or Update-ExchangeCertificate or some other fitting cmdlets, but it can be done by using Get-ChildItem.
This is the source:
https://dscottraynsford.wordpress.com/2017/06/09/change-the-friendly-name-of-a-cert-with-powershell/
Hope to have helped,
Chris
Hello Rhoderick
Thank you for your guide it was really helpful.
best
Richard
Thank you for this tutorial.
Regards
Andreas
This worked for me. Thank you so much for it.
Many thanks for tutorial, it solved my problem!
Excellent, it solved my problem. Thanks.