
Unable To Renew Exchange Certificate – Friendly Name Is Too Long

Your Exchange certificate is about to expire, so you initiate the standard process to renew it.  It's only a 5-minute job, as that's how long it took last time, right?

Well, no.  All is fine until you try to renew the existing certificate.  The easiest way to initiate the renewal is by using the Renew option in the Exchange Admin Center.

The current certificate is the one selected in the below screenshot, and the renew option is indicated on the right hand side with the red arrow.

Renew 3rd Party Certificate In Exchange Admin Center

So let's try to renew the certificate.  This is the one listed as "CN=GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US".  This is our main certificate and, as you can infer from that name, it is issued by a third-party CA, in this case DigiCert.

We start the process, selecting a standard UNC location.  The path etc. is all correct and valid.  How do we know that?  Because that's what we have documented, and we follow our approved process.

In the example below, we are not doing anything fancy.  The certificate signing request (CSR) will be saved to a file named cert.req in a folder on the local server's C:\ drive.  We need to use a UNC path, and that is expected as it allows us to manage the process across multiple servers remotely.

The full path in this example:

\\exch-3\C$\Certs\Tail\2021\cert.req

Renew 3rd Party Certificate In Exchange Admin Center - Select Location To Save Certificate Signing Request

All good so far.  We followed our documentation and then we run into the error shown below - The friendly name is too long.

Renewal Failed - A special Rpc error occurs on server <servername> The friendly name is too long. The maximum allowed length is 63 characters

For the search engines, the full error text is:

A special Rpc error occurs on server <servername> The friendly name is too long. The maximum allowed length is 63 characters.

Hmmm.  Let's take a look at this certificate and see what Exchange shows us.   Up until now there were no issues, and the certificate has been working just fine.

Get-ExchangeCertificate
Get-ExchangeCertificate -Thumbprint 34B18F6F914747FE8D2FC930CEDD03D40D190DA3 | Format-List

Viewing Certificate Properties in Exchange Management Shell - Note That There Is No Friendly Name Attribute

That all looks normal.  Interestingly though, there is no "Friendly Name" property displayed, at least not in the standard output of Get-ExchangeCertificate.
You can change the command and run the below to show FriendlyName; note that the asterisk was appended to Format-List so that all properties, not just the default set, are displayed.

Get-ExchangeCertificate -Thumbprint 34B18F6F914747FE8D2FC930CEDD03D40D190DA3 | Format-List *

Viewing Certificate Properties in Exchange Management Shell - Friendly Name Attribute Now Displayed

Since there is no Set-ExchangeCertificate or Update-ExchangeCertificate cmdlet, let's switch gears and use Windows PowerShell.  Open up PowerShell as an administrator, then navigate to the local machine's personal certificate store.

Set-Location Cert:\LocalMachine\MY

The prompt changes to the new location Cert:\LocalMachine\MY>

Then  look at the certificate properties.

Get-Item 34B18F6F914747FE8D2FC930CEDD03D40D190DA3 | Format-List

Viewing Certificate Properties in Windows PowerShell - Friendly Name Attribute Is Present

Note that the "Friendly Name" property is empty.  When the certificate was requested outside of Exchange, the friendly name was omitted, and Exchange shows us the Issuer property in lieu of it.

In this case, the issuer string "CN=GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US" is 67 characters, which exceeds the 63-character limit from the error message, and that is what is causing our issue.

We need to fix that.

The issuer value is shown in both the highlighted areas below, and is also listed on the pop-up window when you click to renew the certificate.

Issuer Value Displayed In Multiple Locations - This Is Not A Pretty Name To Look At

Setting Friendly Name Property Using PowerShell

It's a straightforward fix.  We need to update the FriendlyName property of the relevant certificate.

For this example the certificate thumbprint is 34B18F6F914747FE8D2FC930CEDD03D40D190DA3, so from the previously opened Windows PowerShell (still located in Cert:\LocalMachine\MY) we can save that certificate into a variable called $Certificate.

Once we have that variable, then it is a simple matter of updating the FriendlyName property with the desired value.  In our example we will call it "Tailspin Wildcard".

$Certificate = Get-Item 34B18F6F914747FE8D2FC930CEDD03D40D190DA3
$Certificate.FriendlyName = "Tailspin Wildcard"

Updating FriendlyName Property of Certificate in Windows PowerShell

Now that we have updated the FriendlyName property, let's verify the change.

Get-Item 34B18F6F914747FE8D2FC930CEDD03D40D190DA3 | Format-List

Verifying FriendlyName Property of Certificate in Windows PowerShell

Excellent, the FriendlyName value has been set, as we can see in PowerShell.

The same is also true after we refresh the Exchange Admin Center.  The red boxes indicate that we now refer to this certificate as "Tailspin Wildcard".

New Friendly Name Is Now Visible In Exchange Admin Center

You will want to repeat these steps on each additional server where the certificate is installed.  The friendly name is a property held in each machine's certificate store rather than part of the certificate itself, so setting it on one server does not change what the other servers display.
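The diagnosis and fix above, rolled into one script as an added example (this is not code from the original post).  It reproduces the logic Exchange applies when it has no friendly name to work with: for each server it measures the name that would be displayed (FriendlyName if set, otherwise the Issuer DN) against the 63-character limit from the error, sets the short friendly name, and re-reads the store to confirm the change persisted.  The thumbprint and "Tailspin Wildcard" value are the ones from the post; the server names are hypothetical, and it assumes PowerShell Remoting is enabled and that you run it from an elevated prompt with local administrator rights on each server.

```powershell
# Added example, not from the original post.  Sets a short FriendlyName on the
# certificate identified by $Thumbprint on one or more Exchange servers, so the
# EAC renewal no longer falls back to the (too long) Issuer DN.
# Assumptions: $Servers is a hypothetical list, WinRM is enabled, and the prompt
# is elevated with local admin rights on every server listed.

$Thumbprint   = '34B18F6F914747FE8D2FC930CEDD03D40D190DA3'
$FriendlyName = 'Tailspin Wildcard'
$Servers      = @('exch-1', 'exch-2', 'exch-3')   # hypothetical server names
$MaxLength    = 63                                # limit quoted in the renewal error

# Exchange enforces the 63-character limit, so reject a replacement name that
# would trip the very same error.
if ($FriendlyName.Length -gt $MaxLength) {
    throw "FriendlyName '$FriendlyName' is $($FriendlyName.Length) characters; maximum is $MaxLength."
}

$Fix = {
    param($Thumbprint, $FriendlyName, $MaxLength)

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }

    if (-not $cert) {
        return [pscustomobject]@{
            Server = $env:COMPUTERNAME; Found = $false
            Before = $null; TooLong = $null; After = $null
        }
    }

    # EAC displays FriendlyName when it is set and the Issuer DN otherwise;
    # that displayed string is what the renewal measures against the limit.
    $before  = if ([string]::IsNullOrEmpty($cert.FriendlyName)) { $cert.Issuer } else { $cert.FriendlyName }
    $tooLong = $before.Length -gt $MaxLength

    if ($cert.FriendlyName -ne $FriendlyName) {
        # Assigning the property on an object from the Cert: provider writes
        # it back to the machine store (this needs local admin rights).
        $cert.FriendlyName = $FriendlyName
    }

    # Re-read from the store rather than trusting the in-memory object.
    $after = (Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint").FriendlyName

    [pscustomobject]@{
        Server  = $env:COMPUTERNAME
        Found   = $true
        Before  = $before
        TooLong = $tooLong
        After   = $after
    }
}

$results = foreach ($server in $Servers) {
    if ($server -eq $env:COMPUTERNAME) {
        # Local server: run the script block directly.
        & $Fix $Thumbprint $FriendlyName $MaxLength
    } else {
        Invoke-Command -ComputerName $server -ScriptBlock $Fix `
            -ArgumentList $Thumbprint, $FriendlyName, $MaxLength
    }
}

# Any row with TooLong = True and After = 'Tailspin Wildcard' was the failing
# case and is now fixed; Found = False means the cert is not in that store.
$results | Format-Table Server, Found, TooLong, Before, After -AutoSize
```

After it runs, refresh the Exchange Admin Center on each server before retrying the renewal, exactly as in the single-server walkthrough above.  Servers reporting Found = False do not have the certificate in their LocalMachine\My store and are not affected by this error.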

Back To Where We Started

Now that we have a much shorter Friendly Name, let's try to renew the certificate.  All of the parameters are the same; all that changed is that the certificate now has a short Friendly Name and we refreshed the Exchange Admin Center so that it picked up the change.

Take Two - Renewing Exchange Certificate With Updated Friendly Name

Clicking OK this time worked.  The Certificate Signing Request was successfully created at the assigned location.

In the Exchange Admin Center we can see that there is an additional certificate which has the "Pending Request" status.


Excellent, so we are back in business and can move onto completing the process.

Cheers,

Rhoderick

Rhoderick Milne [MSFT]

6 Comments

  1. Hello Rhoderick

    Thank you for your guide it was really helpful.

    Best,
    Richard
