
According to the MSDN article Renew an Exchange Certificate, I'm supposed to use

Get-ExchangeCertificate -Thumbprint 'AD19B141228C7CF98B5F78DCED978B7C45E15434' | New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true

This will generate a CSR for me, which I send to our SSL certificate reseller through their SSL certificate renewal website. That site then promptly returns the following error:

[20022] CSR Country code invalid

Which isn't surprising, because the CSR doesn't contain any country code as far as I can tell.

In the past years, I've just bought a new certificate and replaced the old one. But I'd really like to understand what's going wrong with this renewal process.

Falcon Momot
Oliver Salzburg

1 Answer


As far as I know, this is supposed to grab your existing certificate, and make a new CSR with the same information (and I think a new key?).

Take a look at the output of Get-ExchangeCertificate and see if it contains a country code (C=XX appears in the subject DN of the certificate where XX is a 2-letter country code). If it does not, your old certificate didn't have one and you should make a new one with it. If it does, you might have found a bug and you won't be able to use this method.

Either way, it seems you should create a fresh new CSR.

Falcon Momot
  • Indeed. The Subject doesn't contain a country code either. Which is confusing, since I bought this certificate from the same reseller. So they're issuing certificates without a country code and then require it to be present when you renew? That's a bit confusing – Oliver Salzburg Mar 17 '14 at 11:20
  • They may have changed their policy to better align with that of other CAs, or they might just be applying it inconsistently. – Falcon Momot Mar 17 '14 at 11:22
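
The check and the fresh request described in the answer above, as an added PowerShell example that is not part of the original thread. `Get-SubjectRdn` is a hypothetical helper, and the output path, country and organization values are constructed placeholders.

```powershell
# Added example: run in the Exchange Management Shell.
$thumb   = 'AD19B141228C7CF98B5F78DCED978B7C45E15434'  # thumbprint from the question
$reqPath = 'C:\Temp\exchange-renewal.req'               # assumed output path

function Get-SubjectRdn {
    # Hypothetical helper: returns the value of one RDN type (e.g. 'C', 'CN')
    # from a subject DN string, or $null when that type is absent.
    param(
        [Parameter(Mandatory=$true)][string]$Subject,
        [Parameter(Mandatory=$true)][string]$Type
    )
    $dn = New-Object System.Security.Cryptography.X509Certificates.X500DistinguishedName $Subject
    # Format($true) prints one RDN per line, so commas inside values do not matter.
    foreach ($line in ($dn.Format($true) -split "`r?`n")) {
        if ($line -match ('^\s*' + [regex]::Escape($Type) + '=(.+?)\s*$')) { return $Matches[1] }
    }
    return $null
}

# Step 1: does the existing certificate's subject DN carry a C=XX component?
$old        = Get-ExchangeCertificate -Thumbprint $thumb
$oldCountry = Get-SubjectRdn -Subject $old.Subject -Type 'C'
if ($oldCountry -match '^[A-Za-z]{2}$') {
    Write-Host "Old subject has C=$oldCountry; the renewal request should have carried it over."
} else {
    Write-Host "Old subject has no valid country code: $($old.Subject)"
}

# Step 2: build a fresh request with an explicit subject. Country and
# organization are constructed placeholders; replace them with your own values.
$cn      = Get-SubjectRdn -Subject $old.Subject -Type 'CN'
$subject = "C=US, O=Example Org, CN=$cn"
$domains = @($old.CertificateDomains | ForEach-Object { $_.ToString() })

$csr = New-ExchangeCertificate -GenerateRequest -SubjectName $subject `
    -DomainName $domains -PrivateKeyExportable $true
Set-Content -Path $reqPath -Value $csr

# Step 3: confirm the request really contains C= before submitting it to the CA.
certutil -dump $reqPath | Select-String -Pattern '^\s*C='
```

If the last command prints nothing, the request still lacks a country code and the reseller's check will reject it again.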