Server 2008R2 - SSL Certificate Weak Public Key Strength

Similar Messages

• Message: Your Server's SSL certificate has expired. - Can no more login

  Hi,
  Since yesterday I can no more login into beehiveOnline via OBEE. Every time I try it the extension goes offline and tells me in a window that "Your Server's SSL certificate has expired.". If I try to relogin it takes some seconds but the window and message comes up again and again.
  It was working perfectly during the previous weeks, no issues at all. What do I have to do to get it solved?
  Thanks
  Volker

  Hello,
  I've set up OBEE for BeehiveOnLine usage today, without any issue (Monday 28 of June)
  May you retry please?
  Yesterday - Sunday - the system might be under maintenance.
  Thanks
  Fred

• The Server's SSL certificate has expired

  Hi,
  Today morning I accessed my mails with out any problems. After some time suddenly my outlook was disconnected and getting the message "The Server's SSL certificate has expired".Can any one help me out of this?
  Thanks,
  Prasad K

  Check if you have accidentally set your system date not to current.
  Edited by: user10788046 on Oct 22, 2010 8:16 PM

• SSL Certificate - No public Biztalk

  Hello !!
  I've been working with Biztalk since 2006 version, always doing some AS2, encryption and so on. It's the first time a customer requires to use a GoDaddy, Symantec, etc. SSL (in the past always self-signed ssl).
  My question is simple:  This biztalk server is not public, won't use a URL, just plain IP.  The guys at GoDaddy or Symantec does not understand what I'm asking for, they just keep asking what's the URL of the website.
  Can you give me any directions on how to work with this scenario? How do I request the SSL certificates for encryption and signing?
  Thank you!
  Victor

  You will have a problem with that which you might not be able to overcome.
  The names on the certificate used for TSL/SSL must match the host names used in the url either directly or by wildcard.
  However, no public vendor will sell you a total wildcard certificate and probably no public vendor will sell you an IP address based certificate because a particular address, 10.4.5.6 for example, can be used many, many times on different networks. 
  If you actually own that public address space, maybe, but it's unlikely you do.
  You have two realistic options:
  Assign the BizTalk endpoint a name in a DNS namespace you own and buy a certificate for that.  You don't actually have to register the host name, the clients can use a hosts file or equivalent.
  Continue to use self-issued certificates.
  One question, of the BizTalk Server is not public, how is the customer accessing it?  I don't need to know how, but it's an unusual request to require a public cert for an internal service.

• Jabber Guest server Local SSL certificate

  Hi , trying to download a local ssl certificate from jabberguest server and issued a 'generate a new self signed certificate' request. system shows 'a certificate signing request is being created, please wait' . unfortunetly its been like that for 2 days now - even after rebooting the server it still reports the same. (version is 10.5.3.115)....any advice appreciated.....TIA , Jeff

  Jeff,
  I had a look at my Jabber Guest server this morning and oddly enough I found the same thing as you did. I'm not sure when the server got into this state however I can say it has been fully functional. Anyway, there are two options that you generally should have.
  1) "Generate a New Self-Signed Certificate"
  2) "Create a New Certificate Signing Request"
  To restore these options I had to run the certificate scripts through the root of the system.
  1) cd /opt/cisco/webcommon/scripts/
  2) ./createcsr.sh   (This is for the Cert Signing Request)
  3) ./selfsigned.sh  (This is for the Self Sign)
  After running each script you'll need to run through the general certificate questions.
  I hope this helps.
  -P

• Server 3 / SSL Certificate / Open Directory - Problem!

  We've updated from Server 2 to Server 3 / OS X 10.9.
  We have an SSL certificate for server from Comodo.
  Under Server 2, all worked just fine, with the SSL certificate being used to secure all services (configure via Server app).
  Under Server 3, all works just fine, but Open Directory will not accept certificate - so Certificates / Settings in Server 3 app shows "Custom Configuration" for Settings - and on inspecting this it is because Open Directory set to be not secured but everything else is using SSL.
  I've tried setting the Open Directory to use the SSL, but when ever I do it simply bounces back to being unsecured.
  Does this matter?  Presumably it should be possible (as the standard setting appears to try and set Open Directory to use the SSL certificate), but not sure whether trying to fix is simply a fools errand.
  Anyone got any clues as to whether to fix or not, and if to fix, how?
  Thanks in advance.

  Have you check to see that the certificate is indeed "Trusted" by your server?
  Above, you stated that they're in the etc/certificates folder, but that doesn't mean that the server likes them.  You can create a "Self Signed" Certificate and still have certificates in there.  That doesn't mean that anyone else on the planet has to trust them.
  Open Keychain Access in your utilities folder.  Depending on how you have it configured, you may have to look around to find the certificate in question.  It may be under login, or System. 
  When you select your Certificate, if it's there, does it show as trusted?
  Another thing you can check...  Often times Certificate authories, use Intermdeiate certificates.  Since anyone can sell a certificate, in order to have it trusted, you need to have it signed by someone else.  A good example is Godaddy.  They sell both SSL and Code signing certificates of all flavours.  In order to get them to be trusted, the "Intermediate Certificate" needs to also be installed in the keychain.  My Godaddy cert looks to be trusted by Verisign via an intermediate.
  Have a look here...  https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid =1182
  Not sure if it's directly relevant, but there it is.
  The point is, I think you need to verify that your certificate is trusted by your server.  OD won't use an untrusted certificate. 
  --an afterthought--  Anything in the logs?
  Open up your server window where you try to select the certificate for OD.  Also, in another window open up the terminal.  In terminal, type:
  tail -f /var/log/system.log
  In the server window try to select the certificate and click done.  See what the output in terminal says.

• ArchiveLink security: sending public key certificate by SCMS_HTTP_PUT_CERT

  Hello!
  I have a question which I asked on ESA and Security forums and didn't get answer.
  I am trying to do a test program to check ArchiveLink security features. Namely, I am calling the function SCMS_HTTP_PUT_CERT which is supposed to send a public key certificate via HTTP. However, when I catch this call and want to import the certificate by using the function SSFC_PUT_CERTIFICATE, I get error message <i>SSF kernel error: invalid parameter</i>.
  Does anyone have experience with this?
  For more detailed description of my attempt, please see ArchiveLink security: sending public key certificate.
  Thanks and regards,
  Igor

  Hi
  SCMS_HTTP_PUT_CERT is used to send sap public key to Content server application. The  content server application makes use of this key to verify the incoming request ie the Content Server uses the public key to check URIs and signatures.
  SAP uses the Public/Private key security concept while communicating with Content server. Basically when SAP communicates with Content server it will be sending GET, PUT, POST requests. The URL from SAP will have field called secKey which contains the security key. secKey ensures that a URL cannot be changed after it has been generated by the SAP system. The private key is used by SAP to generate the secKey.
  The content server application will use the public key provided via SCMS_HTTP_PUT_CERT to check the URL and will be able to detect if the URL has been tampered.
  Refer SAP Content Server HTTP 4.5 Interface documentation  section Security for more details.
  http://help.sap.com/saphelp_nw04/helpdata/en/9b/e8c186eaf811d195580000e82deb58/frameset.htm
  Hope this helps
  Cheers,
  Samanjay
  Message was edited by:
          Samanjay Shenoy

• How to install SSL certificate on Mac OS X 10.8.3 Server 2.2

  Hi,
  In eairler versions of !0.8 / OS X Server 2.2 your where able to install a purchased SSl certificate in the
  Hardware >> Profile Manager Server >> Settings >> SSL Certificate Edit
  I've just done a clean install of 10.8.3 and OS X Server 2.2 but there is no  "SSL Certificate Edit" available.
  How do I install my purchased certificate?
  Thanks,
  John

  sorry for hijacking but I have a related question to do with certificates.
  I had to set up virtual domains manually instead of through the GUI and the server ssl site is now locked to a certificate that is about to expire and no longer needed, I can't change the certificate in the web gui because it was created manually, I can't delete the certificate because it is assigned to the server ssl website and I can't manually edit the conf files to point to a different certificate becasue it breaks it, any ideas?

• How Sign Message with Certificate (public key)?

  Hi, I need to to send Sign xml message by Certificate file (public key) and read sign message
  so how can i do it ??
  and i should have 2 public key ?? or what ??
  please help :)
  Thanks

  ejp has answered your question, but it seems you did not understand. This forum is not a good place to learn about public key cryptography and message encryption. You should already understand these fundamentals before asking questions here. This forum is about how to implement these crypto operations in the Java programming language. If you are cheap or poor, you can try googling for the more information; wikipedia is good starting point also. If you can afford it, I recommend you buy Practical Cryptography_ by Schneier.

• SSL Certificate & Local Access

  Hi everyone,
  I'm currently in the process of re-keying exchange with a new certificate.
  Currently, outlook clients have the following configuration:
  Mail Server: server01.domain.local
  HTTP Proxy: exchange.domain.com.au
  Therefore the current SSL is keyed for:
  Primary: exchange.domain.com.au
  Alternate: server01.internal.local, autodiscover.domain.com.au, autodiscover.internal.local
  With the old certificate, this is fine - however from November the 1st 2015 SSL authorities are allowing only external fully qualified domain names.
  Therefore the SSL can ONLY be key for:
  Primary: exchange.domain.com.au
  Alternate: autodiscover.domain.com.au
  This means that when connecting to exchange server01.domain.local I receive an error stating the the name on the certificate does not match the name of the host (because it's connecting locally).
  Is there any way of adjusting configuration in Exchange for users to connect to the external exchange.domain.com.au even though they are local? I would obviously need to update autodiscover etc also
  Cheers,
  Anthony

  There are two possible solutions using SSL certificate from public and pricate 
  1. Use ssl cert from public CA for public domain name (exchange.domain.com.au) on Reverse proxy servers like ISA or TMG for external access. and use Internal CA for internal names on exchnage server (server01.internal.loca)
  or
  2.You can create another site using separate NIC card on exchange server. Use Internal CA certificate on Default site and public CA certificate on New site.

• SSL Certificate Problem

  I finally took the plunge and brought our chat server back up to Leopard. I'm in an SSL mess right now.
  I got a new cert for the server from Thawte (got the ApacheSSL cert, which is what I had successfully used on Tiger Server.)
  I started the process by creating a new CSR in Server Admin (advanced server), sent the CSR to thawte, they signed and returned the cert. Went back to server admin, imported it, and it looks good!
  Well, I selected the cert in the iChat service and clients cannot login. They can login with the Default cert (but get the warning message).
  ...and we see the following in the iChat service log:
  Jan 7 07:27:48 chat jabberd/c2s[6453]: failed to load local SSL pemfile, SSL will not be available to clients
  So, I looked in /etc/certificates and it looks good:
  chat:certificates herb$ ls -la
  total 72
  drwxr-xr-x 12 root wheel 408 Jan 7 07:24 .
  drwxr-xr-x 124 root wheel 4216 Jan 7 07:25 ..
  -rw-r--r--@ 1 root wheel 0 Jan 5 13:35 .defaultCertificateCreated
  -rw-r--r-- 1 root wheel 660 Jan 5 13:35 Default.crt
  -rw-r----- 1 root certusers 1551 Jan 5 13:35 Default.crtkey
  -rw-r----- 1 root wheel 534 Jan 5 13:35 Default.csr
  -rw-r----- 1 root certusers 891 Jan 5 13:35 Default.key
  -rw-r--r-- 1 root wheel 1155 Jan 7 07:24 chat.northampton.edu.chcrt
  -rw-r--r-- 1 root wheel 1306 Jan 7 07:24 chat.northampton.edu.crt
  -rw-r----- 1 root certusers 2269 Jan 7 07:24 chat.northampton.edu.crtkey
  -rw-r----- 1 root wheel 720 Jan 5 14:09 chat.northampton.edu.csr
  -rw-r----- 1 root certusers 963 Jan 7 07:24 chat.northampton.edu.key
  I am really at a loss, any ideas?
  I notice that in the jabberd c2s.conf configuration file:
  <!-- File containing a SSL certificate and private key to use when
  setting up an encrypted channel with the router. If this is
  commented out, or the file can't be read, no attempt will be
  made to establish an encrypted channel with the router. -->
  <pemfile>/etc/certificates/Default.crtkey</pemfile>
  Now that is odd since I chose the chat.northampton.edu cert!
  Later in the file we do see references to the chat.northampton.edu cert so I left that entry alone. Later I read that first entry is okay the way it is.
  Any help appreciated!

  Here's how to get iChat Server working with a real SSL cert. Also, in my case users come from Open Directory (on a Novell eDirectory directory). So this solution kills 2 birds with one stone.
  1. Set up your server, in my case a new install. Install updates NOW, not later!!!!!!!
  2. In Server Admin, clicked Certificates, then the + sign to create a new cert.
  3. Fill in appropriate info, such as Common Name (DNS name of your server!), Organizational Unit, etc.
  4. Enter a 24 character passphrase. (Good security please!)
  5. Click Save, then second middle button to create a CSR.
  6. Drag the CSR icon into the place for the CSR on the thawte(Verisign, whatever) request page. Or email the CSR to them.
  7. Verify the CSR on the thawte(Verisign, whatever you're using) site. The information should match what you entered for Common Name, etc.
  8. Submit it to them for signing; get the reply from them.
  9. Go back into server admin | Certificates, select the my.domain.com cert, click the button and select "import signed..."
  10. Paste the response from thawte(Verisign, whatever) in there, then click save.
  You should now see that the cert is trusted and the certifying authority (thawte, etc) listed, where it used to say Self-signed.
  Fire up web services and see if it your new cert works for web. If it does, continue on.
  Your new cert may or may not work for Jabber. If it does, well you're done. If it doesn't...
  1. Ensure you've selected the cert for iChat in Server admin. (I know, it doesn't work yet.)
  2. Either Remote Desktop to your server and open Terminal or ssh in and get a prompt. BECOME ROOT!! sudo su -
  3. Take a look in /etc/certificates.
  4. You should see a my.domain.com.key file and a my.domain.com.crt file.
  Now using vi, pico, or whatever look at the .key file. Do you see DES encryption lines in there? If you do, your private key is encrypted with your passphrase.
  5. Make a copy of my.domain.com.key (Let's call it my.domain.com.jb)
  5a. Make a copy of my.domain.com.crt (Let's call it my.domain.com.crt.jb
  6. Decrypt the private key: (Remember you're root!) openssl rsa -in my.domain.com.jb -out my.domain.com.jb
  It will ask you for your passphrase.
  7. Create a new file containing your public key (my.domain.com.crt), and combine with the decrypted private key (my.domain.com.jb):
  cat my.domain.com.jb >> my.domain.com.crt.jb
  8. Rename my.domain.com.crt.jb to my.domain.com.crtkey.jb
  9. Change ownership of my.domain.com.crtkey.jb to root:jabber ( chown root:jabber my.domain.com.crtkey)
  Not done yet....
  10. Change perms / ownership of my.domain.com.jb to match your original .key file.
  EDIT /etc/jabberd/c2s.xml
  1. Amend the settings in the local section (under the ssl-port 5223 line) to:
  /etc/certificates/my.domain.com.crtkey.jb
  1a. I also commented out the cachain line in that area. You may not need to but I did.
  2. No matter how tempting, do NOT touch anything else at this time. Trust me.
  Leave the 0.0.0.0 IP's alone; where you see your Default cert, leave it be!
  Done editing.
  3. Restart ichat service (don't touch the settings in the Admin application)
  On the iChat client set connect using SSL, port 5223.
  All should work.
  To get OD logins to work, comment out cram-md5 authentication, like this:
  Hopefully the code comes out in the pose there. If not, it's the fix from the Apple:
  http://docs.info.apple.com/article.html?artnum=306749 (option 2)
  Thanks to MacTroll from AFP548, and Tim Harris at Apple Discussions for their collective pieces in solving this!!

• Unable to retrieve public key and signature.

  Hi,
  I'am trying to send public key and signature from one client to another via server.
  Both pub_key and signature are encrypted into base64. But i cant retrieve them correctly in server side.
  I'am using ECDSA to sign message key_length 224bit. Sending and retrieving data via sockets.
  SEND DATA FUNCTION Client.java
  private static PrintWriter      output_stream = null;
  private static Scanner      input_stream           = null;
  private static void send_message(String message)
       if(user_name != null
            && message_text_area.getText().equals(SERVER_CLOSED) == false
            && message_text_area.getText().equals(SERVER_CONNECTED) == false
            && message_text_area.getText().equals(MAX_USERS_ONLINE) == false
            && message_text_area.getText().equals(CONNECTION_CLOSED) == false
            && message_text_area.getText().equals(GET_USER) == false
            && message_text_area.getText().equals(REMOVE_USER) == false
            && message_text_area.getText().equals(USER_EXISTS) == false
            && message_text_area.getText().equals(USER_NICK) == false){   
           String signature = new BASE64Encoder().encode(ecdsa_parameters.sign_message(SESSION_KEY_PAIR.getPrivate(), message_text_area.getText().trim()));
           String public_key = new BASE64Encoder().encode(SESSION_KEY_PAIR.getPublic().getEncoded());
           if (signature != null && SESSION_KEY_PAIR != null){
            synchronized(output_stream)
                output_stream.println(USER_NICK);
                output_stream.println(user_name);
                output_stream.println(user_nick);
                output_stream.println(message_text_area.getText().trim());
                      //PUblic key and signature in base64
                      output_stream.println(public_key);     
                output_stream.println(signature);
                  //length and data of them
            System.out.println(public_key.length());
            System.out.println(signature.length());          
            System.out.println(public_key);
            System.out.println(signature);
            append_message(user_nick+": "+message_text_area.getText().trim());
            message_text_area.setText(null);
           }else{
            append_message("E_C_002: Unable to generate keys or signature.");
       }else{
           append_message("User is not selected or incorrect message");
      }HANDLER.JAVA (SERVER SIDE RETRIEVE)
  private Scanner           input_data           = null;
  private PrintStream      output_data           = null;
  if(recieved_data.equals(USER_NICK)){
                 String user_name = input_data.nextLine();
                 String user_nick = input_data.nextLine();
                 String message = input_data.nextLine();
                 String public_key = "";
                 for (int i=0; i<5; i++){
                     if(i == 0){
                      public_key = public_key+""+input_data.next();
                     }else{
                      public_key = public_key+"\n"+input_data.next();
                 String signature = "";
                 for (int i=0; i<2; i++){
                     if(i == 0){
                      signature = signature+""+input_data.next();
                     }else{
                      signature = signature+"\n"+input_data.next();
                          //output length and data of key and signature
                 System.out.println(public_key.length());
                 System.out.println(signature.length());
                 System.out.println(public_key);
                 System.out.println(signature);
                 Server.users_messages.addElement(user_name+""+SEPARATOR+""+user_nick+""+SEPARATOR+""+message+""+SEPARATOR+""+public_key+""+SEPARATOR+""+signature);               
            }It seems that length of key and signature in server side are different form client.
  Maybe I'am missing something that correspond sending data in base64????
  All project is here http://fmf.vtu.lt/~knugmanov/Elliptic%20curve%20cryptography%20instant%20messenger.rar
  (import into eclypse).
  For ECC I use iaik classes.
  Thanks in adv.
  Kiril

  here is a code from
  http://www.exampledepot.com/egs/java.security/GetKeyFromKs.html
  This example retrieves from a keystore, the private and public key associated with an alias.
  private and public key are having the same alias ?
  i know a alias for my key but i believe thats for private key not for public key ......is it true that both private and public key have the same alias ?
  and KeyPair is an interface and so its difficult to get a key out of it
  public KeyPair getPrivateKey(KeyStore keystore, String alias, char[] password) {
          try {
              // Get private key
              Key key = keystore.getKey(alias, password);
              if (key instanceof PrivateKey) {
                  // Get certificate of public key
                  java.security.cert.Certificate cert = keystore.getCertificate(alias);
                  // Get public key
                  PublicKey publicKey = cert.getPublicKey();
                  // Return a key pair
                  return new KeyPair(publicKey, (PrivateKey)key);
          } catch (UnrecoverableKeyException e) {
          } catch (NoSuchAlgorithmException e) {
          } catch (KeyStoreException e) {
          return null;
      }Message was edited by:
  Unknown_Citizen
  Message was edited by:
  Unknown_Citizen
  Message was edited by:
  Unknown_Citizen

• Get Modulus and exp from public key

  Hi friends,
  I'm extracting the public key from the X.509 certificate .Is there
  any way i can extract modulus and exponent from the public
  key. i'm using bouncy castle api . Any suggestions are greatly appreciated.
  //Generate Certificate
  //Extract public key
  PublicKey merchKey = cert.getPublicKey();
  //Pls suggest the way to extract mod and exp from public key
  Regards
  Jag

  PublicKey merchKey = cert.getPublicKey();
  RSAPublicKey rsaPub = (RSAPublicKey) merchKey;
  BigInteger modulus = rsaPub.getModulus();
  BigInteger exponent = rsaPub.getPublicExponent();

• SSL certificates not visible while RFC destination creation

  Hi all,
  I am setting up an RFC destination to connect to external server and which uses SSL certificates for its authorization.
  So i have imported the Client certificates into STRUST.
  While setting up an RFC connection of type G, in the security tab when we select the SSL security certificate radio button, will we be able to see the certificates(in the combo box) that we have imported in STRUST.
  Currently, though i have imported the Client certificates into STRUST, i am not able to see them in the SS security certificates combo box.
  Kindly help me out.
  Cheers,
  Siva Maranani.

  Well, first of all we should avoid confusion by using the term "<i>ABAP destination</i>" rather than "<i>RFC destination</i>" (although ABAP transaction SM59 still has this old title).
  When referring to an "ABAP destination of type G" we are talking of an outbound http connection to a non-ABAP server (e.g. an SAP J2EE server or any other http server).
  I'm not sure whether you are aware that in this context "<i>SSL client certificate</i>" refers to the ABAP <u>system</u> (which is the SSL client in this scenario). This is different from scenarios where "X.509 client certificate" refers to a certificate which is assigned to an individual <u>user</u> (using a web browser). <b>In the given scenarios, where two systems are the communication peers, SSL cannot be used for user authentication.</b> That fact is often misunderstood.
  By default you'll find 3 different SSL certificates (actually: PSEs) in an ABAP system (which can be used only after enabling SSL, of course - see note 510007 for instructions):
    - SSL Server
    - SSL Client (anonymous)
    - SSL Client (Default)
  Well, the "<i>SSL Client (anonymous)</i>" is actually not really a "client certificate" but used for outgoing http requests where you do not intend to send your own SSL client certificate. Since you cannot use the server's SSL client certificates for user authentication it might make sense to use "<i>SSL Client (anonymous)</i>" is most cases.
  Please notice: you have to add the server's SSL certificate (respectively the root CA certificate and potentially intermediate CA certificates) to the certificate list of the "<i>SSL Client (anonymous)</i>" PSE (using STRUST). By default, that list is empty - consequently no SSL server certificate is trusted (in contrast to a web browser which is already shipped with a long list of "trusted CAs").
  Only when the (remote) server demands SSL client certificates it might make sense to use either "<i>SSL Client (Default)</i>" or to define a new SSL client certificate (for the ABAP system that submits the https request).
  Please notice:
  SSL client certificates need to be issued by an Certification Authority (CA) in order to be accepted by the SSL server.
  In addition to importing the SSL server's certificate to the certificate list of the SSL client PSE (see above: <i>anonymous SSL client</i>) you also need to export the root CA certificate (and potentially all intermediate CA certificates) of the SSL client certificate and import it to the (remote) SSL server's keystore (kindly refer to the manuals of that server for instructions).
  Kind regards, Wolfgang
  PS: I assume that you have imported some certificates to the certificate list of a SSL client PSE. In SM59 only those SSL client PSEs are listed: "<i>SSL Client (anonymous)</i>", "<i>SSL Client (Default)</i>" and all SSL client PSEs that you might have defined in addition (using transaction STRUST => <i>Environment</i> => <i>SSL Client Identities</i>).

• SChannel error- The SSL server credential's certificate does not have a private key information property attached to it.

  We have a public SSL certificate that allows for Active Directory sync with LDAPS on port 636 with our email smart host. This was working fine and suddenly stopped working and we are now getting SChannel errors Event ID 36869. There were no changes made
  to the Exchange server, the firewall or the DC which holds the certificate. I have run a new certreq from the DC and then re-keyed the public SSL certificate and re-installed 3 times but the error does not go away and AD Sync with the vendor
  fails. When I run LDP.exe the connection on port 636 fails with "cannot open connection" and the system event log throws the S Channel event 36869 "The SSL server credential's certificate does
  not have a private key information property attached to it"  There is no software firewall set on the DC. When I run Certutil -VerifyStore MY  it shows the current certificates as well as the revoked and expired certificates
  correctly. Certificate 0 is the public cert and is listed with Server and Client authentication, the FQDN of the server is correct and "Certificate is Valid" is listed. The private cert is Certificate 1 and has server and client authentication, the
  FQDN is correct, Private key is not exportable and it ends with Certificate is Valid. I do not see a point in re-keying the cert again until I figure out what the root of the problem is. I have read in some forums that the private cert should not be set to
  expire after the public cert but that does not make a lot of sense when in a situation like this the private cert is of course newer than the public. In fact it is too early to renew the public cert. I have been troubleshooting this for a few days and at this
  point I would have to drop my AD sync with the vendor to LDAP in order to add new users. I do not want to do that for obvious reasons and I do not want to have our spam filtering and email archive service running without Directory sync. Any help would be greatly
  appreciated.

  Hi,
  Have you tried this?
  How to assign a private key to a new certificate after you use the Certificates snap-in to delete the original certificate in Internet Information Services
  http://support.microsoft.com/kb/889651
  Best Regards,
  Amy