rdelrosario

asked on

Best way to REPLACE SSL Certificate on Exchange 2003 OWA site. (host name changed)

We have an Exchange 2003 server running OWA on the inside of our network. We use a firewall to NAT requests over to IIS on the Exchange server to serve OWA mail. However, our host name changed due to a firewall upgrade from MAILABC to MAILXYZ. The certificate is still tied to MAILABC, but the host name that routes to the OWA website is now MAILXYZ. SSL is still enabled and required and still works, but of course the certificate states that the name doesn't match the IP and the standard warning not to continue shows up. How can I REPLACE the MAILABC certificate to match the new hostname (MAILXYZ) that routes to OWA without causing any problems or downtime?

As an example, people used to go to https://mailabc.test.com/exchange, but it changed to https://mailxyz.test.com/exchange. OWA still works, but they get the cert warning, so all I want to do is get a new certificate and then replace the one tied to the OWA website on the Exchange server.

What are the steps?
Do I do a remove in the cert wizard, or can I do a replace? If I do a replace, don't I need a CSR already pulled so I can choose one to replace with? But then does it matter what the CSR name states? Anything that can clear this up, specifically a step by step (as I know order makes a difference) on how to best accomplish this, would be great.

500 points for this.
vishal_impact

1. Go to IIS (right click on My Computer and choose Manage).
2. Click the "+" next to Web Sites.
3. Right click the Default Web Site (or whatever you named it) and choose Properties.
4. Click on the Directory Security tab.
5. At the bottom click on Server Certificate.
6. Click Next.
7. Choose "Replace the current certificate" and take it from there.

Hope that helps
ScarEye
rdelrosario

ASKER

I'm pretty sure that when you select REPLACE CERTIFICATE you must have another certificate already issued to replace with. How can I issue another CSR if a certificate already exists on that website? (It happens to be the default Exchange website.) Wouldn't I have to remove the certificate from the default website before I can even issue another CSR? more info
Have you got SSL from a third party or so?
Yes, there will be some downtime for OWA until you get the new cert. You will remove the old cert, generate the CSR, and when the new cert arrives you will install it.
You probably could delete the request and install the old cert in the meantime, then when the new cert arrives manually place it in the certificate store. Then go back to the default website and replace the old cert with the new cert.
If you are running SBS it is easier to wait and process the request using the internet connection wizard on the certificate page.

Installing SSL Certificate - Microsoft Internet Information Services 6.x
Once your SSL certificate has been signed and issued, Go Daddy® will send you an e-mail message that allows you to download the signed certificate and our intermediate certificate bundle (gd_iis_intermediates.p7b), both of which must be installed on your Web site.
 
Note: You must use the provided certificate-download link within three days of receiving the certificate-issuance e-mail message. If the download link is allowed to expire, you must request a certificate re-key in order to retrieve your signed SSL certificate.
 
NOTE: For Windows NT 4.0, you must have at least Service Pack 4.0 or higher or Microsoft Internet Explorer 5.0.
 
Installing SSL Certificate and the Intermediate Certificate Bundle (gd_iis_intermediates.p7b)
 
Before you install your issued SSL certificate you must download and install our intermediate certificate bundle (gd_iis_intermediates.p7b) on your Web server. You may also download the bundle from the repository.
 
Once you have downloaded and saved the certificate bundle, please follow the instructions below to install it.
 
Installing Intermediate Certificate Bundle (gd_iis_intermediates.p7b):

1. Select Run from the Start menu; then type mmc to start the Microsoft Management Console (MMC).
2. In the Management Console, select File; then "Add/Remove Snap-in."
3. In the Add/Remove Snap-in dialog, select Add.
4. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
5. Choose Computer Account; then click Next and Finish.
6. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
7. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
8. Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import.
9. Follow the wizard prompts to complete the installation procedure.
10. Click Browse to locate the certificate file (gd_iis_intermediates.p7b).
11. Choose "Place all certificates in the following store"; then use the Browse function to locate Intermediate Certification Authorities. Click Next.
12. Click Finish.
Installing SSL Certificate:

1. Select the Internet Information Services console within the Administrative Tools menu.
2. Select the Web site (host) for which the certificate was made.
3. Right-click and select Properties.
4. Select the Directory Security tab.
5. Select the Server Certificate option.
6. The Welcome to the Web Server Certificate Wizard window opens. Click OK.
7. Select "Process the pending request and install the certificate." Click Next.
8. Enter the location of the certificate file in the Process a Pending Request window. The file extension may be .txt or .crt instead of .cer (search for files of type All Files).
9. When the correct certificate file is selected, click Next.
10. Verify the Certificate Summary to make sure all information is accurate. Click Next.
11. Select Finish.
NOTE: If the Go Daddy root certificate is currently installed on your machine you will need to disable it in the Trusted Root Certification Authorities folder. Please follow the instructions below to do this:

1. Select Run from the Start menu; then type mmc to start the Microsoft Management Console (MMC).
2. In the Management Console, select File; then "Add/Remove Snap-in."
3. In the Add/Remove Snap-in dialog, select Add.
4. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
5. Choose Computer Account; then click Next and Finish.
6. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
7. If necessary, click the + icon to expand the Certificates folder so that the Trusted Root Certification Authorities folder is visible.
8. Expand the Trusted Root Certification Authorities folder.
9. Double-click the Certificates folder to show a list of all certificates.
10. Find the Go Daddy Class 2 Certification Authority certificate.
11. Right-click on the certificate and select Properties.
12. Select the radio button next to "Disable all purposes for this certificate."
13. Click OK.
NOTE: Do not disable the Go Daddy Secure Certification Authority certificate located in the Intermediate Certification Authorities folder. Doing so will break the server, causing it to stop sending the correct certificate chain to the browser.

Well, you need to get that one first and then replace it the way I said. You can buy from companies like Comodo or www.thawte.com.
Look at this article for details:
www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
Hi,
It's the free SSL which is the public one, but you need to buy one if you are using it for OWA.
Otherwise most of the time you will get an SSL error or sites will get an SSL error.
murgroup,

When I remove the cert from the default website running OWA... when you say downtime, are you saying OWA won't work, or can I just say "don't require SSL" and people can still get on, albeit without SSL encryption? I want the work that I do to be seamless, so can you tell me what downtime you are referring to? Again, if I remove the certificate, won't it just act like a regular HTTP site and still serve OWA pages seamlessly to my end users?

THANKS
Yes, that is what I was referring to. OWA would be unavailable if you required SSL. You would have to try it with straight HTTP. I'm not sure how that would affect the CSR request.
I'm pretty sure you can create the CSR, send it to the certificate authority (GoDaddy, VeriSign or RapidSSL), then delete the request and install the old cert. Then when the new cert arrives, place it in the certificate store manually as my message above shows. Then go to IIS and replace the old cert with the new, as it will show up once placed in the store manually.
murgroup,
I just tried to turn off "require SSL" and everything works fine. With that said, do you think the following is the route to go:

1.  disable "require ssl".  verify that straight http works in the interim.
2.  remove the existing cert.
3.  create a new cert for the default website matching the new host name.
4.  when I get the new cert process the pending cert with the certificate wizard.
5.  turn on require ssl afterwards.
* In doing the above there shouldn't be any downtime, right?

When you said you weren't sure what would happen with the CSR if I turned off "require SSL": if I removed the SSL requirement prior to removing the cert, would that address your concern, or am I missing something?
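A check for steps 4 and 5 of the plan above, before "require SSL" is switched back on: confirm that the certificate the OWA site actually serves carries the new host name (mailxyz.test.com) in its subject or SAN, which is exactly what the browser warning in this thread complains about. This is an added example, not code from the thread or from any of the products named in it; the certificate dictionaries are constructed samples in the shape Python's ssl.SSLSocket.getpeercert() returns, and the host names are the thread's example names.

```python
import socket
import ssl

# Constructed samples mirroring the thread: the old cert names only MAILABC
# in its subject CN (no SAN); the replacement names MAILXYZ in CN and SAN.
OLD_CERT = {"subject": ((("commonName", "mailabc.test.com"),),)}
NEW_CERT = {
    "subject": ((("commonName", "mailxyz.test.com"),),),
    "subjectAltName": (("DNS", "mailxyz.test.com"), ("DNS", "mail.test.com")),
}


def _name_match(pattern, host):
    """Match one DNS name from the cert against the URL host (case-insensitive).
    A leading '*' may only stand in for the left-most label, as browsers enforce."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names a browser compares the URL host against: the SAN DNS entries when
    present, otherwise (legacy behaviour) the subject commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert, host):
    """True when the certificate is valid for `host`; False reproduces the
    'name does not match' warning the users in this thread are seeing."""
    return any(_name_match(n, host) for n in cert_names(cert))


def live_check(host, port=443):
    """Connect to the OWA host and compare the served certificate with the URL
    host. Chain validation stays on (CERT_REQUIRED), so a missing intermediate
    surfaces as an SSLCertVerificationError, while a name mismatch returns False.
    Network call; not exercised offline."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # report the mismatch ourselves instead of raising
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hostname_matches(tls.getpeercert(), host)
```

Run `live_check("mailxyz.test.com")` against the real host after step 4; it should return True before "require SSL" is re-enabled in step 5.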
ASKER CERTIFIED SOLUTION
murgroup
Were you able to replace the certificate? I am currently having the same issue. I need to replace the certificate because the host name of the certificate does not match my URL.

When I try to replace the certificate it only lists the certificate that has the wrong URL name. It does not give me the option to browse for the new certificate.
If I remove the SSL requirement, OWA works fine. If I import the old certificate it works, but it gives me a warning that the URL and certificate do not have the same name.

Any help is appreciated.