• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 448
  • Last Modified:

Need to modify current Exchange 2007 setup from using two SSL certs (one for Autodiscover), to one UCC cert.

Our environment currently has two CAS servers (CAS1 and CAS2), and two mailbox servers (all using Server 2008).  The mailbox servers are clustered (CCR), and only one of the two CAS servers are being utilized right now, but will soon be load-balanced (and will be called CAS).  On the current CAS server (CAS2), we have two virtual directories in IIS, one for Autodiscover, and one for OWA (the Default Website), with one SSL cert tied to each (autodiscover.domain.com, and mail.domain.com).  Everything works fine, but some people using laptops that are not on our domain and are offsite, have difficulties.  I am about to purchase a UCC cert, and wish to combine both of the virtual directories, having just the one cert tied to it.

The UCC cert (common name:  mail.domain.com) will include the following SANs:  

We need the .net and .com, as some people in our company use both.  Anyways, what is the easiest way to change from one way of doing things to the other?  And what all has to be done?  Thanks for the help! :)
  • 4
  • 3
1 Solution
Ok, first, make sure the whois e-mail info is correct for both domains.

Use this page to generate the request command:
paste the request into the Exchange Management Shell; use the resulting data to purchase the certificate.
Download the UCC cert

Run this from the Exchange shell to get the thumbprints of your old certs:
Get-ExchangeCertificate | FL *

Remove all the old certs:
Remove-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxx

run MMC and use the Certificates snap-in to install the new certificate
Run this from the Exchange shell to get the thumbprint of your new cert:
Get-ExchangeCertificate | FL *

Run this shell command to set Exchange to use the new UCC certificate:
Enable-ExchangeCertificate -Services "IIS, IMAP, POP, SMTP"  -Thumbprint xxxxxxxxxxxxxxx
redmanjbAuthor Commented:
Thank you for the reply.  I've already purchased and created the cert, but my question is about the virtual directories in IIS.  Right now there is one called Autodiscover and another called Default Website (for OWA)...
Are users getting a certificate error? You should remove the old certificates to ensure they they don't get the wrong one. What is your question about the virtual directories?
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

redmanjbAuthor Commented:
This question is only about the virtual directories.  Things are working ok now, but, the configuration needs to change from a 2 SSL Cert setup, to a one UCC SSL Cert setup.

Right now, in IIS on the Client Access Server, we have the following virtual directories:
Autodiscover (for autodiscover.domain.com)
Default Website (for smtp.domain.com)

There is one cert tied to each virtual directory.  And each virtual directory has an IP address bound to it.

The problem with our current setup is that we are forced to use two different IP addresses for IIS, one for each virtual directory.  This is preventing us from setting up load-balancing for the Client Access Server, as we'd only be able to load-balance one of the IP addresses (the one for OWA, and not autodiscover).  Therefore, we need to set up Exchange and IIS to use one virtual directory which is protected by a UCC cert.  This is the ideal way to set up Exchange 2007, and is the ideal way for us because we'd be able to load balance both OWA and Autodiscover.
Ok, I'm still not clear on where you're stuck. Have you tried to remove the old certificates and use the new one? The ip is bound to the website, not the virtual directory. Do you have one of the virtual directories in a different website? Why are you forced to use two ip addresses?

You should be able to use the same certificate for both virtual directories. The ip address isn't in your UCC certificate, so it shouldn't matter what ip you use. As long as DNS resolves correctly and the URL matches your cert, it should work.
redmanjbAuthor Commented:
I had stepped away from this issue for quite awhile, but ended up resolving it.  I had to delete the virtual directories in IIS, and run a command in EMS to basically uninstall autodiscover and reinstall it, which put the virtual directory in the correct place and configured everything...which is what I was trying to get assistance with, stating again and again that the question was about the virtual directories, not IP addresses or certs.  The cert had already been created with the appropriate SANs, and IP addressing wasn't an issue at all.

I do appreciate your input though LaserSpot...thank you.
redmanjbAuthor Commented:
Moderators, please close this question, as it has been resolved.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now