bhgewilson
asked on
What SAN do I need
My domain name is dolphinteac.com
My server name is ad-svr.dt.local
My MX record will be mail.dolphinteac.com
I think my common name should be mail.dolphinteac.com
Should my san be
ad-svr.dt.local
ad-svr
autodiscover.dolphinteac.com
autodiscover.dt.local
I have to disagree with the above about not having the NetBIOS name in the certificate. It can cause problems if it is not in there. If you are using UM it must be in there; if it isn't, then Exchange simply generates a self-signed certificate.
You do not need autodiscover.domain.local.
I have instructions on the full process here:
http://blog.sembee.co.uk/archive/2008/05/30/78.aspx
Simon.
ASKER
I have been working on this for a while. I did do the NetBIOS name and I have Outlook working with the local server name. Now OWA is stalling. I tried to go into Enable-ExchangeCertificate and put in the thumbprint. This tells me that the thumbprint cannot be found.
"the certificate with thumbprint "XXX" was not found.
Line1 Char27.
I have the right SAN names but I fear that I need to disable and re-enable a cert and I am not sure how.
You have bought the certificate and installed it?
If you do Get-ExchangeCertificate it will show you the currently installed certificates and the thumbprint of each.
Simon.
ASKER
Yes, I tried two different things.
1- I tried to import it and I got the message that it cannot import as there is already a certificate with thumbprint 4afn........ and fails
2- I tried Get-ExchangeCertificate and show full and it does not show this thumbprint.
3- I tried to enable all certificates in Get-ExchangeCertificate and it only works on the server NetBIOS name. The thumbprint it shows in import should be able to enable also, right?
Brad
Let's just be clear here.
You generated the request, sent it to the provider.
The provider returned the certificate and you then ran the import command?
At that point if you run get-exchangecertificate, the new certificate should show with no services next to it.
The thumbprint changes from what you have received from the certificate provider to what is installed in Exchange.
If you run get-exchangecertificate |fl it will show you the complete list, which includes who issued the certificate.
Simon.
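An added example, not part of the original thread or any poster's own script: one way to run the checks described above from the Exchange Management Shell. It looks for the thumbprint in the computer's Personal store, confirms a private key is attached, and only then enables services. `$Thumbprint` is a placeholder, and the service list is the one shown in this thread's output.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange server.
# Placeholder: paste the thumbprint reported by the failed import here.
$Thumbprint = 'PASTE-THUMBPRINT-HERE'

# Thumbprints copied from a certificate dialog often carry spaces or an
# invisible leading character; keep hex digits only and upper-case them.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Look in the local computer's Personal store, where imported certificates land.
$storeCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }

if ($Thumbprint.Length -ne 40) {
    Write-Host "Not a 40-digit SHA-1 thumbprint after clean-up: '$Thumbprint'"
}
elseif (-not $storeCert) {
    Write-Host "No certificate with this thumbprint in LocalMachine\My."
}
elseif (-not $storeCert.HasPrivateKey) {
    # Exchange can only use a certificate whose private key is on this server,
    # i.e. the server where the request was generated.
    Write-Host "Certificate is in the store but has no private key attached."
    $storeCert | Format-List Subject, Issuer, NotAfter, HasPrivateKey
}
else {
    # Show what Exchange itself reports for this certificate before changing anything.
    Get-ExchangeCertificate |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Format-List Thumbprint, Subject, Issuer, CertificateDomains, IsSelfSigned, Services, Status

    # Assign the services currently held by the self-signed certificate.
    Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services "IIS, SMTP, POP, IMAP"

    # Confirm the result: the new certificate should now list the services.
    Get-ExchangeCertificate | Format-List Thumbprint, CertificateDomains, Services, Status
}
```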
ASKER
import-exchangecertificate -path "C:\certpath\mail.domain.com.crt"
I receive a message stating "cannot import as there is already a thumbprint with the certificate 4af9.....
From there I hit get-exchangecertificate |fl
I get all are invalid except the very last one.
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ad-svr, ad-svr.cltped.local}
HasPrivateKey : True
IsSelfSigned : True
Issuer : CN=ad-svr
NotAfter : 8/21/2010 3:06:29 PM
NotBefore : 8/21/2009 3:06:29 PM
PublicKeySize : 2048
RootCAType : None
SerialNumber : 33275464697AD39F4B17BF95DE620D27
Services : IMAP, POP, IIS, SMTP
Status : Valid
Subject : CN=ad-svr
Thumbprint : 91042B6A0008A31EFEDA9D59F9B352698AFEAD18
Now should my actual certificate be there listed with mail.domain.com and netbios.domain.local?
What gives?
Here is a show of my DigiCert-generated CSR.
New-ExchangeCertificate -GenerateRequest -Path c:\mail_cltpediatricdentistry_com.csr -KeySize 1024 -SubjectName "c=US, s=NC, l=Charlotte, o=, cn=mail.cltpediatricdentistry.com" -DomainName autodiscover.cltpediatricdentistry.com, autodiscover.cltped.local, ad-svr.cltped.local, ad-svr -PrivateKeyExportable $True
ASKER
Are you using the Exchange management shell to create your certificate request or are you going about this directly on your certificate authority's website?