networkn


renew ssl certificate with exchange 2007


We used GoDaddy to provide our SSL certificates for both IIS and Exchange itself for the host smtp.domain.co.nz, which is what our internal and external DNS resolves to. This is working fine, but the certificate has a 2 year expiry which happens tomorrow. I am trying to determine, if I use the renew option with GoDaddy, how I get IIS to accept the certificate and how I apply this to IIS and Exchange 2007. Will the renew process ask me to get another CSR from the IIS server?

I was under the impression that in order to put a certificate into IIS, you had to make a certificate request (CSR) which you then give to GD, and then complete the request when the cert is issued by GoDaddy?

Also what is the command to overwrite the certificate in exchange?

I want to make sure the entire process is as seamless to the end users as possible. Last time we went from self-signed to externally provided SSL, for a while each Outlook client got an SSL certificate prompt on the workstation.

I am a little familiar with IIS/Exchange 2007 and SSL, but nice simple explanations please :)

It's possible this client wants to change the domain name and use this instead of what they have. Can I request a certificate which would work for smtp.domain1.co.nz and smtp.domain2.co.nz at the same time?


kleinrw

Here's the help link on GoDaddy regarding how to renew your cert: http://help.godaddy.com/topic/752/article/4802

It's pretty straightforward. It will automatically overwrite the old one when you install it. You can't install more than one SSL certificate per IP address on your web server. You CAN install multiple SSL certificates on a web server as long as there are multiple IPs assigned to the web server.

networkn

ASKER

Thanks, this helps. How do I get that cert into Exchange 2007? Just need to ensure tomorrow the Outlook clients don't get an error about an expired certificate.

ASKER CERTIFIED SOLUTION
Shreedhar Ette
This solution is only available to members.
http://www.globalsign.com/support/install/ex_2007.php

I found this, but it refers to .cer and my GD certificate is P7b and crt.

There are already certs in Exchange, how can I examine them more closely to see when they expire?

Rename the crt to cer

shreedhar:

How can I see the SSL certificates already in Exchange in more detail? I am trying to see when they will expire. My records show they should have already expired but they haven't (no errors opening Outlook).

Get-ExchangeCertificate | fl

Ok thanks. I can see that, based on that command, I have a date invalid certificate for the SMTP service, but my new SSL cert is installed and working on service IIS. I presume there must be a way to get the IIS service cert to work for the SMTP service, POP3, and IMAP. How do I do that? Are there any other services I should ensure the certificate is installed for?

The thumbprint of the correct cert is something like E6E6BDF27D3EEF25B0F2A828F2A3FE3FB209865E and the date invalid one is A45F5F9D52689F530D5E5DBAF86E6790777AAB49

I also see some other certificates, showing as valid, but services are set to none. Can I remove these without consequences?

Enable-ExchangeCertificate -Thumbprint E6E6BDF27D3EEF25B0F2A828F2A3FE3FB209865E -Services POP,IMAP,SMTP,IIS

Is that all the services I need to add? What is the service that handles the client to server certificate?

After running that command it seems like both certificates are assigned to POP, IMAP, SMTP, IIS.

Should this be the case? Should I remove the old one?

You can remove the expired certificate.
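
The steps discussed in this thread (listing expiry dates, enabling the renewed certificate for the services, removing the expired one) combined into one Exchange Management Shell session. This is an added example, not part of the original posts; the thumbprints are the approximate ones the asker quoted, and the 30-day threshold is an assumption.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2007 server.
# Thumbprints are the ones quoted in the thread; substitute your own.
$newThumb = 'E6E6BDF27D3EEF25B0F2A828F2A3FE3FB209865E'   # renewed certificate
$oldThumb = 'A45F5F9D52689F530D5E5DBAF86E6790777AAB49'   # date-invalid certificate
$warnDays = 30                                           # assumed warning threshold

# 1. Inventory every certificate Exchange knows about, soonest expiry first.
Get-ExchangeCertificate |
    Sort-Object NotAfter |
    Select-Object Thumbprint, Services, Status, NotAfter,
        @{Name = 'DaysLeft'; Expression = { [int]($_.NotAfter - (Get-Date)).TotalDays }},
        @{Name = 'Domains';  Expression = { "$($_.CertificateDomains)" }} |
    Format-Table -AutoSize -Wrap

# 2. Sanity-check the renewed certificate before binding it to any service.
$new = Get-ExchangeCertificate -Thumbprint $newThumb
if (-not $new.HasPrivateKey) {
    throw "Certificate $newThumb has no private key on this server; complete the pending request first."
}
if ($new.NotAfter -lt (Get-Date).AddDays($warnDays)) {
    throw "Certificate $newThumb expires on $($new.NotAfter); refusing to enable it."
}

# 3. Bind it to the services named in the thread.
Enable-ExchangeCertificate -Thumbprint $newThumb -Services POP,IMAP,SMTP,IIS

# 4. Remove the old certificate only once it is past NotAfter and the new one reports Valid.
$old = Get-ExchangeCertificate -Thumbprint $oldThumb
$new = Get-ExchangeCertificate -Thumbprint $newThumb
if ($old.NotAfter -lt (Get-Date) -and $new.Status -eq 'Valid') {
    Remove-ExchangeCertificate -Thumbprint $oldThumb -Confirm
} else {
    Write-Warning "Leaving $oldThumb in place: old NotAfter=$($old.NotAfter), new Status=$($new.Status)"
}
```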