We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
Course Of The Month
11 days, 15 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Install amended UCC/SAN SSL certificate on Exchange 2010
Posted on 2010-11-28
I have an Exchange 2010 system running off of a single server and I have installed a GoDaddy UCC/SAN SSL certificate with the following domains:
redwoodskills.com
autodiscover.redwoodskills
I have been having issues getting autodiscover/Outlook/handh
I have requested an additional SAN (Subject Alternate Name) of webmail.redwoodskills.com be added to the SSL certificate and this has been authorised and the certificate is ready to download and install.
Problem:
The original certificate was purchased using a CSR from the Exchange 2010 server and installed by Completing Pending Request etc...
Has anyone any instructions for how to "update" the existing SSL certificate with the new amended one as GoDaddy's instructions are not very clear on this?
I've seen plenty of noise on the Internet about SSL certificate issues and I'm terrified of breaking what is a semi-working system at present.
Thanks
Brian
redwoodskills.com
autodiscover.redwoodskills
I have been having issues getting autodiscover/Outlook/handh
I have requested an additional SAN (Subject Alternate Name) of webmail.redwoodskills.com be added to the SSL certificate and this has been authorised and the certificate is ready to download and install.
Problem:
The original certificate was purchased using a CSR from the Exchange 2010 server and installed by Completing Pending Request etc...
Has anyone any instructions for how to "update" the existing SSL certificate with the new amended one as GoDaddy's instructions are not very clear on this?
I've seen plenty of noise on the Internet about SSL certificate issues and I'm terrified of breaking what is a semi-working system at present.
Thanks
Brian
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
8
5
14 Comments
Akhater
Thanks for the prompt response.
So, I disregard the pending download GoDaddy have offered me?
After that, what happens next?
I have just gone to the Exchange 2010 server to create a new CSR and noticed that it doesn't like my existing certificate:
Help...., what does this mean?
This SSL lark is too complicated.
If I create a new CSR as per GoDaddy instructions and rekey my existing SSL certificate what do I do about the existing certificate, and also the Intermediate Certificate Bundle that was originally downloaded and installed?
I'm feeling very, very nervous.
Brian
Thanks for the prompt response.
So, I disregard the pending download GoDaddy have offered me?
After that, what happens next?
I have just gone to the Exchange 2010 server to create a new CSR and noticed that it doesn't like my existing certificate:
Help...., what does this mean?
This SSL lark is too complicated.
If I create a new CSR as per GoDaddy instructions and rekey my existing SSL certificate what do I do about the existing certificate, and also the Intermediate Certificate Bundle that was originally downloaded and installed?
I'm feeling very, very nervous.
Brian
Akhater
I've just tried to create a new CSR on the Exchange 2010 server and it won't allow me to. It only gives me the option of a wildcard certificate. Is this because a certificate already exists?
You will notice that there are two certificates on my Exchange 2010 server. The original self cert and my GoDaddy one. When I installed the GoDaddy certificate I remember it asking me about transferring services over from an existing certificate and I declined. Was that wrong? Should I remove the self cert certificate?
Have you any idea what the current status of the Exchange system is regards OWA and handhelds with the SSL certificates in their current state?
I await your response (eagerly).
Brian
I've just tried to create a new CSR on the Exchange 2010 server and it won't allow me to. It only gives me the option of a wildcard certificate. Is this because a certificate already exists?
You will notice that there are two certificates on my Exchange 2010 server. The original self cert and my GoDaddy one. When I installed the GoDaddy certificate I remember it asking me about transferring services over from an existing certificate and I declined. Was that wrong? Should I remove the self cert certificate?
Have you any idea what the current status of the Exchange system is regards OWA and handhelds with the SSL certificates in their current state?
I await your response (eagerly).
Brian
Active today
It looks like you generated the certificate with the incorrect server name.
Using the Exchange Management Shell type (replacing the server names with your server's names):
FIRST ENTER THIS:
$Data = New-ExchangeCertificate -GenerateRequest -DomainName mail.company.com, autodiscover.company.com, RES-EXS, RES-EXS.company.local -Friendlyname mail.company.com -PrivateKeyExportable:$tru
NEXT ENTER THIS:
Set-Content -path "C:\certificate_request.tx
Then, your correct certificate request will be at "C:\certificate_request.tx
Once you have the downloaded certificate you can import it in the Exchange Management Shell like so (again replacing the cert name with your cert's name):
Import-ExchangeCertificate
Remove the -DoNotRequireSSL if you do want to require SSL.
The intermediate certificate bundle is the same no matter what so you don't need to worry about that being installed...no reason to get nervous here either. Just make sure you use the correct name of the server "RES-EXS"
Using the Exchange Management Shell type (replacing the server names with your server's names):
FIRST ENTER THIS:
$Data = New-ExchangeCertificate -GenerateRequest -DomainName mail.company.com, autodiscover.company.com, RES-EXS, RES-EXS.company.local -Friendlyname mail.company.com -PrivateKeyExportable:$tru
NEXT ENTER THIS:
Set-Content -path "C:\certificate_request.tx
Then, your correct certificate request will be at "C:\certificate_request.tx
Once you have the downloaded certificate you can import it in the Exchange Management Shell like so (again replacing the cert name with your cert's name):
Import-ExchangeCertificate
Remove the -DoNotRequireSSL if you do want to require SSL.
The intermediate certificate bundle is the same no matter what so you don't need to worry about that being installed...no reason to get nervous here either. Just make sure you use the correct name of the server "RES-EXS"
Akhater
I've just test OWA and that still works and I've sent a test email to my own account from a Blackberry running email from the Exchange 2010 server and that arrived.
I'm interested to know why when it appears that the Exchange 2010 server doesn't like my GoDaddy UCC/SAN SSL certificate.
Brian
I've just test OWA and that still works and I've sent a test email to my own account from a Blackberry running email from the Exchange 2010 server and that arrived.
I'm interested to know why when it appears that the Exchange 2010 server doesn't like my GoDaddy UCC/SAN SSL certificate.
Brian
Active today
You'll need to remove the old certificates...using the Exchange Management Shell:
TYPE : Get-ExchangeCertificate > C:\thumbprint.txt
Open C:\thumbprint.txt and copy the certificate thumbprint out of the text file and :
TYPE : Remove-ExchangeCertificate
Then, you can import the new, correct, certificate.
TYPE : Get-ExchangeCertificate > C:\thumbprint.txt
Open C:\thumbprint.txt and copy the certificate thumbprint out of the text file and :
TYPE : Remove-ExchangeCertificate
Then, you can import the new, correct, certificate.
Renazonse
You've uncovered another problem I have here which I will explain.
The internal domain was named redwood.co.uk on installation and the Exchange server is known as RES-EXS.redwood.co.uk. It's too late to change that now.
That domain name (redwood.co.uk) does not belong the company that owns the server. They use a domain name redwoodskills.com on the Internet, which is why the GoDaddy SSL certificate references redwoodskills.com. GoDaddy will not issue a certificate that references redwood.co.uk as it doesn't belong to me or the company I am working on behalf of. I have autodiscover.redwoodskills
I have been having issues getting autodiscover to work correctly both with OWA and handhelds (Blackberry and IPhone) and Outlook internally is now bleating about certificate problems. I am referencing an article on MSExchange.org on Exchange Autodiscover which appears to offer a correct setup for my environment. I don't know when the Exchange server decided it didn't like my original GoDaddy certificate but suspect it happened some time after installation.
All I want to do is add another SAN to the certificate and install it on the Exchange server to follow the instructions on MSExchange.org.
I've asked the question of Akhater, but I'll ask you too. Should I remove the Exchange self cert certificate shown above?
Many Thanks
Brian
You've uncovered another problem I have here which I will explain.
The internal domain was named redwood.co.uk on installation and the Exchange server is known as RES-EXS.redwood.co.uk. It's too late to change that now.
That domain name (redwood.co.uk) does not belong the company that owns the server. They use a domain name redwoodskills.com on the Internet, which is why the GoDaddy SSL certificate references redwoodskills.com. GoDaddy will not issue a certificate that references redwood.co.uk as it doesn't belong to me or the company I am working on behalf of. I have autodiscover.redwoodskills
I have been having issues getting autodiscover to work correctly both with OWA and handhelds (Blackberry and IPhone) and Outlook internally is now bleating about certificate problems. I am referencing an article on MSExchange.org on Exchange Autodiscover which appears to offer a correct setup for my environment. I don't know when the Exchange server decided it didn't like my original GoDaddy certificate but suspect it happened some time after installation.
All I want to do is add another SAN to the certificate and install it on the Exchange server to follow the instructions on MSExchange.org.
I've asked the question of Akhater, but I'll ask you too. Should I remove the Exchange self cert certificate shown above?
Many Thanks
Brian
Active today
Wow...I'm not sure you're ever going to get this to work properly without getting your full internal server name added to the cert but I guess you don't have much of an option right now...sounds like you'll just have to leave the RES-EXS.redwood.co.uk out of the generated cert.
It's my understanding that Autodiscover is definitely not going to work on alternate port...read Sembee's remarks in this thread: http://forums.msexchange.org/m_1800487312/mpage_1/key_/tm.htm#1800487335
Remove the complaining and incorrect certificates and continue where you're going.
It's my understanding that Autodiscover is definitely not going to work on alternate port...read Sembee's remarks in this thread: http://forums.msexchange.org/m_1800487312/mpage_1/key_/tm.htm#1800487335
Remove the complaining and incorrect certificates and continue where you're going.
Renazonse
I think I am nearly there. I don't have an External URL setup for OWA and other services and the MSExchange.org article seems to fill in the blanks as far as having an internal URL different from an external URL and using split DNS. I am wanting to use webmail.redwoodskills.com rather than referencing autodiscover.redwoodskills
You probably understand that I'm not an expert with this stuff, suppose I should be as I've been at it a long long time, but it really is getting too complicated now...and I'm old :-).
It looks as if I will have to remove the original GoDaddy certificate before I can create another CSR but I'm worried what effect that is going to have on an already creaking system, and how long it takes GoDaddy to issue new certificates.
OWA work fine both externally and internally and Out-of-Office functionality works.
Outlook works internally but Out-of-Office doesn't work.
Handhelds are problematic, some work some don't, bit that's for another time.
I'm also not too clever with the Exchange Shell and would prefer to use the GUI. Can I remove the existing certificates using the GUI correctly, and should I remove both as shown above?
I've had enough today so I'll pick this back up in the morning.
The end user is 200 miles from me and I don't really want to have to visit them again as this job is already costing me money :-(.
Thanks again
Brian
I think I am nearly there. I don't have an External URL setup for OWA and other services and the MSExchange.org article seems to fill in the blanks as far as having an internal URL different from an external URL and using split DNS. I am wanting to use webmail.redwoodskills.com rather than referencing autodiscover.redwoodskills
You probably understand that I'm not an expert with this stuff, suppose I should be as I've been at it a long long time, but it really is getting too complicated now...and I'm old :-).
It looks as if I will have to remove the original GoDaddy certificate before I can create another CSR but I'm worried what effect that is going to have on an already creaking system, and how long it takes GoDaddy to issue new certificates.
OWA work fine both externally and internally and Out-of-Office functionality works.
Outlook works internally but Out-of-Office doesn't work.
Handhelds are problematic, some work some don't, bit that's for another time.
I'm also not too clever with the Exchange Shell and would prefer to use the GUI. Can I remove the existing certificates using the GUI correctly, and should I remove both as shown above?
I've had enough today so I'll pick this back up in the morning.
The end user is 200 miles from me and I don't really want to have to visit them again as this job is already costing me money :-(.
Thanks again
Brian
The certificate is invalid for Exchange Server usage error appears to be an issue with revocation lists whatever they are, so I'm investigating further.
Active today
You don't have to remove the existing cert to generate the new one...once the new cert is generated the old one will cease to work and you'll need to install the new one then.
You should be able to right click on the certificates listed in your screenshot to remove them:
http://msexchangegeek.com/2009/05/13/exchange-2010-emc-and-certificates-management-part-1
You should be able to right click on the certificates listed in your screenshot to remove them:
http://msexchangegeek.com/2009/05/13/exchange-2010-emc-and-certificates-management-part-1
Renazonse
I took your advice and called GoDaddy but they were no help.
I appear to be going around in circles.
I think I am going to have to:
1) Remove the original GoDaddy certificate
2) Generate a new CSR
3) Send the CSR to GoDaddy to ReKey the certificate
4) Install the new certificate,
but
What adverse effects will I encounter on Removing the original certificate?
What about the Intermediate Certificate Bundle shipped with the original certificate? Will that need removing/reinstalling with the new certificate?
This is Hell....
Brian
I took your advice and called GoDaddy but they were no help.
I appear to be going around in circles.
I think I am going to have to:
1) Remove the original GoDaddy certificate
2) Generate a new CSR
3) Send the CSR to GoDaddy to ReKey the certificate
4) Install the new certificate,
but
What adverse effects will I encounter on Removing the original certificate?
What about the Intermediate Certificate Bundle shipped with the original certificate? Will that need removing/reinstalling with the new certificate?
This is Hell....
Brian
Active today
You don't have to remove the certificate until you're ready to install the new one. Once the certificate is rekeyed it will disable the old one and you'll be ready to install at that point.
You don't have to worry about the intermediate certs that come with the certificate from GoDaddy...those are just updated trusted root certs and they never have to be removed and they are identical with every certificate that's issued at GoDaddy.
Your process listed above is the way to go...the certs are usually issued within a couple of hours at GoDaddy so there should be little or no downtime.
You don't have to worry about the intermediate certs that come with the certificate from GoDaddy...those are just updated trusted root certs and they never have to be removed and they are identical with every certificate that's issued at GoDaddy.
Your process listed above is the way to go...the certs are usually issued within a couple of hours at GoDaddy so there should be little or no downtime.
Featured Post
Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies. Only from Platform Scholar.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center.
Navigate to the Recipients >> Sha…
This video discusses moving either the default database or any database to a new volume.
Suggested Courses
Earn Certification
HTML5 Specialist - Certification
Free withPremium
Course of the Month11 days, 15 hours left to enroll
Earn Certification
MTA Mobility Device Fundamentals (Exam 98-368)
$59.00$53.10
623 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.