SBS 2003 migration to 2008 R2 and Exchange 2010 - best way to deal with SSL Certificate?

Hi All,

I've been working from the excellent post on migration: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2881-Migrate-Small-Business-Server-2003-to-Exchange-2010-and-Windows-2008-R2.html?sfQueryTermInfo=1+10+2003+2008+2010+30+exchang+r2+sb

The only difference is that I wanted to use our existing (SBS) SSL certificate on the new 2008 R2 server so that web Outlook, users' PDAs, Outlook RPC over HTTPS settings etc. would not all need to be changed; to this end I followed this handy guide: http://www.jppinto.com/2009/04/moving-ssl-certificate-fwindows-2003-server-windows-server-2008/

After running through the process on our test setup a few times it all seemed cool, but when doing the live migration over the weekend (of Dec 10th, 11th, 12th) we hit snag after snag (as is always the case, I guess!). Anyway, the result was that by early Monday morning I decided to abort the mission and roll back to Friday's backup (Acronis to the rescue). Reviewing what happened, it all seemed to go disastrously wrong around the SSL certificate; for some reason, when people started connecting remotely the server would lock up and require a hard reboot.

So anyway, I now have a few quiet days where we're closed for chrimbo and I can rerun the process (avoiding time-consuming pitfalls from the first run) to get this working properly. Can anyone tell me if what I'm trying to do is reasonable, or do I basically have to take it on the chin and install a brand new certificate? Any useful pearls of wisdom or helpful war stories regarding setup of OWA, ActiveSync and RPC-HTTPS on 2008 R2/Exchange 2010 will get points! (I'm not using Forefront, btw.)

- Lenny
Mad_Lenny asked:
Glen Knight commented:
Glad you like my migration guide :)

To be honest, bite the bullet, save all the hassle and pay $60 for a new cert using the certificate wizard from my guide to generate the CSR.

It will save you a lot of hassle in the long run :)

dhew001 commented:
Unlike 2003 security with SSL, 2008 requires a deployment of the cert. You cannot simply have one on the client machine. I would recreate the self-signed cert and use the deployment tool to package it and give it to the clients. I have done many of these migrations and have never found a simpler way around the new security. Plus, you will add more time to the cert and will not have to deal with it expiring for a few years.
Glen Knight commented:
Exchange 2010 sets up a self signed cert.

I am assuming the author is talking about a 3rd party certificate that they would like to migrate to the Exchange 2010 server.

I forgot to mention in my first post that SBS doesn't require a SAN/UCC certificate whereas Exchange 2010 does.

Not sure why the deployment tool has been mentioned? I have never had to do this with any version of SBS or Exchange.
Mad_Lenny (Author) commented:
Hi guys, thanks for the responses. Yes, I do have a 3rd party certificate on the SBS server (due to run out in the not too distant June 2011). Given what you're saying, then, I'm prepared to go along with getting a new cert.

Silly question, but I take it that I can't buy a new cert with the same name?
Glen Knight commented:
Depending on the provider you may be able to re-key the certificate for free with the new CSR generated from the Exchange 2010 server.
Mad_Lenny (Author) commented:
The provider was Equifax, but I'm coming round to liking the idea of a clean start now. It also means I can add the users' machines/devices in a controlled manner instead of having them all bashing against the new server at once. Will let you know how it goes!
dhew001 commented:
Demazter - I had to package and deploy the self signed cert for users to run remote workplace on 2008 and for Blackberry.  You can't just download it from the site like with 2003.

Mad Lenny - A new cert may fix the issue and get rid of the headache.  Besides, a clean start will get rid of a lot of ADO schema issues.  Good luck!
Mad_Lenny (Author) commented:
Thanks guys, gave demazter the lion's share of points (it is your guide I'm following, after all!).

Well, I created and installed a new certificate and OWA works fine now, but there is a problem with Outlook clients (certificate warning) and mobile devices (cannot connect to server). If I can iron these out I'm home and dry; will post them in a new question though.
Glen Knight commented:
>>You can't just download it from the site like with 2003.
you most certainly can!!
Glen Knight commented:
>>Well, I created and installed a new certificate and owa works fine now but there is a problem with outlook clients (certificate warning) and mobile devices (cannot connect to server)

What names did you add to the certificate?
Mad_Lenny (Author) commented:
Managed to sort the internal Outlook client security message by running the first command in this KB: http://support.microsoft.com/kb/940726

Just trying to get the remote Outlook client to connect properly now before moving on to mobile devices. As for the names I added to the certificate, I simply copied the same format used in the guide JPEG for that bit (webmail.mydomain.co.uk).
Mad_Lenny (Author) commented:
Oops, I fell for the old "you need to Enable Outlook Anywhere" gag. Just mobile devices to go now.
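As an added example (not code from the original posts, from Glen's migration guide or from the KB article), the Exchange Management Shell sequence behind the steps this thread discusses: generating a SAN/UCC certificate request on the Exchange 2010 server, binding the issued certificate, the KB 940726 internal URL change that removes the Outlook certificate warning, and enabling Outlook Anywhere. The server name EX2010, the names webmail.mydomain.co.uk, autodiscover.mydomain.co.uk and ex2010.mydomain.local, the organisation name and the C:\certs paths are assumptions for illustration.

```powershell
# Added example: Exchange 2010 certificate and client-access setup.
# Run in the Exchange Management Shell on the 2010 server as a member of Organization Management.
# Server and host names below are assumptions, not values from the thread.
$server     = "EX2010"
$publicName = "webmail.mydomain.co.uk"
$sanNames   = @("webmail.mydomain.co.uk", "autodiscover.mydomain.co.uk", "ex2010.mydomain.local")

# 1. Generate the certificate request. Exchange 2010 returns the Base64 CSR as text;
#    -DomainName takes the Subject Alternative Names, so this is a SAN/UCC request.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=GB, o=My Company Ltd, cn=$publicName" `
    -DomainName $sanNames `
    -PrivateKeyExportable $true
Set-Content -Path "C:\certs\exchange2010.req" -Value $csr
# Submit C:\certs\exchange2010.req to the CA and save the issued certificate as C:\certs\exchange2010.cer.

# 2. Import the issued certificate (it pairs with the private key created in step 1) and bind it
#    to IIS (OWA, ActiveSync, Outlook Anywhere, Autodiscover) and SMTP. -Force suppresses the
#    prompt about replacing the default self-signed SMTP certificate.
$cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\certs\exchange2010.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP" -Force

# 3. KB 940726: point the internal client URLs at a name that is on the certificate. By default
#    domain-joined Outlook is handed https://ex2010.mydomain.local/... via Autodiscover and warns
#    that the name does not match the certificate.
Set-ClientAccessServer -Identity $server `
    -AutodiscoverServiceInternalUri "https://$publicName/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$publicName/ews/exchange.asmx"
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$publicName/oab"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$publicName/Microsoft-Server-ActiveSync"

# 4. Outlook Anywhere (RPC over HTTPS) is off by default on Exchange 2010; remote Outlook
#    cannot connect until it is enabled with the public host name.
Enable-OutlookAnywhere -Server $server -ExternalHostname $publicName `
    -ClientAuthenticationMethod Basic -SSLOffloading $false

# 5. Check what is bound: Services should list IIS and SMTP, CertificateDomains all three names.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, NotAfter, IsSelfSigned
```

Two practitioner checks: if the CA will not include the internal .local name (public CAs stopped issuing internal names in 2015), leave it out of step 1 and rely on step 3, which makes internal clients use the public name anyway. If mobile devices still refuse to connect after the new certificate is bound, confirm the CA's intermediate certificate is installed in the server's Intermediate Certification Authorities store, since phones rarely fetch a missing chain themselves.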
 
Mad_Lenny (Author) commented:
Mobiles done, inbound/outbound mail done; time for a victory whisky, then snooze. 4 days/nights and one extremely p*****d off (but understanding) girlfriend later, it is done. Will be glad when we can finally shift all this onto the cloud.

"if you're reading this....you are the resistance!"
Glen Knight commented:
Good work! Now go and spend some time with your girlfriend!!