

Exchange 1024 SSL update to 2048  EV SSL OWA

Posted on 2011-04-22
Medium Priority
Last Modified: 2012-05-11
We have Exchange 2003 Enterprise. I am upgrading the SSL cert for our default website in IIS 6. The current SSL certificate is 1024 bit. In order to renew with a 2048 bit using the same common name, friendly name, web site, etc., Microsoft recommends creating a temp site, processing the request and installing the certificate, then removing and replacing it in the default site (primary Exchange services).

This all sounds good but does it work? I want to minimise downtime.

Are there any other considerations, i.e. devices or browsers which will not support 2048 bit SSL?

Thanks in advance
Question by:BerryGardens

Expert Comment

ID: 35451424
This is the only solution to minimize the down time.

As removal of the cert and adding a new one will take 30 seconds at most.

If you want to minimize that, go to the Exchange virtual directory and uncheck "SSL Required" > do iisreset.

After installing and doing all the changes, check "SSL Required" > do iisreset.

But the second option will take almost the same downtime as the first one.

Author Comment

ID: 35452473
Won't this expose mail while SSL is unchecked?

Expert Comment

ID: 35453192
Ya, agreed. As I mentioned in my first comment, the best thing that you can do is what Microsoft recommended you to do. That will have minimum downtime.


Author Comment

ID: 35453436
I agree it sounds sensible to the letter (guaranteed way of fully testing the SSL prior to expiry), but I'm experienced enough to know this isn't always a wise choice, hence sites like experts exchange exchange org :) Have you done this successfully in live? Because another consideration is the time it takes to process a new request, upload it to a third party CA and wait for it to be approved and sent back. 5 mins +. Advice not worthy of the points, sorry, but at least you agree.

Accepted Solution

praveenkumare_sp earned 2000 total points
ID: 35458058
I have done this in production :)

I created a 2nd website, created the request file, gave it to the third party CA and when it got processed I downloaded it (all this time my primary website that has Exchange running was not disturbed at all).

Once I got the certificate, I went to the website that has Exchange, removed it, and added the new certificate.
(The BEST thing is that you don't need to do IISRESET, so your clients will not be disconnected.)
This took me a max of 30 seconds; you just need to click next, next, finish.

TIP: YOU CAN practice the removal and addition of the new certificate in the new website that you created before doing it on production, to familiarize yourself with the GUI.

Author Comment

ID: 35458279
Well answered. I did the same yesterday in test. I'll give it a go. Thanks for all the comments.

Expert Comment

ID: 35458850
You're welcome, Berry :)
