
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 364

Domain SSL certificate Replacement

Hello Experts,

We currently have a UCC SSL certificate purchased from GoDaddy,
and we want to change the SSL certificate to a wildcard.
My questions are as follows:

1. What is the best practice for demolishing the current cert and creating the new wildcard one?
2. What to do with the implications on Exchange and ActiveSync sync while without an SSL certificate?
3. How to verify that the new * SSL will be able to work with multiple private keys, which means different servers? Please check also if there's a private-keys/servers limitation.
I would be glad if you can assist me on this issue.
Thank you.
1 Solution
Jaroslav Mraz, CTO, commented:
To better know how a certificate works, we must start from the end.

How would you know that this will work? You must know that a wildcard certificate has only ONE PRIVATE KEY; it just has more DNS names inside it. So if you want this working you must have, for every wildcard name, A-grade DNS to your server and import the certificate inside every IIS instance.

You can also do one thing: if you have more domains you can buy a certificate for your own Microsoft Certification Authority, and you can then make any certificate and all of them will be trusted, because the ROOT CA signs your CA and then you are safe.
Read more here: http://www.davidpashley.com/articles/cert-authority.html

Best practice is to make a new certificate on the authority, then use the replace function on every service; for example in IIS it is "import new certificate" and then activate it. After you replace the certificate on every service you go to the management panel of the CA and revoke your certificate (revoking is "don't trust this cert any more") and it's the same as destruction, because it can't be used anywhere.

I have been using a wildcard cert from Entrust with no problem for our Exchange environment and also our NPS for wireless authentication.

This is what I've done; other experts might have a better way:

1. Before disposing of the old cert, install the new cert first and then remove the old one.

2. I used this page to help me set up the Exchange server, but I believe you do know how to do it: http://msmvps.com/blogs/nunoluz/archive/2008/04/09/step-by-step-adding-ssl-certificate-to-exchange-server-and-windows-mobile-devices.aspx

I did get into a problem with it, as the private key was not exportable. So you need to make sure the private key used to generate the CSR is exportable, else you have to go the long way, which might end up with the cert not being deployable.

3. The wildcard cert works differently, but if you have the private key exportable then it makes your life easier. You can navigate to our OWA Exchange sites, https://mail1.usm.my and https://mail2.usm.my; you will notice we are using a wildcard cert. I am not able to show you the use on NPS because it is between the Wireless Controller and the NPS server only.

I went through difficulties to make it happen, as advice to myself too. Next time, I will make sure the private key is marked exportable before creating the CSR. Then deploy the cert received from the CA to the server and then export a *.pfx file with the private key included. After that everything will be easy.
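A worked version of the procedure the two answers describe (one private key marked exportable at CSR time, one PFX copied to every server, then a check of which hostnames the wildcard certificate actually covers), written here as an added PowerShell example; it is not code from the thread or from the linked guides. The `*.example.com` name, the `C:\certs` paths, the PFX password prompt and the Exchange service list are assumptions for illustration; `certreq`, `Export-PfxCertificate`, `Import-PfxCertificate` and `Enable-ExchangeCertificate` are the standard Windows and Exchange tools. Run it in an elevated session, since the key lives in the machine store.

```powershell
# Added example (not from the original thread). Names, paths and the service
# list are assumptions; adjust them to your environment.

# --- Step 1 (first server only): CSR whose private key is marked Exportable ---
$inf = @"
[NewRequest]
Subject = "CN=*.example.com, O=Example Org, C=US"
KeyLength = 2048
KeyAlgorithm = RSA
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = SHA256
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=*.example.com&"
_continue_ = "dns=example.com&"
"@
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
Set-Content -Path C:\certs\wildcard.inf -Value $inf -Encoding ASCII
certreq.exe -new C:\certs\wildcard.inf C:\certs\wildcard.csr
# Submit wildcard.csr to the CA, save the issued certificate as C:\certs\wildcard.cer,
# then bind it to the pending private key in the machine store:
certreq.exe -accept C:\certs\wildcard.cer

# --- Step 2: find the issued cert (with its key) and export it as a PFX ---
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match '^CN=\*\.example\.com' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Wildcard certificate with a private key not found in LocalMachine\My' }
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath C:\certs\wildcard.pfx `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# --- Step 3 (every other server): import the same PFX, keep the key exportable ---
# Import-PfxCertificate -FilePath C:\certs\wildcard.pfx -CertStoreLocation Cert:\LocalMachine\My `
#     -Password $pfxPassword -Exportable
# On Exchange, enable the new cert for its services BEFORE removing the old one:
# Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP

# --- Step 4: which hostnames does this certificate cover? ---
# Wildcard rule (RFC 6125): "*" stands for exactly one leftmost DNS label, so
# *.example.com covers mail1.example.com but not example.com or a.b.example.com.
function Test-CertCoversHost {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$HostName
    )
    $names = @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    foreach ($n in $names) {
        if ($n -ieq $HostName) { return $true }              # exact SAN entry
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                          # ".example.com"
            if (-not $HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { continue }
            $prefix = $HostName.Substring(0, $HostName.Length - $suffix.Length)
            if ($prefix.Length -gt 0 -and -not $prefix.Contains('.')) { return $true }
        }
    }
    return $false
}

# Check every service name you intend to put behind the certificate.
foreach ($h in 'mail1.example.com', 'mail2.example.com', 'example.com', 'owa.sub.example.com') {
    '{0,-24} covered: {1}' -f $h, (Test-CertCoversHost -Certificate $cert -HostName $h)
}
```

The `Exportable = TRUE` line in the INF is the step the second answer says they missed; without it the machine store refuses to release the key and the PFX export in step 2 fails, so the certificate cannot be copied to the other servers. The step 4 check is worth running against the real hostnames (Outlook Anywhere, ActiveSync, autodiscover) before the old certificate is revoked, because a name one label deeper than the wildcard is not covered and clients will see a name mismatch.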
