  • Status: Solved

Cleaning up self signed SSL's in SBS 2011

I've purchased and installed a SAN SSL cert, which includes the external FQDN, external autodiscover, internal FQDN, internal netbios name, and internal autodiscover.

It's installed and assigned for IMAP, POP, IIS, and SMTP, simply since those were the default services the self signed one from the install was assigned to.

Default install left me with six SSL certs before purchasing a third party one, and I assume the ones it generated for the subject names I've replaced with a valid third party cert can be deleted, but there are a couple I want to double check about since I'm assuming I need to just leave them in place since they appear to be other system level ones not associated with any normal subject name.

One is self signed with the internal local FQDN of the server, but also has a SAN showing "Other name" DS Object GUID=<long string> as well as that internal FQDN and was assigned SMTP only.

One is a subject "Sites" with a SAN showing DNS name sites, and a DNS name of the internal FQDN.  Assigned SMTP only.

One is a subject name that has the "internal netbios name of the domain - internal netbios name of the server - CA" and has no subject alternate names.  No services are assigned to this.

Last one in question the subject is "CN = WMSvc=WIN-<11 digit string>" with no SAN and no services assigned to it.

The main one that was assigned the same services as my purchased SSL I already removed as it was just the normal names which I was replacing, but these other ones I didn't want to touch until I knew what functions they served.  I don't mind leaving things on the server since it's working, but if any of these can be removed now that we have the SAN SSL, I'd like to do so simply to keep them from throwing nags in the logs when they expire in a year or two.

Thanks for any information.




 
Asked by: networkspecialists
1 Solution
 
Rob Williams Commented:
If you ever re-run the "configure my internet address wizard" it will re-generate self signed certificates. There is no need to remove these. As for removing all internal certificates, that can be very risky; some are used internally "behind the scenes".
networkspecialists (Author) Commented:
I'm aware of this, I'm just trying to find out which are the ones that are required for behind the scenes - I would like to remove the self signed ones that I essentially replaced with the purchased third party cert.  That's why I posed the question as I did - trying to find out which ones are not needed if I've got the third party cert so that I don't have errors nagging the event logs in a year or two when the unused self signed ones expire.  Would rather proactively remove what is *not needed* and just let the 3 year SAN cert handle what it can.
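An added example, not part of the original thread: a read-only PowerShell inventory of the server's machine certificate store, showing for each certificate the details the question walks through (subject, SAN, self-signed or not, expiry, and which Exchange services it is assigned to). It assumes an elevated Exchange Management Shell on the SBS 2011 server, and it removes nothing.

```powershell
# Added example: read-only inventory of Cert:\LocalMachine\My. Deletes nothing.
# Assumption: run from an elevated Exchange Management Shell on the SBS 2011
# server, so that Get-ExchangeCertificate is available.

# Thumbprint -> services Exchange has assigned (IMAP, POP, IIS, SMTP, or None).
$exchangeServices = @{}
Get-ExchangeCertificate | ForEach-Object {
    $exchangeServices[$_.Thumbprint] = $_.Services
}

$now = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Subject Alternative Name extension (OID 2.5.29.17), if present.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

    # Certificates Exchange does not list are reported as such, not as unused:
    # another component may still rely on them.
    $services = if ($exchangeServices.ContainsKey($cert.Thumbprint)) {
        $exchangeServices[$cert.Thumbprint]
    } else {
        'not listed by Exchange'
    }

    New-Object PSObject -Property @{
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        SelfSigned       = ($cert.Subject -eq $cert.Issuer)  # heuristic only
        SAN              = $san
        NotAfter         = $cert.NotAfter
        DaysLeft         = ($cert.NotAfter - $now).Days
        ExchangeServices = $services
        Thumbprint       = $cert.Thumbprint
    }
} | Sort-Object NotAfter |
    Select-Object Subject, Issuer, SelfSigned, SAN, NotAfter, DaysLeft,
                  ExchangeServices, Thumbprint |
    Format-List
```

Saving this output before and after any change gives a record of thumbprints and service assignments to compare against if something stops working.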