Solved

SSL Cert for multiple CAS

Posted on 2012-08-16
Last Modified: 2012-08-20
I am upgrading an Exchange 2003 environment to 2010. What I currently have is:

2 CAS/HT Servers - HUBCAS-01.domain.local; HUBAS-02.domain.local
1 Mailbox Server - MBX-01.domain.local

I have created a CAS array by using  New-ClientAccessArray -Fqdn "outlook.domain.local" -Site "Default Site". I have also created a DNS A record that points to a VIP of a hardware load balancer we will be installing.

From HUBCAS-01, I issued a cert request using:

Set-Content -path ".\webmail_company_com.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=TX, l=Austin, o=Company Inc., cn=webmail.company.com" -DomainName autodiscover.company.com -PrivateKeyExportable $True)

After downloading my certificate, I logged into HUBCAS-01, went into MMC and imported the intermediate certificate, and then from EMC, right-clicked the certificate and selected "Complete Pending Request" and selected my new certificate. I then assigned SMTP and IIS services to the certificate.

My question is, how do I get that same certificate into HUBCAS-02, since I did not generate that certificate from that server? And how does that work with the CAS Array?
Question by:Chuck Cobern
9 Comments

Expert Comment

by:millardjk
ID: 38302346
On the server from which you generated the cert, you must export the cert including the private key. Once you have that file, it can be imported into the private machine store on the second machine.

Author Comment

by:Chuck Cobern
ID: 38302381
Would using the example at the bottom of this article be the correct way?

http://technet.microsoft.com/en-us/library/aa996305.aspx

Expert Comment

by:millardjk
ID: 38302416
That looks like a valid PS method.
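Putting millardjk's answer and the TechNet Import-ExchangeCertificate example together, here is an added example (my own, not posted in the thread) of the whole export, import, verify and enable sequence, run in the Exchange Management Shell on HUBCAS-01. Server names follow the question; the C:\Certs folder, the PFX file name, and use of the -Server parameter on the certificate cmdlets (Exchange 2010 SP1 or later; on SP0 run each step locally on the server concerned) are assumptions. The PFX file is the private key in portable form, so it gets a prompted one-off password, an admin-only folder, and is deleted once the second server holds the key.

```powershell
# Added example (not from the thread): copy the completed certificate from the CAS that
# generated the request to the second CAS, verify it, then bind IIS and SMTP to it.
# Run in the Exchange Management Shell on HUBCAS-01.

$SourceServer = 'HUBCAS-01'
$TargetServer = 'HUBCAS-02'
$PfxPath      = 'C:\Certs\webmail_company_com.pfx'   # assumed path; NTFS ACL restricted to admins

# 1. Find the completed certificate by the name Exchange knows it by, not by a guessed thumbprint.
#    Pending requests also show up in Get-ExchangeCertificate, so exclude them explicitly.
$cert = Get-ExchangeCertificate -Server $SourceServer |
    Where-Object {
        (($_.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }) -contains 'webmail.company.com') -and
        $_.HasPrivateKey -and $_.Status -ne 'PendingRequest'
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No completed certificate with a private key for webmail.company.com on $SourceServer" }

# 2. Export with the private key. The PFX is as sensitive as the key itself: strong password
#    typed at the prompt, never hard-coded in a script or left in shell history.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$export = Export-ExchangeCertificate -Server $SourceServer -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $PfxPath -Value $export.FileData -Encoding Byte

# 3. Import on the second CAS. Get-Content runs in this session, so the local path is read and
#    the bytes are handed to the cmdlet targeting HUBCAS-02. Leave the key non-exportable there:
#    one server keeps the exportable copy, the other can only use it.
Import-ExchangeCertificate -Server $TargetServer `
    -FileData ([Byte[]]$(Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)) `
    -Password $pfxPassword -PrivateKeyExportable $false | Out-Null

# 4. Verify before enabling anything: same thumbprint on both servers, private key present,
#    and Exchange rates the chain Valid (Untrusted means the intermediate CA certificate
#    was not also installed on the target, the step the question did by hand on HUBCAS-01).
$copy = Get-ExchangeCertificate -Server $TargetServer -Thumbprint $cert.Thumbprint
if ($copy.Thumbprint -ne $cert.Thumbprint) { throw 'Thumbprint mismatch after import' }
if (-not $copy.HasPrivateKey)              { throw "Private key missing on $TargetServer" }
if ($copy.Status -ne 'Valid')              { throw "Certificate status on $TargetServer is $($copy.Status); install the intermediate CA certificate there first" }

# 5. Bind the same services the first CAS uses. -Force suppresses the prompt about
#    replacing the certificate currently used for SMTP.
Enable-ExchangeCertificate -Server $TargetServer -Thumbprint $copy.Thumbprint -Services IIS,SMTP -Force

# 6. Both machine stores now hold the key; the file copy has no further purpose.
Remove-Item -Path $PfxPath -Force
```

Step 4 is the part worth keeping even if you do the export and import through the MMC instead: a certificate that imports cleanly but reports Untrusted on the second server will pass every GUI step and still make Outlook prompt, and the check is cheaper than finding that out from users.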

Expert Comment

by:Exchange_Geek
ID: 38303004
My friend, you've issued the wrong cmdlet.

Here is what you wrote, and mentioned below is the corrected entry:

Set-Content -path ".\webmail_company_com.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=TX, l=Austin, o=Company Inc., cn=webmail.company.com" -DomainName autodiscover.company.com -PrivateKeyExportable $True)

Set-Content -path ".\webmail_company_com.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=TX, l=Austin, o=Company Inc., cn=webmail.company.com" -DomainName autodiscover.company.com, webmail.company.com, CAS NETBIOS NAME, CAS FQDN -PrivateKeyExportable $True)

Understand that if you do not add these names to the cert, you would receive a security alert while working in OL, because your server name is essential along with your webmail FQDN.

Regards,
Exchange_Geek

Expert Comment

by:suriyaehnop
ID: 38303219
Importing and Enabling the SAN SSL certificate on the Second Client Access Server in the NLB Cluster

To import the SAN certificate on the second Client Access server in the NLB cluster, we first need to export it from the first Client Access server. When doing so, we need to make sure we export the certificate with its private key. This is done by opening the Certificates snap-in. To open the Certificates snap-in, click Start > Run and type mmc.exe to first open an empty MMC window. Now click File > Add/Remove Snap-in > Add > Select Certificates > Click Add > Select Computer Account > Click Next > Finish > Close and finally OK. Expand Certificates (Local Computer) > Personal, then right-click on the certificate that should be exported. On the context menu that appears, select All Tasks


http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27831516.html

Author Comment

by:Chuck Cobern
ID: 38303259
Thank you, Exchange_Geek. By CAS NetBIOS name and CAS FQDN, do you mean those of the two CAS servers or of the CAS array (outlook.domain.com), or both?

I'm assuming at this point I would need to revoke that certificate and then regenerate it with all the proper SANs, import it into the first CAS, then export it via one of the methods outlined above?

Accepted Solution

by: Exchange_Geek (earned 2000 total points)
ID: 38303974
Why not create a CAS Array and associate the cert that'll include the Array name in it?

OR, if you want both boxes without high availability, include in the SAN both CAS boxes' FQDN and NETBIOS names, along with an SRV record for _autodiscover._tcp.domain.com pointing to the webmail address, plus webmail.domain.com pointing to one of the CAS servers.

That's it. Now, if you do not use one of the options above, let me explain the consequences to you.

You look towards having two separate servers and not a CAS array; that'll be dicey, and let me explain why.

The easy way out is to have each server associated with its own CAS box, and have each CAS box with the following cert SANs:

autodiscover.domain.com
webmail.domain.com
CAS NETBIOS
CAS FQDN

All would work well, because OL would be configured with the CAS server name, and there would be no errors whatsoever.

The problem would start when users are moved across to another server, or if the first CAS box goes down: you'll have to repoint the mailboxes to the second CAS server via DNS and the shell cmd RPCClientAccessServer. However, remember CAS2 would still hold a cert that belongs to itself and not CAS1, hence OL would prompt with a security alert warning stating that the cert does not hold the FQDN of the respective server.

At this point, you'll have to re-issue a new cert that would then have the two CAS FQDNs plus NETBIOS names, which would solve your problem eventually, and by this time you would have been cursing the Exchange Product team to the core :)

Regards,
Exchange_Geek
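To know before the users do which names the certificate is short of, here is an added example script (my own, not from the thread) that collects every host name the two CAS servers hand to clients: the CAS array FQDN and each database's RpcClientAccessServer (the RPC endpoint the accepted answer wants on the cert), the internal Autodiscover URI, the EWS, OAB, OWA, ECP and ActiveSync URLs, and the Outlook Anywhere host name. It then checks each against the SANs of the certificate actually bound to IIS on that server, wildcard SANs included. Server names are the thread's; everything else is read from the live configuration, so it runs unchanged against any Exchange 2010 organisation, and it generalises the thread's fixed four-name list to whatever URLs the virtual directories really carry.

```powershell
# Added example (not from the thread): report, per CAS, which client-facing host names are
# covered by the IIS certificate and which are MISSING. Run in the Exchange Management Shell.

$CasServers = 'HUBCAS-01', 'HUBCAS-02'   # the thread's servers; adjust for your organisation

function Get-HostFromUri([string]$Value) {
    # Accepts an absolute URL or a bare host name; returns the lower-case host, or $null if empty.
    if ([string]::IsNullOrEmpty($Value)) { return $null }
    $uri = $null
    if ([System.Uri]::TryCreate($Value, [System.UriKind]::Absolute, [ref]$uri)) { return $uri.Host.ToLower() }
    return $Value.ToLower()
}

function Test-NameCovered([string]$Name, [string[]]$CertDomains) {
    # Exact SAN match, or a wildcard SAN (*.example.com) whose parent equals the name's parent.
    foreach ($d in $CertDomains) {
        if ($d -eq $Name) { return $true }
        if ($d.StartsWith('*.') -and $Name.Contains('.') -and
            $Name.Substring($Name.IndexOf('.') + 1) -eq $d.Substring(2)) { return $true }
    }
    return $false
}

# Names common to every CAS: the RPC endpoint Outlook profiles are built with.
$needed = @{}
Get-ClientAccessArray | ForEach-Object { $needed[$_.Fqdn.ToLower()] = 'ClientAccessArray' }
Get-MailboxDatabase | Where-Object { $_.RpcClientAccessServer } |
    ForEach-Object { $needed[$_.RpcClientAccessServer.ToString().ToLower()] = 'RpcClientAccessServer' }

foreach ($srv in $CasServers) {
    $names = @{} + $needed   # fresh copy per server

    $cas = Get-ClientAccessServer -Identity $srv
    $h = Get-HostFromUri $cas.AutoDiscoverServiceInternalUri
    if ($h) { $names[$h] = 'AutoDiscoverServiceInternalUri' }

    # HTTPS URLs that Autodiscover hands to Outlook and mobile clients for this server.
    $vdirs = @(Get-WebServicesVirtualDirectory -Server $srv) +
             @(Get-OabVirtualDirectory -Server $srv) +
             @(Get-OwaVirtualDirectory -Server $srv) +
             @(Get-EcpVirtualDirectory -Server $srv) +
             @(Get-ActiveSyncVirtualDirectory -Server $srv)
    foreach ($v in $vdirs) {
        foreach ($u in @($v.InternalUrl, $v.ExternalUrl)) {
            $h = Get-HostFromUri $u
            if ($h) { $names[$h] = $v.Name }
        }
    }

    $oa = Get-OutlookAnywhere -Server $srv
    if ($oa -and $oa.ExternalHostname) { $names[$oa.ExternalHostname.ToString().ToLower()] = 'OutlookAnywhere' }

    # The certificate IIS on this server actually presents.
    $iisCert = Get-ExchangeCertificate -Server $srv | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    if (-not $iisCert) { Write-Warning "$srv : no certificate bound to IIS"; continue }
    $domains = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

    "$srv : IIS certificate $($iisCert.Thumbprint) covers $($domains -join ', ')"
    foreach ($n in ($names.Keys | Sort-Object)) {
        $ok = Test-NameCovered -Name $n -CertDomains $domains
        "  {0,-8} {1,-40} ({2})" -f $(if ($ok) { 'OK' } else { 'MISSING' }), $n, $names[$n]
    }
}
```

Run it once before submitting the new request and once after the certificate is bound on both servers; any line still reading MISSING is a name Outlook will be given and will warn about. One caveat for anyone reading this thread today: names such as outlook or outlook.company.local in the SAN list were acceptable to public CAs in 2012, but the CA/Browser Forum Baseline Requirements ended public issuance for internal and single-label names in 2015, so the present-day fix for a MISSING internal name is to move that endpoint into the public namespace (split DNS) rather than onto the certificate.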

Author Comment

by:Chuck Cobern
ID: 38305670
So if my CAS Array is outlook.domain.com, I would revoke the existing certificate and issue another one with the following:

Set-Content -path ".\webmail_company_com.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=TX, l=Austin, o=Company Inc., cn=webmail.company.com" -DomainName webmail.company.com, autodiscover.company.com, outlook, outlook.company.local -PrivateKeyExportable $True)

I would need to import this certificate into CAS1, then export it with its private key and import into CAS2. Correct?

Expert Comment

by:Exchange_Geek
ID: 38306791
Perfect.

Regards,
Exchange_Geek