Chuck Cobern
asked on
SSL Cert for multiple CAS
I am upgrading an Exchange 2003 environment to 2010. What I currently have is:
2 CAS/HT Servers - HUBCAS-01.domain.local; HUBCAS-02.domain.local
1 Mailbox Server - MBX-01.domain.local
I have created a CAS array by using New-ClientAccessArray -Fqdn "outlook.domain.local" -Site "Default Site". I have also created a DNS A record that points to a VIP of a hardware load balancer we will be installing.
From HUBCAS-01, I issued a cert request using:
Set-Content -path ".\webmail_company_com.txt " -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=TX, l=Austin, o=Company Inc., cn=webmail.company.com" -DomainName autodiscover.company.com -PrivateKeyExportable $True)
After downloading my certificate, I logged into HUBCAS-01, went into MMC and imported the intermediate certificate, and then from EMC, right-clicked the certificate and selected "Complete Pending Request" and selected my new certificate. I then assigned SMTP and IIS services to the certificate.
My question is, how do I get that same certificate into HUBCAS-02, since I did not generate that certificate from that server? And how does that work with the CAS Array?
On the server from which you generated the cert, you must export the cert including the private key. Once you have that file, it can be imported into the private machine store on the second machine.
ASKER
Would using the example at the bottom of this article be the correct way?
http://technet.microsoft.com/en-us/library/aa996305.aspx
That looks like a valid PS method.
My friend, you've issued the wrong cmdlet.
Here is what you wrote, and below it is the corrected entry:
Set-Content -path ".\webmail_company_com.txt " -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=TX, l=Austin, o=Company Inc., cn=webmail.company.com" -DomainName autodiscover.company.com -PrivateKeyExportable $True)
Set-Content -path ".\webmail_company_com.txt " -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=TX, l=Austin, o=Company Inc., cn=webmail.company.com" -DomainName autodiscover.company.com, webmail.company.com, CAS NETBIOS NAME, CAS FQDN -PrivateKeyExportable $True)
Understand that if you do not add these names to the cert, you will receive a security alert while working in OL, because your server name is essential along with your webmail FQDN.
Regards,
Exchange_Geek
Importing and Enabling the SAN SSL certificate on the Second Client Access Server in the NLB Cluster
To import the SAN certificate on the second Client Access server in the NLB cluster, we first need to export it from the first Client Access server. When doing so, we need to make sure we export the certificate with its private key. This is done by opening the Certificates snap-in. To open the Certificates snap-in, click Start > Run and type mmc.exe to first open an empty MMC window. Now click File > Add/Remove Snap-in > Add > Select Certificates > Click Add > Select Computer Account > Click Next > Finish > Close and finally OK. Expand Certificates (Local Computer) > Personal, then right-click on the certificate that should be exported. On the context menu that appears, select All Tasks
ASKER
Thank you, Exchange_Geek. By CAS NetBIOS name and CAS FQDN, do you mean those of the two CAS servers, of the CAS array (outlook.domain.com), or both?
I'm assuming at this point I would need to revoke that certificate and then regenerate it with all the proper SANs, import it into the first CAS, then export it via one of the methods outlined above?
ASKER
So if my CAS Array is outlook.domain.com, I would revoke the existing certificate and issue another one with the following:
Set-Content -path ".\webmail_company_com.txt " -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=TX, l=Austin, o=Company Inc., cn=webmail.company.com" -DomainName webmail.company.com, autodiscover.company.com, outlook, outlook.company.local -PrivateKeyExportable $True)
I would need to import this certificate into CAS1, then export it with its private key and import into CAS2. Correct?
Perfect.
Regards,
Exchange_Geek
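Putting the first answer's "export with the private key, then import on the second machine" step together with the asker's final plan, here is a worked Exchange 2010 Management Shell script. It is an added example, not code posted in this thread and not Microsoft's own sample; the PFX path, the password prompt, the $requiredNames list and all variable names are my assumptions, while the server names and the CAS array FQDN come from the question. It uses the Exchange 2010 cmdlets Get-ExchangeCertificate, Export-ExchangeCertificate, Import-ExchangeCertificate and Enable-ExchangeCertificate, and it checks the certificate's names before copying it, so a certificate that would still trigger Outlook's name-mismatch alert is caught before it is installed on both servers.

```powershell
# Added example (not from the thread): copy the SAN certificate from HUBCAS-01 to
# HUBCAS-02 and confirm it carries every name the CAS array needs.
# Run from the Exchange 2010 Management Shell on HUBCAS-01.

$sourceServer = "HUBCAS-01"
$targetServer = "HUBCAS-02"
$subjectCn    = "CN=webmail.company.com"
$pfxPath      = "C:\certs\webmail_company_com.pfx"   # assumed local path; holds the private key

# Names the thread says must be on the certificate: the public names, the CAS array
# FQDN (what Outlook actually connects to), and each CAS NetBIOS name and FQDN.
$requiredNames = @(
    "webmail.company.com", "autodiscover.company.com",
    "outlook.domain.local",
    "HUBCAS-01", "HUBCAS-01.domain.local",
    "HUBCAS-02", "HUBCAS-02.domain.local"
)

# 1. Locate the completed certificate on the source server; it must have a private key,
#    otherwise the request was never completed (or was generated without -PrivateKeyExportable).
$cert = Get-ExchangeCertificate -Server $sourceServer |
        Where-Object { $_.Subject -like "*$subjectCn*" -and $_.HasPrivateKey }
if (-not $cert) {
    throw "No certificate with an exportable private key for $subjectCn found on $sourceServer"
}

# 2. Check the Subject/SAN list before distributing the certificate. A missing name means
#    a new request is needed; copying the certificate to CAS2 will not fix that.
$missing = $requiredNames | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) {
    throw "Certificate $($cert.Thumbprint) is missing: $($missing -join ', '). Reissue the request."
}

# 3. Export as a password-protected PFX (certificate plus private key).
$pfxPassword = Read-Host "Password to protect the PFX" -AsSecureString
$export = Export-ExchangeCertificate -Server $sourceServer -Thumbprint $cert.Thumbprint `
              -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte

# 4. Import the PFX into the second CAS's machine store. -Server lets this run remotely
#    from CAS1; the file bytes are read here and sent with the cmdlet.
$pfxBytes = [Byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)
Import-ExchangeCertificate -Server $targetServer -FileData $pfxBytes `
    -Password $pfxPassword -PrivateKeyExportable $true | Out-Null

# 5. Bind the same services on CAS2 that were bound on CAS1.
Enable-ExchangeCertificate -Server $targetServer -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 6. Verify both servers now present the same thumbprint with the expected services.
foreach ($server in $sourceServer, $targetServer) {
    $installed = Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint
    "{0}: {1} services={2}" -f $server, $installed.Thumbprint, $installed.Services
}

# 7. The PFX is a copy of the private key; remove it once the import has been verified.
Remove-Item -Path $pfxPath -Force
```

The thumbprint check in step 6 is the quick way to confirm the two CAS servers are interchangeable behind the load balancer: because the CAS array name resolves to the VIP, whichever server answers must present a certificate whose names cover outlook.domain.local, and both must present the same one. If step 2 reports missing names, the fix is a new request with the full -DomainName list (as in the corrected cmdlet above) and a fresh completion on CAS1, then this same export/import pass.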