Yashy (United Kingdom) asked:

Exchange 2010 certificate expired. Shall I recreate one in Exchange or buy one?

hi guys

the Exchange 2010 certificate on our server has expired. I'm looking into sorting this out, however it is urgent.

The company is big, but I don't know if they bought the certificate or created in Exchange itself? Does it make a difference?

Shall I just follow commands to recreate the thumbprint for later expiration or should I purchase one?

Thank you
Yash
coolsport00 (United States):

If 2010 mirrors 2007 for certs, you should generate one in the Shell to submit to a trusted 3rd party. That is MS's best practice (not to use default cert). It's not too bad. I'm no cert wizard by any means & was able to pull it off :)

Regards,
~coolsport00
Stelian Stan:
You need to buy a new certificate from a provider such as https://www.securepaynet.net/ssl/ssl-certificates.aspx?ci=53341&prog_id=417826/

To generate the CSR use the wizard from Exchange Management Console. You will need at least two names in the certificate - mail.domain.com and autodiscover.domain.com. For the names just check your actual certificate.
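Added example, not from any post in this thread: the same request can be generated from the Exchange Management Shell with New-ExchangeCertificate, which is what the first reply means by "generate one in the Shell". The organisation, server and domain names below are placeholders; the two SAN entries are the ones the answer above says are the minimum.

```powershell
# Added example (not from the thread): build the certificate request from the
# Exchange Management Shell instead of the EMC wizard. Organisation and domain
# names are placeholders; replace them with your own.
$subject  = "C=GB, O=Example Ltd, CN=mail.example.com"
$sanNames = @("mail.example.com", "autodiscover.example.com")

# Generate the request. The private key is created and kept on this server,
# so the certificate the CA returns must be imported on this same server.
# PrivateKeyExportable lets you copy the finished certificate to other
# servers in the group later (the "share the certificate" case below).
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName $subject `
    -DomainName $sanNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName "mail.example.com (renewal)"

# Write the Base64 request out for pasting into the CA's order form.
Set-Content -Path "C:\certs\mail-example-com.req" -Value $csr -Encoding Ascii
```

The request file is what the CA asks for; nothing secret leaves the server, because the private key stays in the local machine store and only the public half is in the .req file.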
Yashy (ASKER):

How do I find out what sort of certificate has already been installed? How do I find out the name of the certificate and all of the options selected etc. for the certificate and all of the names given to it? I don't want to mess it up. I merely want to renew it using precisely the same configuration as before.
ASKER CERTIFIED SOLUTION by Jim Millard (United States); answer not shown on this page.
SOLUTION (second answer, not shown on this page).
Yashy (ASKER):

I've just viewed the certificate and it was issued by a company called 'Entrust'. I tried going through Comodo and they said 'You should get it renewed by the same provider'.

Is this true? Can I not just renew this with a new provider if I can't do it through the previously used provider?
You should be able to change the provider.
There's no technical reason you can't renew; they might prefer that the CSR be generated as a new request instead of a renewal, but that's process, not technical.
There is a non-technical side to it; some folks consider a site jumping from one CA to another as a sign of either instability or possible compromise. For your problem, it shouldn't matter: you're doing this for your local users to have a secure connection (presumably to mobile devices).
Yashy (ASKER):

Okay, well now that I'm about to create a new certificate, I'm a little stuck as to what to choose when I get to the section for Hub Transport, Unified Messaging Server and the Legacy Exchange server.

How can I tell if previously, these options were selected or not?
The wizard is trying to determine if you need more "Subject Alternative Name" entries in addition to the typical mail.domain.com and autodiscover.domain.com.

If you don't have unified messaging, leave it unchecked. If you don't have an old Exchange 2003 server hanging around, leave Legacy unchecked.

If all 3 "regular" roles are assigned to the one server (Client Access, Hub Transport, Mailbox) then check Hub Transport.

If they aren't but you plan to share the certificate among other servers in the group—eg, Hub Transport is on a different server, but you don't intend to buy another cert for it—check Hub Transport.
Yashy (ASKER):

We have an old Exchange 2000 system in coexistence. So I'm assuming that I have to select Legacy?

But when I looked up the DNS names of the current certificate, there was no Legacy ones in there.
"legacy.mydomain.com" isn't a requirement, but does help with certain types of redirection. If the old cert doesn't have it, then you will probably be fine.
Yashy (ASKER):

I'm about to buy the certificate, but before I do I want to double check some things.

For example, I didn't know if we are using for the Hub Transport something called 'Mutual TLS'. So I went into our Exchange and selected the Hub Transport. I right clicked on all of the clients set up in there and went to Properties->Authentication. The mutual TLS for domain security was unchecked. So from that, I realised I don't need this particular part of the certificate. This method was correct, right?
Yashy (ASKER):

Basically, I'm sometimes confused as to which parts to select and which not whilst in the wizard in Exchange.

Is there a way I can make it precisely as the previous certificate by looking somewhere? Is there somewhere that shows 'Mutual TLS' was selected before and the same goes for the rest. There must be somewhere I can find this information to just duplicate the same settings without worrying if I have missed out something?
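Added example, not from any post in this thread: the information the asker is looking for in this post and in the earlier "how do I find out what sort of certificate has already been installed" post is all on the existing certificate object. Get-ExchangeCertificate in the Exchange Management Shell shows who issued it (so whether it was bought or self-generated), the names on it, and which Exchange services it is bound to; the Services value is what tells you whether the old certificate was in use for SMTP, which is the Hub Transport part of the wizard. Nothing here is specific to the asker's environment.

```powershell
# Added example (not from the thread): read the names and service bindings
# off the currently installed certificates so the new request can copy them.
# For every certificate Exchange knows about in the local store this shows:
#  - Issuer / IsSelfSigned : bought from a CA, or generated by Exchange itself
#  - CertificateDomains    : the Subject Alternative Names (mail.*, autodiscover.*, ...)
#  - Services              : which Exchange services use it (IIS, SMTP, POP, IMAP, UM)
#  - NotBefore / NotAfter  : validity window; an expired cert has NotAfter in the past
Get-ExchangeCertificate |
    Sort-Object NotAfter -Descending |
    Format-List Thumbprint, Subject, Issuer, IsSelfSigned, CertificateDomains, Services, NotBefore, NotAfter

# Narrow it to the certificate that Outlook Web App, ActiveSync and Autodiscover
# are currently presenting (the one bound to IIS) and flag whether it has expired.
$iisCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
$iisCerts | ForEach-Object {
    $expired = $_.NotAfter -lt (Get-Date)
    "{0}  expired={1}  services={2}  names={3}" -f `
        $_.Thumbprint, $expired, $_.Services, ($_.CertificateDomains -join ",")
}
```

Services is a flags value, so a certificate used for both web access and mail transport shows "IIS, SMTP". That set, and the CertificateDomains list, are what to reproduce on the new request: the domain names go into the CSR, and the services are what you pass to Enable-ExchangeCertificate once the CA's certificate is imported.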
Yashy (ASKER):

I used the Digicert utility to do this. So much easier. However, now that I have purchased it I have a confirmation order but nothing sent to my mailbox with the new certificates. Does this usually take time?
Yes. It takes some time.
Yashy (ASKER):

I used this link:

http://www.digicert.com/util/ssl-certificate-renewal-using-digicert-utility-exchange-2010.htm

However, I used the Digicert file created and used another provider Comodo to order it. I'm assuming I can still use the certificate from Comodo and continue with it as shown in the link?
That should be good.
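Added example, not from any post in this thread: finishing the renewal once the CA returns the certificate, whichever CA issued it. The file path, server name and service list are placeholders. The one thing that does matter is where the import runs: the CSR's private key only exists on the server that generated the request, so the CA's reply has to be imported on that same server, otherwise you end up with a certificate that has no private key and cannot be bound to anything.

```powershell
# Added example (not from the thread): import the CA's reply and bind it to
# the same services the expired certificate served. Paths, server name and
# service list are placeholders.

# 1. Import the issued certificate (.cer or .p7b). -FileData takes the raw bytes.
#    Run this on the server where the CSR was generated (that is where the key is).
$imported = Import-ExchangeCertificate -Server "EXCH01" `
    -FileData ([Byte[]](Get-Content -Path "C:\certs\mail-example-com.cer" -Encoding Byte -ReadCount 0))

# 2. Check it before binding: it must have a private key, and the names and
#    issuer should be what you ordered.
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
if (-not $cert.HasPrivateKey) {
    throw "Certificate has no private key: import it on the server that generated the CSR"
}
$cert | Format-List Thumbprint, Issuer, CertificateDomains, NotBefore, NotAfter

# 3. Bind it to the services the old certificate was bound to (copy the Services
#    value shown by Get-ExchangeCertificate for the old cert). -Force skips the
#    prompt about replacing the current default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP" -Force

# 4. Confirm the bindings moved: the new thumbprint should now list the services,
#    and the expired certificate should show none of the ones you moved.
Get-ExchangeCertificate | Format-List Thumbprint, Services, NotAfter
```

After step 3 the expired certificate can be left in place until you have confirmed clients connect cleanly, then removed with Remove-ExchangeCertificate by thumbprint.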