Yashy
Exchange 2010 certificate expired. Shall I recreate one in Exchange or buy one?
Hi guys
The Exchange 2010 certificate on our server has expired. I'm looking into sorting this out, however it is urgent.
The company is big, but I don't know if they bought the certificate or created in Exchange itself? Does it make a difference?
Shall I just follow commands to recreate the thumbprint for later expiration or should I purchase one?
Thank you
Yash
You need to buy a new certificate from a provider such as https://www.securepaynet.net/ssl/ssl-certificates.aspx?ci=53341&prog_id=417826/
To generate the CSR use the wizard from Exchange Management Console. You will need at least two names in the certificate - mail.domain.com and autodiscover.domain.com. For the names just check your actual certificate.
ASKER
How do I find out what sort of certificate has already been installed? How do I find out the name of the certificate and all of the options selected etc. for the certificate and all of the names given to it? I don't want to mess it up. I merely want to renew it using precisely the same configurations as before.
ASKER
I've just viewed the certificate and it was issued by a company called 'Entrust'. I tried going through Comodo and they said 'You should get it renewed by the same provider'.
Is this true? Can I not just renew this with a new provider if I can't do it through the previously used provider?
You should be able to change the provider.
There's no technical reason you can't renew; they might prefer that the CSR be generated as a new request instead of a renewal, but that's process, not technical.
There is a non-technical side to it; some folks consider a site jumping from one CA to another as a sign of either instability or possible compromise. For your problem, it shouldn't matter: you're doing this for your local users to have a secure connection (presumably to mobile devices).
ASKER
Okay, well now that I am about to create a new certificate, I'm a little stuck as to what to choose when I get to the section for Hub Transport, Unified Messaging Server and the Legacy Exchange server.
How can I tell if previously, these options were selected or not?
The wizard is trying to determine if you need more "Subject Alternative Name" entries in addition to the typical mail.domain.com and autodiscover.domain.com.
If you don't have unified messaging, leave it unchecked. If you don't have an old Exchange 2003 server hanging around, leave Legacy unchecked.
If all 3 "regular" roles are assigned to the one server (Client Access, Hub Transport, Mailbox) then check Hub Transport.
If they aren't but you plan to share the certificate among other servers in the group—eg, Hub Transport is on a different server, but you don't intend to buy another cert for it—check Hub Transport.
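Added example, not part of any post in this thread: reading the issuer, self-signed flag, assigned services and full name list off the expired certificate in the Exchange Management Shell, then generating a request that carries the same subject and names. The thumbprint placeholder, the 2048-bit key size and the output path are assumptions to replace with your own values.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 server.

# 1. List every certificate Exchange knows about, oldest expiry first.
#    IsSelfSigned + Issuer show whether it was bought from a CA or created in Exchange;
#    Services shows what it is bound to (IIS, SMTP, POP, IMAP, UM);
#    CertificateDomains is the subject name plus every Subject Alternative Name.
Get-ExchangeCertificate |
    Sort-Object NotAfter |
    Format-List Thumbprint, Subject, Issuer, NotAfter, IsSelfSigned, Status, Services, CertificateDomains

# 2. Load the expired certificate by the thumbprint printed in step 1.
$oldThumbprint = '<THUMBPRINT-OF-EXPIRED-CERT>'   # placeholder, copy it from step 1
$old = Get-ExchangeCertificate -Thumbprint $oldThumbprint

if ($old.IsSelfSigned) {
    Write-Warning 'The old certificate is self-signed; it was created in Exchange, not issued by a CA.'
}

# 3. Flatten the name list to plain strings and review it before ordering.
$names = $old.CertificateDomains | ForEach-Object { $_.ToString() } | Sort-Object -Unique
Write-Host "Subject : $($old.Subject)"
Write-Host "Services: $($old.Services)"
Write-Host "Names   : $($names -join ', ')"

# 4. Generate a new request with the same subject and names.
#    The private key is created on this server; only the request text goes to the CA.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName $old.Subject `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# Assumed output path; paste the file's contents into the CA's order form.
Set-Content -Path 'C:\Temp\mail-renewal.req' -Value $csr
```

Because the request is built from `$old.CertificateDomains`, any name the wizard options would have added (autodiscover, legacy, Hub Transport FQDN) appears in the new request only if it was on the old certificate.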
ASKER
We have an old Exchange 2000 system in coexistence. So I'm assuming that I have to select Legacy?
But when I looked up the DNS names of the current certificate, there were no Legacy ones in there.
"legacy.mydomain.com" isn't a requirement, but does help with certain types of redirection. If the old cert doesn't have it, then you will probably be fine.
ASKER
I'm about to buy the certificate, but before I do I want to double check some things.
For example, I didn't know if we are using for the Hub transport something called 'Mutual TLS'. So I went into our Exchange and selected the Hub transport. I right clicked on all of the clients setup in there and went to Properties->Authentication. The mutual TLS for domain security was unchecked. So from that, I realised I don't need this particular part of the certificate. This method was correct, right?
ASKER
Basically, I'm sometimes confused as to which parts to select and which not whilst in the wizard in Exchange.
Is there a way I can make it precisely as the previous certificate by looking somewhere? Is there somewhere that shows 'Mutual TLS' was selected before and the same goes for the rest. There must be somewhere I can find this information to just duplicate the same settings without worrying if I have missed out something?
ASKER
I used the Digicert's utility to do this. So much easier. However, now that I have purchased it I have a confirmation order but nothing sent to my mailbox with the new certificates. Does this usually take time?
Yes. It takes some time.
ASKER
I used this link:
http://www.digicert.com/util/ssl-certificate-renewal-using-digicert-utility-exchange-2010.htm
However, I used the Digicert file created and used another provider Comodo to order it. I'm assuming I can still use the certificate from Comodo and continue with it as shown in the link?
That should be good.
Regards,
~coolsport00