  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 956

Exchange 2010 SSL Cert Install

Installed a 3rd-party cert from GoDaddy into one of my Exchange boxes; finally managed to get it working after the revocation errors.
Now struggling to get the cert installed into a second server. I have exported and imported from the working Exchange into the other one and am getting revocation errors again.

Is this the correct process, or should I be creating a cert on the new Exchange box and going through the original process, CSR etc.?
0
Asked: CHI-LTD
3 Solutions
 
Tony J (Lead Technical Architect) commented:
Well, technically you're meant to have one certificate per server, but notwithstanding that, have you not tried running the certificate wizard from within the Exchange Management Console?
0
 
CHI-LTD (Author) commented:
No, I did an export of the SSL cert from ex1 and did an import of that exported cert into ex2.
0
 
Tony J (Lead Technical Architect) commented:
http://technet.microsoft.com/en-us/library/dd351183(v=exchg.141).aspx

Having imported it, did you assign it to the relevant services?

What are the revocation errors you're seeing?
0
 
CHI-LTD (Author) commented:
I imported via EMC, then assigned services using the shell. So IIS and SMTP are assigned.
Still showing revocation.
0
 
Tony J (Lead Technical Architect) commented:
But what is the actual error? Can you provide a screenshot?
0
 
CHI-LTD (Author) commented:
I have even imported the CRL file, which I can download fine, into the CRL folder under MMC - Certificates locally on the server.
Error attached:
exch.jpg
0
 
Tony J (Lead Technical Architect) commented:
Yeah, just having the CRL won't be enough, I suspect. Exchange will try to use OCSP... in a nutshell, it needs to see the CA's CRL online.
0
 
Dipak commented:
If Exchange can’t access the CRL, the certificate status is returned as RevocationCheckFailure by the shell. In EMC this is displayed as The certificate status could not be determined because the revocation check failed.

When a certificate fails a revocation check due to any of the above reasons, the EMC prevents you from assigning the certificate to any Exchange service. Note, this does not impact certificates that have already been assigned to Exchange services. The services will continue to function.

Two of the causes of this are listed as:

    # Network or proxy misconfiguration, or a firewall rule preventing Internet access
    # Intentional blocking of Internet connectivity from the server

Please go through the link below, which will assist you more with this issue.

http://exchangeserverpro.com/exchange-2010-certificate-revocation-checks-and-proxy-settings/
0
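To make the "can the server reach the CRL" question concrete, here is an added diagnostic script, not from the thread or from Microsoft. It assumes it is run in the Exchange Management Shell on the Exchange 2010 server: it lists certificates whose status is RevocationCheckFailure, pulls the CRL Distribution Point URLs out of each one, tests whether the server can download them, and rebuilds the chain with online revocation checking so the precise chain status is shown.

```powershell
# Added diagnostic example (not from the thread). Assumes the Exchange Management Shell
# on the Exchange 2010 server, so Get-ExchangeCertificate and the Cert: drive are available.

$failing = Get-ExchangeCertificate | Where-Object { $_.Status -eq 'RevocationCheckFailure' }

foreach ($cert in $failing) {
    Write-Host "Certificate: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)"

    # Load the X509Certificate2 object from the local machine store by thumbprint
    $x509 = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"

    # OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders it as text
    $cdp  = $x509.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $urls = @()
    if ($cdp) {
        $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value }
    }
    if (-not $urls) { Write-Host "  No CRL Distribution Point URLs found in the certificate" }

    # Try to fetch each CRL the way the server would: direct, using the system proxy settings
    $web = New-Object System.Net.WebClient
    $web.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    foreach ($url in $urls) {
        try {
            $bytes = $web.DownloadData($url)
            Write-Host "  CRL reachable:     $url ($($bytes.Length) bytes)"
        } catch {
            Write-Host "  CRL NOT reachable: $url -> $($_.Exception.Message)"
        }
    }

    # Rebuild the chain with online revocation checking to surface the real failure reason
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($x509)
    if ($chain.ChainStatus.Count -eq 0) {
        Write-Host "  Chain builds cleanly with online revocation checking"
    }
    foreach ($s in $chain.ChainStatus) {
        Write-Host "  Chain status: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}
```

Note that this runs as the logged-in administrator, whereas Exchange performs its check from its service context, whose proxy configuration (WinHTTP rather than the user's Internet Explorer settings) can differ; a CRL that downloads here but still fails in Exchange points at that difference, which is what the linked article covers.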
 
Tony J (Lead Technical Architect) commented:
In other words... what I said: Exchange needs to have external access to the CRL.
0
 
CHI-LTD (Author) commented:
It sure does have access. No proxy server used. The site has direct internet access.
I have also already followed that link to Exchange Server Pro...
tried certutil etc.,
set proxy,
reset proxy,
etc.
etc.
0
 
Tony J (Lead Technical Architect) commented:
So... from the Exchange server you can browse (via IE) to the CRL URL listed in the cert?
0
 
CHI-LTD (Author) commented:
Sure can. It downloads fine.
I have also imported this (read somewhere about doing this) but it doesn't fix it.
0
 
CHI-LTD (Author) commented:
Ideas?
Firewall?
0
 
CHI-LTD (Author) commented:
Got here in the end. Followed a DigiCert guide, which worked fine.
But that was some time ago and some firewall changes were made, so it could have been related to this.
0
