Solved

Exchange 2010 SSL Cert Install

Posted on 2013-05-16
Last Modified: 2013-07-11
Installed a 3rd-party cert from GoDaddy into one of my Exchange boxes; finally managed to get it working after the revocation errors.
Now struggling to get the cert installed into a second server. I have exported and imported from the working Exchange into the other one and am getting revocation errors again.

Is this the correct process, or should I be creating a cert on the new Exchange box and going through the original process, CSR etc.?
0
Question by:CHI-LTD
14 Comments
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 39170753
Well technically you're meant to have one certificate per server but notwithstanding that, have you not tried running the certificate wizard from within the Exchange Management Console?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39170772
No, I did an export of the SSL cert from ex1 and did an import of that exported cert into ex2.
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 39170788
http://technet.microsoft.com/en-us/library/dd351183(v=exchg.141).aspx

Having imported it, did you assign it to the relevant services?

What are the revocation errors you're seeing?
0

 
LVL 1

Author Comment

by:CHI-LTD
ID: 39170851
I imported via EMC, then assigned services using the shell.  So IIS and SMTP assigned.
Still showing revocation.
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 39170864
But what is the actual error? Can you provide a screenshot?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39170934
I have even imported the CRL file, which I can download fine, into the CRL folder under MMC - Certificates locally on the server.
Error attached:
exch.jpg
0
 
LVL 25

Assisted Solution

by:Tony Johncock
Tony Johncock earned 333 total points
ID: 39171124
Yeah just having the CRL won't be enough, I suspect. Exchange will try to use OCSP...in a nutshell it needs to see the CA's CRL online.
0
 
LVL 8

Accepted Solution

by:
Dipak earned 167 total points
ID: 39171127
If Exchange can't access the CRL, the certificate status is returned as RevocationCheckFailure by the shell. In EMC this is displayed as "The certificate status could not be determined because the revocation check failed."

When a certificate fails a revocation check due to any of the above reasons, the EMC prevents you from assigning the certificate to any Exchange service. Note, this does not impact certificates that have already been assigned to Exchange services. The services will continue to function.

Two of the causes of this are listed as:

    # Network or proxy misconfiguration, or a firewall rule preventing Internet access
    # Intentional blocking of Internet connectivity from the server

Please go through the link below, which will assist you more on this issue.

http://exchangeserverpro.com/exchange-2010-certificate-revocation-checks-and-proxy-settings/
0
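
An added diagnostic sketch for the revocation failure described in the answer above; it is not part of the original thread or of the linked guide. It assumes it is run in the Exchange Management Shell on the affected server, and the thumbprint value is a placeholder to replace with the imported certificate's own.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# server that reports the failure. The thumbprint below is a placeholder.
$Thumbprint = 'REPLACE_WITH_CERT_THUMBPRINT'

# 1. Status as Exchange reports it (RevocationCheckFailure is the value named above).
Get-ExchangeCertificate -Thumbprint $Thumbprint |
    Format-List Subject, Status, Services, NotAfter

# 2. Machine-wide WinHTTP proxy, which can differ from the proxy settings IE uses.
netsh winhttp show proxy

# 3. Rebuild the chain with online revocation checking and a bounded fetch timeout.
$cert  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = 'Online'
$chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$valid = $chain.Build($cert)
"Chain valid with online revocation: $valid"

# Per-certificate result: shows which element of the chain fails the check.
foreach ($element in $chain.ChainElements) {
    $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $flags) { $flags = 'NoError' }
    '{0} -> {1}' -f $element.Certificate.Subject, $flags
}

# 4. Where the certificate says revocation data lives:
#    2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access.
$cert.Extensions |
    Where-Object { '2.5.29.31', '1.3.6.1.5.5.7.1.1' -contains $_.Oid.Value } |
    ForEach-Object { $_.Oid.FriendlyName; $_.Format($true) }
```

A `RevocationStatusUnknown` or `OfflineRevocation` flag on an element means revocation data for that certificate could not be retrieved, so the URLs printed in step 4 are the ones the firewall or proxy must allow. The chain build runs under the account that started the shell, so a clean result there does not by itself prove the Exchange services see the same network path.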
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 39171189
In other words...what I said - Exchange needs to have external access to the CRL
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39174083
It sure does have access. No proxy server used. The site has direct internet access.
I have also already followed that link to Exchange Server Pro...
tried certutil etc
set proxy
reset proxy
etc
etc
0
 
LVL 25

Assisted Solution

by:Tony Johncock
Tony Johncock earned 333 total points
ID: 39174090
So...from the Exchange server you can browse (via IE) to the CRL URL listed in the cert?
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39174109
Sure can.  It downloads it fine..
I have also imported this (read somewhere about doing this) but doesn't fix..
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 39252740
ideas?
firewall?
0
 
LVL 1

Author Closing Comment

by:CHI-LTD
ID: 39317145
Got here in the end. Followed a DigiCert guide which worked fine.
But it was some time ago and had some firewall changes made, so could have been related to this.
0
