Link to home
Start Free TrialLog in
Avatar of carolinems
carolinems

asked on

SSL certificates questions

I have a couple of questions on SSL certificates and would be grateful for any answers.

Can a certificate be revoked (so that the name becomes available again) once it has been cancelled or expired?

As it had expired on an old SBS 2003 server we renamed it from remote.domain.com to remote2.domain.com and created the certificate, but we can only get into OWA using https://remote.domain.com/exchange and it comes up with a certificate error and displays the new certificate. I thought we would have been able to go in with https://remote2.domain.com/exchange?
Avatar of carolinems
carolinems

ASKER

I've added to Cname in the DNS to point remote2.domain.com to remote.domain.com.

I may take a while for this to update.
Avatar of Cris Hanna
Are you still running SBS 2003 or have you moved to SBS 2011
Are you using a trusted 3rd party cert or the built in cert?
Can a certificate be revoked (so that the name becomes available again) once it has been cancelled or expired? <-- you don't revoke an cancelled and expire certificate

but you can have multiple of the same certificate name without any problem
the thumbnail id which is the different every time you create a new certificate (regardless what your name called)

===========
If you confirm you cna browse to https://remote2.domain.com/, then it is not an IIS issues.
if it redirect you back to https://remote.domain.com/ then you know it is clearly an exchange issue, if you are using SBS, you need to rerun CEIEW
The Configure E-mail and Internet Connectivity Wizard (CEICW) creates/manages the self-issued certificate in SBS 2003.

Run the wizard on remote.domain.com since your DNS seems to point there. Then the certificate name will match though clients will still get a warning due to the cert being self-issued.

You can get an inexpensive GoDaddy certificate and use the Official SBS Blog method to create the CSR in IIS, import the cert, and install it.
Official SBS Blog: http://bit.ly/Z0KpRa

Philip
Expired certificate can be renewed but not for revoked certificate to be reused though it does not stop you from having the same CN - the system is checking on the serial # and thumbprint of that cert in the CA CRL issued. You need to run the Add a Trusted Certificate wizard to renew the certificate. I rather not change the CN name unnecessarily

http://blogs.technet.com/b/sbs/archive/2008/09/20/introducing-the-add-a-trusted-certificate-wizard-in-sbs-2008.aspx
http://blog.kazmarek.com/2010/11/17/renew-ssl-self-signed-certificate-in-sbs-2008/

This link is for troubleshooting cert issue using Certificate Cmdlets
http://technet.microsoft.com/en-us/library/bb331963.aspx

Fields used by certificates for tls services
http://technet.microsoft.com/en-us/library/aa998840.aspx#field

For TLS, certificates must contain DNS names because the TLS relies on DNS resolution. Clients verify the DNS name of the server to which they are connecting with the DNS name that they expect to be connecting to. This is true for Web browsers that connect to a Web site over HTTPS and for SMTP servers that transmit e-mail over the Internet or intranet. When a TLS connection is established, if the client finds the name that it is looking for, the client ignores the other names in the certificate. Multiple domain and server names can be added to the Subject Alternative Name field of a TLS certificate. You can create a certificate that contains multiple Subject Alternative Names by using the DomainName parameter of the New-ExchangeCertificate cmdlet. The DomainName parameter is multivalued so that it can accept multiple names.
ASKER CERTIFIED SOLUTION
Avatar of carolinems
carolinems

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Thanks for the update :)
you don't need to revoke a certificate to get a new certificate with the same name
I managed to resolve the issue from other sources before I received any replies.