Solved

SSL certificates questions

Posted on 2013-05-22
Last Modified: 2013-06-01
I have a couple of questions on SSL certificates and would be grateful for any answers.

Can a certificate be revoked (so that the name becomes available again) once it has been cancelled or expired?

As it had expired on an old SBS 2003 server we renamed it from remote.domain.com to remote2.domain.com and created the certificate, but we can only get into OWA using https://remote.domain.com/exchange and it comes up with a certificate error and displays the new certificate. I thought we would have been able to go in with https://remote2.domain.com/exchange?
0
Question by:carolinems
9 Comments
 

Author Comment

by:carolinems
ID: 39187179
I've added a CNAME in the DNS to point remote2.domain.com to remote.domain.com.

It may take a while for this to update.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39189317
Are you still running SBS 2003 or have you moved to SBS 2011?
Are you using a trusted 3rd party cert or the built-in cert?
0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 39189325
Can a certificate be revoked (so that the name becomes available again) once it has been cancelled or expired? <-- You don't revoke a cancelled and expired certificate,

but you can have multiple certificates with the same name without any problem.
The thumbnail id is different every time you create a new certificate (regardless of what the name is).

===========
If you confirm you can browse to https://remote2.domain.com/, then it is not an IIS issue.
If it redirects you back to https://remote.domain.com/ then you know it is clearly an Exchange issue. If you are using SBS, you need to rerun CEICW.
0
 
LVL 39

Expert Comment

by:Philip Elder
ID: 39189382
The Configure E-mail and Internet Connectivity Wizard (CEICW) creates/manages the self-issued certificate in SBS 2003.

Run the wizard on remote.domain.com since your DNS seems to point there. Then the certificate name will match though clients will still get a warning due to the cert being self-issued.

You can get an inexpensive GoDaddy certificate and use the Official SBS Blog method to create the CSR in IIS, import the cert, and install it.
Official SBS Blog: http://bit.ly/Z0KpRa

Philip
0
 
LVL 64

Expert Comment

by:btan
ID: 39189597
An expired certificate can be renewed, but a revoked certificate cannot be reused, though that does not stop you from having the same CN - the system checks the serial # and thumbprint of that cert in the CRL issued by the CA. You need to run the Add a Trusted Certificate wizard to renew the certificate. I would rather not change the CN name unnecessarily.

http://blogs.technet.com/b/sbs/archive/2008/09/20/introducing-the-add-a-trusted-certificate-wizard-in-sbs-2008.aspx
http://blog.kazmarek.com/2010/11/17/renew-ssl-self-signed-certificate-in-sbs-2008/

This link is for troubleshooting cert issues using Certificate Cmdlets
http://technet.microsoft.com/en-us/library/bb331963.aspx

Fields used by certificates for TLS services
http://technet.microsoft.com/en-us/library/aa998840.aspx#field

For TLS, certificates must contain DNS names because the TLS relies on DNS resolution. Clients verify the DNS name of the server to which they are connecting with the DNS name that they expect to be connecting to. This is true for Web browsers that connect to a Web site over HTTPS and for SMTP servers that transmit e-mail over the Internet or intranet. When a TLS connection is established, if the client finds the name that it is looking for, the client ignores the other names in the certificate. Multiple domain and server names can be added to the Subject Alternative Name field of a TLS certificate. You can create a certificate that contains multiple Subject Alternative Names by using the DomainName parameter of the New-ExchangeCertificate cmdlet. The DomainName parameter is multivalued so that it can accept multiple names.
0
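The name check described in the comment above, applied to the host names from the question, as an added example that is not part of the original thread. The certificate contents are constructed, and the matching is a simplified form of the usual client rules (a wildcard is accepted only as the whole leftmost label, and the subject CN is consulted only when the certificate carries no SAN DNS names).

```python
def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """True if one certificate DNS name covers the host the client asked for."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(hostname, san_dns=(), subject_cn=None):
    """Check the name from the URL against the certificate's names.

    The client compares the name the user typed, not the name a CNAME
    resolves to. When SAN DNS names exist, the subject CN is ignored.
    """
    if san_dns:
        candidates = list(san_dns)
    else:
        candidates = [subject_cn] if subject_cn else []
    return any(name_matches(c, hostname) for c in candidates)


# Constructed certificates modelled on the question (not real certificates).
NEW_CERT = {"subject_cn": "remote2.domain.com", "san_dns": []}
MULTI_CERT = {
    "subject_cn": "remote.domain.com",
    "san_dns": ["remote.domain.com", "remote2.domain.com"],
}


def check(url_host, cert):
    return cert_covers(url_host, cert["san_dns"], cert["subject_cn"])


if __name__ == "__main__":
    for host in ("remote.domain.com", "remote2.domain.com"):
        for label, cert in (("new cert", NEW_CERT), ("multi-name cert", MULTI_CERT)):
            verdict = "name matches" if check(host, cert) else "name mismatch warning"
            print(f"https://{host}/exchange with {label}: {verdict}")
```

A name match only removes the mismatch warning; a self-issued certificate still produces a trust warning, as noted earlier in the thread.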
 

Accepted Solution

by:
carolinems earned 0 total points
ID: 39190514
Thanks for your answers - I managed to get the details on the old certificate and revoke it.

I deleted the cname and created a new A record for remote2 and that did the trick.
0
 
LVL 64

Expert Comment

by:btan
ID: 39190704
Thanks for the update :)
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 39191211
You don't need to revoke a certificate to get a new certificate with the same name.
0
 

Author Closing Comment

by:carolinems
ID: 39212614
I managed to resolve the issue from other sources before I received any replies.
0
