Solved

SSL certificates questions

Posted on 2013-05-22
Last Modified: 2013-06-01
I have a couple of questions on SSL certificates and would be grateful for any answers.

Can a certificate be revoked (so that the name becomes available again) once it has been cancelled or expired?

As it had expired on an old SBS 2003 server we renamed it from remote.domain.com to remote2.domain.com and created the certificate, but we can only get into OWA using https://remote.domain.com/exchange and it comes up with a certificate error and displays the new certificate. I thought we would have been able to go in with https://remote2.domain.com/exchange?
0
Question by:carolinems
9 Comments
 

Author Comment

by:carolinems
ID: 39187179
I've added a CNAME in the DNS to point remote2.domain.com to remote.domain.com.

It may take a while for this to update.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39189317
Are you still running SBS 2003 or have you moved to SBS 2011?
Are you using a trusted 3rd party cert or the built-in cert?
0
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 39189325
Can a certificate be revoked (so that the name becomes available again) once it has been cancelled or expired? <-- you don't revoke a cancelled and expired certificate

but you can have multiple certificates with the same name without any problem;
the thumbnail ID is different every time you create a new certificate (regardless of what the name is)

===========
If you confirm you can browse to https://remote2.domain.com/, then it is not an IIS issue.
If it redirects you back to https://remote.domain.com/ then you know it is clearly an Exchange issue; if you are using SBS, you need to rerun CEICW.
0
 
LVL 39

Expert Comment

by:Philip Elder
ID: 39189382
The Configure E-mail and Internet Connectivity Wizard (CEICW) creates/manages the self-issued certificate in SBS 2003.

Run the wizard on remote.domain.com since your DNS seems to point there. Then the certificate name will match though clients will still get a warning due to the cert being self-issued.

You can get an inexpensive GoDaddy certificate and use the Official SBS Blog method to create the CSR in IIS, import the cert, and install it.
Official SBS Blog: http://bit.ly/Z0KpRa

Philip
0
 
LVL 64

Expert Comment

by:btan
ID: 39189597
An expired certificate can be renewed, but a revoked certificate cannot be reused, though that does not stop you from having the same CN - the system checks the serial # and thumbprint of that cert in the CRL issued by the CA. You need to run the Add a Trusted Certificate wizard to renew the certificate. I'd rather not change the CN name unnecessarily.

http://blogs.technet.com/b/sbs/archive/2008/09/20/introducing-the-add-a-trusted-certificate-wizard-in-sbs-2008.aspx
http://blog.kazmarek.com/2010/11/17/renew-ssl-self-signed-certificate-in-sbs-2008/

This link is for troubleshooting cert issue using Certificate Cmdlets
http://technet.microsoft.com/en-us/library/bb331963.aspx

Fields used by certificates for TLS services
http://technet.microsoft.com/en-us/library/aa998840.aspx#field

For TLS, certificates must contain DNS names because the TLS relies on DNS resolution. Clients verify the DNS name of the server to which they are connecting with the DNS name that they expect to be connecting to. This is true for Web browsers that connect to a Web site over HTTPS and for SMTP servers that transmit e-mail over the Internet or intranet. When a TLS connection is established, if the client finds the name that it is looking for, the client ignores the other names in the certificate. Multiple domain and server names can be added to the Subject Alternative Name field of a TLS certificate. You can create a certificate that contains multiple Subject Alternative Names by using the DomainName parameter of the New-ExchangeCertificate cmdlet. The DomainName parameter is multivalued so that it can accept multiple names.
0
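
The name check described in the comment above, as an added example (not part of the original thread or any poster's code): it compares the host name the client requested with the DNS names in a certificate. The certificates are constructed dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the CN fallback for certificates without SAN entries is an assumption modelled on older clients.

```python
# Added example: client-side TLS name check on constructed certificates.
# The client verifies the name it requested (the host in the URL), not the
# name a DNS CNAME eventually resolves to.

def _norm(name):
    return name.rstrip(".").lower()

def _label_match(pattern, host):
    """Compare one certificate name against the host the client asked for."""
    p, h = _norm(pattern).split("."), _norm(host).split(".")
    if len(p) != len(h):
        return False
    # A wildcard is honoured only as the entire left-most label.
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """SAN dNSName entries if present, otherwise the subject CN (assumed fallback)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(cert, requested_host):
    return any(_label_match(n, requested_host) for n in cert_names(cert))

def report(cert, hosts):
    return {h: name_matches(cert, h) for h in hosts}

# Constructed sample certificates using the host names from the question.
CERT_REMOTE2 = {
    "subject": ((("commonName", "remote2.domain.com"),),),
    "subjectAltName": (("DNS", "remote2.domain.com"),),
}
CERT_BOTH = {
    "subject": ((("commonName", "remote.domain.com"),),),
    "subjectAltName": (("DNS", "remote.domain.com"), ("DNS", "remote2.domain.com")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "remote.domain.com"),),)}

if __name__ == "__main__":
    hosts = ["remote.domain.com", "remote2.domain.com"]
    for label, cert in [("remote2 only", CERT_REMOTE2),
                        ("both SANs", CERT_BOTH),
                        ("CN only", CERT_CN_ONLY)]:
        print(label, report(cert, hosts))
```

A certificate issued only for remote2.domain.com fails the check when the URL uses remote.domain.com, whatever DNS records exist; a certificate listing both names in Subject Alternative Name passes for either URL.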
 

Accepted Solution

by:
carolinems earned 0 total points
ID: 39190514
Thanks for your answers - I managed to get the details on the old certificate and revoke it.

I deleted the cname and created a new A record for remote2 and that did the trick.
0
 
LVL 64

Expert Comment

by:btan
ID: 39190704
Thanks for the update :)
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 39191211
You don't need to revoke a certificate to get a new certificate with the same name.
0
 

Author Closing Comment

by:carolinems
ID: 39212614
I managed to resolve the issue from other sources before I received any replies.
0
