Solved

SSL certificates questions

Posted on 2013-05-22
335 Views
Last Modified: 2013-06-01
I have a couple of questions on SSL certificates and would be grateful for any answers.

Can a certificate be revoked (so that the name becomes available again) once it has been cancelled or expired?

As it had expired on an old SBS 2003 server we renamed it from remote.domain.com to remote2.domain.com and created the certificate, but we can only get into OWA using https://remote.domain.com/exchange and it comes up with a certificate error and displays the new certificate. I thought we would have been able to go in with https://remote2.domain.com/exchange?
Question by:carolinems
9 Comments
 

Author Comment

by:carolinems
ID: 39187179
I've added a CNAME in the DNS to point remote2.domain.com to remote.domain.com.

It may take a while for this to update.
LVL 35

Expert Comment

by:Cris Hanna
ID: 39189317
Are you still running SBS 2003 or have you moved to SBS 2011?
Are you using a trusted 3rd party cert or the built in cert?
LVL 36

Expert Comment

by:Jian An Lim
ID: 39189325
Can a certificate be revoked (so that the name becomes available again) once it has been cancelled or expired? <-- you don't revoke a cancelled and expired certificate

but you can have multiple certificates with the same name without any problem
the thumbnail id is different every time you create a new certificate (regardless of what your name is called)

===========
If you confirm you can browse to https://remote2.domain.com/, then it is not an IIS issue.
if it redirects you back to https://remote.domain.com/ then you know it is clearly an Exchange issue; if you are using SBS, you need to rerun CEICW
LVL 38

Expert Comment

by:Philip Elder
ID: 39189382
The Configure E-mail and Internet Connectivity Wizard (CEICW) creates/manages the self-issued certificate in SBS 2003.

Run the wizard on remote.domain.com since your DNS seems to point there. Then the certificate name will match though clients will still get a warning due to the cert being self-issued.

You can get an inexpensive GoDaddy certificate and use the Official SBS Blog method to create the CSR in IIS, import the cert, and install it.
Official SBS Blog: http://bit.ly/Z0KpRa

Philip
LVL 63

Expert Comment

by:btan
ID: 39189597
An expired certificate can be renewed, but a revoked certificate cannot be reused, though that does not stop you from having the same CN - the system checks the serial # and thumbprint of that cert against the CRL issued by the CA. You need to run the Add a Trusted Certificate wizard to renew the certificate. I would rather not change the CN name unnecessarily.

http://blogs.technet.com/b/sbs/archive/2008/09/20/introducing-the-add-a-trusted-certificate-wizard-in-sbs-2008.aspx
http://blog.kazmarek.com/2010/11/17/renew-ssl-self-signed-certificate-in-sbs-2008/

This link is for troubleshooting cert issue using Certificate Cmdlets
http://technet.microsoft.com/en-us/library/bb331963.aspx

Fields used by certificates for tls services
http://technet.microsoft.com/en-us/library/aa998840.aspx#field

For TLS, certificates must contain DNS names because the TLS relies on DNS resolution. Clients verify the DNS name of the server to which they are connecting with the DNS name that they expect to be connecting to. This is true for Web browsers that connect to a Web site over HTTPS and for SMTP servers that transmit e-mail over the Internet or intranet. When a TLS connection is established, if the client finds the name that it is looking for, the client ignores the other names in the certificate. Multiple domain and server names can be added to the Subject Alternative Name field of a TLS certificate. You can create a certificate that contains multiple Subject Alternative Names by using the DomainName parameter of the New-ExchangeCertificate cmdlet. The DomainName parameter is multivalued so that it can accept multiple names.
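To make the name-matching rule in the passage above concrete, here is an added example (not code from the thread or from Exchange) that applies the client-side check to certificates laid out the way Python's `ssl.SSLSocket.getpeercert()` returns them. The two certificates are constructed sample data modelled on the thread's situation: a CN-only certificate issued for remote2.domain.com, and a multi-name certificate of the kind the `DomainName` parameter produces.

```python
# Added example: how a TLS client decides whether a certificate covers the
# host name it connected to. The cert dicts below are CONSTRUCTED samples in
# the layout of ssl.SSLSocket.getpeercert(); they are not real certificates.
import socket
import ssl


def cert_dns_names(cert):
    """Return the DNS names a client will accept for this certificate.

    Per RFC 6125 (and current browsers), if the certificate carries any
    subjectAltName DNS entries the subject CN is ignored entirely; the CN
    is consulted only as a fallback for certificates with no SAN at all.
    """
    sans = [v for typ, v in cert.get("subjectAltName", ()) if typ == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def label_matches(pattern, host):
    """Case-insensitive comparison; a leftmost '*' covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    parts = host.split(".", 1)
    return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]


def hostname_matches(cert, host):
    """True if a client connecting to `host` would accept `cert`."""
    return any(label_matches(name, host) for name in cert_dns_names(cert))


def fetch_peer_cert(host, port=443):
    """Fetch a live server's certificate dict (needs network; not run here)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed: the renamed SBS 2003 self-issued certificate, CN only, no SAN.
RENAMED_CERT = {"subject": ((("commonName", "remote2.domain.com"),),)}
# Constructed: one certificate covering both names via subjectAltName.
SAN_CERT = {
    "subject": ((("commonName", "remote.domain.com"),),),
    "subjectAltName": (("DNS", "remote.domain.com"), ("DNS", "remote2.domain.com")),
}
```

With `RENAMED_CERT`, a browser visiting https://remote.domain.com/ reports a mismatch exactly as described in the question, while `SAN_CERT` is accepted for either name.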

Accepted Solution

by:
carolinems earned 0 total points
ID: 39190514
Thanks for your answers - I managed to get the details on the old certificate and revoke it.

I deleted the cname and created a new A record for remote2 and that did the trick.
LVL 63

Expert Comment

by:btan
ID: 39190704
Thanks for the update :)
LVL 37

Expert Comment

by:ArneLovius
ID: 39191211
You don't need to revoke a certificate to get a new certificate with the same name.

Author Closing Comment

by:carolinems
ID: 39212614
I managed to resolve the issue from other sources before I received any replies.