Solved

SSL certificates questions

Posted on 2013-05-22
9
332 Views
Last Modified: 2013-06-01
I have a couple of questions on SSL certificates and would be grateful for any answers.

Can a certificate be revoked (so that the name becomes available again) once it has been cancelled or expired?

As it had expired on an old SBS 2003 server we renamed it from remote.domain.com to remote2.domain.com and created the certificate, but we can only get into OWA using https://remote.domain.com/exchange and it comes up with a certificate error and displays the new certificate. I thought we would have been able to go in with https://remote2.domain.com/exchange?
0
Comment
Question by:carolinems
9 Comments
 

Author Comment

by:carolinems
ID: 39187179
I've added to Cname in the DNS to point remote2.domain.com to remote.domain.com.

I may take a while for this to update.
0
 
LVL 35

Expert Comment

by:Cris Hanna
ID: 39189317
Are you still running SBS 2003 or have you moved to SBS 2011
Are you using a trusted 3rd party cert or the built in cert?
0
 
LVL 36

Expert Comment

by:Jian An Lim
ID: 39189325
Can a certificate be revoked (so that the name becomes available again) once it has been cancelled or expired? <-- you don't revoke an cancelled and expire certificate

but you can have multiple of the same certificate name without any problem
the thumbnail id which is the different every time you create a new certificate (regardless what your name called)

===========
If you confirm you cna browse to https://remote2.domain.com/, then it is not an IIS issues.
if it redirect you back to https://remote.domain.com/ then you know it is clearly an exchange issue, if you are using SBS, you need to rerun CEIEW
0
 
LVL 38

Expert Comment

by:Philip Elder
ID: 39189382
The Configure E-mail and Internet Connectivity Wizard (CEICW) creates/manages the self-issued certificate in SBS 2003.

Run the wizard on remote.domain.com since your DNS seems to point there. Then the certificate name will match though clients will still get a warning due to the cert being self-issued.

You can get an inexpensive GoDaddy certificate and use the Official SBS Blog method to create the CSR in IIS, import the cert, and install it.
Official SBS Blog: http://bit.ly/Z0KpRa

Philip
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 62

Expert Comment

by:btan
ID: 39189597
Expired certificate can be renewed but not for revoked certificate to be reused though it does not stop you from having the same CN - the system is checking on the serial # and thumbprint of that cert in the CA CRL issued. You need to run the Add a Trusted Certificate wizard to renew the certificate. I rather not change the CN name unnecessarily

http://blogs.technet.com/b/sbs/archive/2008/09/20/introducing-the-add-a-trusted-certificate-wizard-in-sbs-2008.aspx
http://blog.kazmarek.com/2010/11/17/renew-ssl-self-signed-certificate-in-sbs-2008/

This link is for troubleshooting cert issue using Certificate Cmdlets
http://technet.microsoft.com/en-us/library/bb331963.aspx

Fields used by certificates for tls services
http://technet.microsoft.com/en-us/library/aa998840.aspx#field

For TLS, certificates must contain DNS names because the TLS relies on DNS resolution. Clients verify the DNS name of the server to which they are connecting with the DNS name that they expect to be connecting to. This is true for Web browsers that connect to a Web site over HTTPS and for SMTP servers that transmit e-mail over the Internet or intranet. When a TLS connection is established, if the client finds the name that it is looking for, the client ignores the other names in the certificate. Multiple domain and server names can be added to the Subject Alternative Name field of a TLS certificate. You can create a certificate that contains multiple Subject Alternative Names by using the DomainName parameter of the New-ExchangeCertificate cmdlet. The DomainName parameter is multivalued so that it can accept multiple names.
0
 

Accepted Solution

by:
carolinems earned 0 total points
ID: 39190514
Thanks for your answers - I managed to get the details on the old certificate and revoke it.

I deleted the cname and created a new A record for remote2 and that did the trick.
0
 
LVL 62

Expert Comment

by:btan
ID: 39190704
Thanks for the update :)
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 39191211
you don't need to revoke a certificate to get a new certificate with the same name
0
 

Author Closing Comment

by:carolinems
ID: 39212614
I managed to resolve the issue from other sources before I received any replies.
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Utilizing an array to gracefully append to a list of EmailAddresses
Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
how to add IIS SMTP to handle application/Scanner relays into office 365.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now