Exchange 2010 SAN Cert Question

Hello,

I have a couple of Exchange 2010 servers on which someone else created the SAN cert. I need to create a new cert with the same original settings so the cert can be re-keyed by GoDaddy (I simply renewed the existing cert when I needed to renew it, but now, for security reasons, it needs to be re-keyed by GoDaddy). What is the easiest way to determine all the settings that were used to create the original SAN cert?
hwest123Asked:

R--R Commented:
Note the SAN entries of the existing certificate and create a new CSR.
0
hwest123 Author Commented:
Thanks for your reply. I had previously looked at the subject alternative names in the cert and they are:

owa.companyname.org
www.owa.companyname.org
autodiscover.companyname.org
legacy.companyname.org
companyname.org

All of these are internet-side DNS names (none are the internal network names) and this purchased cert is on both Exchange servers (we have only 2 Exchange servers and they both run all the Exchange roles we run). There is a second cert on each Exchange server that is a self-signed one and the only service assigned to these self-signed certs is SMTP, so it looks like the person who set this up believed it was okay to use a self-signed cert on the internal network. The subject alternative names on the first Exchange server are:

exchange1
exchange1.internaldomainname.com

and the subject alternative names on the second Exchange server are:

exchange2
exchange2.internaldomainname.com

So, my issue is I'm not sure which names go in which fields when I use the SAN cert wizard to generate a new Exchange cert, and I'm not completely sure which boxes were checked and which were not, and that's my issue (sorry, I should have fleshed things out more fully in the original post).

I am using the following article as my guide: http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/

In the cert wizard, where it says Outlook Web App under Client Access Server, I'm not sure if I should check both the "Outlook Web App is on the intranet" box and also the "Outlook Web App is on the Internet" box, or just the "Outlook Web App is on the Internet" box alone. Internally, we only use Outlook (not OWA), so I'm thinking the first box can be unchecked?

Next, where it has "Exchange ActiveSync is enabled", I'll just enter owa.companyname.org (our internet-based name). Where it says Client Access Server (Web Services, Outlook Anywhere, and Autodiscover), I know we don't use Outlook Anywhere, but I'm not sure what Exchange Web Services is referring to. Are these the web services required for OWA access?
If so, I'll check that and go with the internet name owa.companyname.org.

For the Hub Transport Server, I'm not sure if "Use mutual TLS to help secure Internet mail" should be checked or not (I'm guessing so, but not sure how it was originally set or if there is any way to see what this setting is currently). Also, if that box was checked, I suppose I should not enter the local host name here, but the internet host name, since that appears to be all this cert had in it: internet-side DNS names. Correct?
0
Simon Butler (Sembee) Consultant Commented:
The "www.owa.companyname.org" was put in there by GoDaddy. They do that automatically.

The host names you enter into the wizard don't matter, so you can ignore most of the options. You just want to get to the last screen where you can manipulate the results manually. That will allow you to change the common name to owa.companyname.org and add in any others.

Exchange will use self-signed certificates internally and for some SMTP traffic. That is fine. What you cannot do is include any internal names on the request, such as server.example.local; those aren't allowed on certificates that expire after November 2015.

Simon.
0
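The two steps the replies describe (read the SAN list off the existing certificate, then raise a request with the same common name and SANs but a fresh key) can be done from the Exchange Management Shell instead of the wizard. This is an added example, not code from the thread; it assumes the names used in the question, that the purchased cert is the only non-self-signed cert on the server, and a placeholder output path.

```powershell
# Added example: inventory the Exchange 2010 certificates, then build a re-key
# request that reproduces the public SAN list of the purchased cert.
# Run in the Exchange Management Shell on one of the two servers.

# 1. List every certificate Exchange knows about, with SANs and bound services,
#    so the original settings can be read instead of guessed.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, NotAfter, IsSelfSigned, Services,
        @{ Name = 'Domains'; Expression = { $_.CertificateDomains -join ', ' } } |
    Format-List

# 2. Pick the purchased (non-self-signed) cert and reuse its subject CN and SAN list.
#    Assumption: it is the only non-self-signed cert on this server.
$old   = Get-ExchangeCertificate | Where-Object { -not $_.IsSelfSigned } | Select-Object -First 1
$cn    = ($old.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' })[0]   # e.g. CN=owa.companyname.org
$names = @($old.CertificateDomains)

# 3. Public CAs no longer issue for internal names (bare host names, .local, etc.),
#    so drop any that slipped in and say so, rather than submitting a request that
#    will be rejected or silently trimmed. The filter is a simple heuristic.
$internal = $names | Where-Object { $_ -notmatch '\.' -or $_ -like '*.local' }
if ($internal) {
    Write-Warning ("Excluding internal names from the request: " + ($internal -join ', '))
}
$publicNames = $names | Where-Object { $internal -notcontains $_ }

# 4. Generate the CSR with a new 2048-bit key. PrivateKeyExportable is needed so the
#    issued cert can later be exported to the second Exchange server.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName $cn `
    -DomainName $publicNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -FriendlyName "$($cn -replace '^CN=','') re-key"

# Placeholder path; the base64 request text is what GoDaddy's re-key form wants.
Set-Content -Path "C:\temp\exchange-rekey.req" -Value $csr

# After the CA returns the certificate: Import-ExchangeCertificate, then
# Enable-ExchangeCertificate -Services with the same services $old.Services showed
# in step 1 (typically IIS and SMTP), and export it to the second server.
```

Compare the `Domains` and `Services` output from step 1 against the SAN list in the question before submitting the request; any name the old cert carried that step 3 excludes needs a deliberate decision, not a silent drop.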

hwest123 Author Commented:
Thanks, Simon.
0