• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 331

Exchange 2010 SAN Cert Question


I have a couple of Exchange 2010 servers on which someone else created the SAN cert.  I need to create a new cert with the same original settings so the cert can be re-keyed by GoDaddy (I simply renewed the existing cert when I needed to renew it, but now, for security reasons, it needs to be re-keyed by GoDaddy).  What is the easiest way to determine all the settings that were used to create the original SAN cert?
1 Solution
Note the SAN entries of the existing certificate and create a new CSR.
hwest123 (Author) Commented:
Thanks for your reply.  I had previously looked at the subject alternative names in the cert and they are:


All of these are internet-side DNS names (none are the internal network names) and this purchased cert is on both exchange servers (we have only 2 Exchange servers and they both run all the Exchange roles we run).  There is a second cert on each Exchange server that is a self-signed one and the only service assigned to these self-signed certs is SMTP, so it looks like the person who set this up believed it was okay to use a self-signed cert on the internal network.  The subject alternative names on the first Exchange server are:


and the subject alternative names on the second Exchange server


So, my issue is I'm not sure which names go in which fields when I use the SAN cert wizard to generate a new Exchange cert, and I'm not completely sure which boxes were checked and which were not (sorry, I should have fleshed things out more fully in the original post).

I am using the following article as my guide: http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/

In the cert wizard, where it says Outlook Web App under Client Access Server, I'm not sure if I should check both the Outlook Web App is on the intranet box and also the Outlook Web App is on the Internet boxes or just the Outlook Web App is on the Internet box, alone.  Internally, we only use Outlook (not OWA), so I'm thinking the first box can be unchecked?

Next, where it has the Exchange Active Sync is enabled, I'll just enter owa.companyname.org (our internet-based name).  Where it says client Access Server (Web Services, Outlook Anywhere, and Autodiscover), I know we don't use Outlook Anywhere, but I'm not sure what Exchange Web Services is referring to.  Are these the web services required for OWA access?
If so, I'll check that and go with the internet name owa.companyname.org.

For the Hub Transport Server, I'm not sure if the "Use mutual TLS to help secure Internet mail" box should be checked or not (I'm guessing so, but not sure how it was originally set or if there is any way to see what this setting is currently).  Also, if that box was checked, I suppose I should not enter the local host name here, but the internet host name, since that appears to be all this cert had in it: internet-side DNS names.  Correct?
Simon Butler (Sembee) (Consultant) Commented:
The "www.owa.companyname.org" was put in there by GoDaddy. They do that automatically.

The host names you enter into the wizard don't matter - so you can ignore most of the options. You just want to get to the last screen where you can manipulate the results manually. That will allow you to change the common name to owa.companyname.org and add in any others.

Exchange will use self-signed certificates internally and for some SMTP traffic. That is fine. What you cannot do is include any internal names on the request - so server.example.local - those aren't allowed on certificates that expire after November 2015.

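The two practical steps in this thread, reading the SAN entries and service bindings off the existing certificates and then building a request that reproduces them without going through the wizard's role checkboxes, can be done from the Exchange Management Shell. The following is an added example, not code posted by either participant. It assumes Exchange 2010's shell; owa.companyname.org is the name quoted in the thread, and the subject's country/organisation, the output path, and the `.local` filter are placeholders to adjust.

```powershell
# Added example (not from the original thread). Assumes the Exchange 2010
# Management Shell. owa.companyname.org comes from the thread; the subject
# fields, file path and the '*.local' filter are placeholders.

# 1. Inventory every certificate Exchange knows about on this server: what it
#    is bound to (Services), whether it is self-signed, and its SAN entries.
#    Run it on each server (or pass -Server <name>) to compare the two.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, Issuer, IsSelfSigned, Services, CertificateDomains, NotAfter

# 2. Pick the purchased certificate (not self-signed, bound to IIS) and copy its
#    SAN list as plain strings so the replacement request matches it exactly.
$old  = Get-ExchangeCertificate |
        Where-Object { -not $_.IsSelfSigned -and ("$($_.Services)" -like '*IIS*') } |
        Select-Object -First 1
$sans = @($old.CertificateDomains | ForEach-Object { $_.ToString() })

# 3. Leave out internal-only names (placeholder pattern '*.local' and bare
#    host names); public CAs will not put them on the new certificate.
$publicSans = @($sans | Where-Object { ($_ -notlike '*.local') -and ($_ -like '*.*') })

# 4. The common name has to be in the SAN list too.
$cn = 'owa.companyname.org'
if ($publicSans -notcontains $cn) { $publicSans += $cn }

# 5. Generate the CSR directly. This is the equivalent of editing the wizard's
#    last screen by hand: the role checkboxes never enter into it.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Company Name, CN=$cn" `
    -DomainName $publicSans `
    -PrivateKeyExportable $true `
    -KeySize 2048

# The cmdlet returns the Base64 PKCS#10 request; save it for the CA.
Set-Content -Path 'C:\certreq\exchange-rekey.req' -Value $req
Write-Host "Request written with SANs: $($publicSans -join ', ')"

# 6. Once the CA returns the signed certificate, import it and bind the same
#    services the old certificate had (copy the Services value from step 1).
# Import-ExchangeCertificate -PrivateKeyExportable $true `
#     -FileData ([Byte[]](Get-Content -Path 'C:\certreq\exchange.cer' -Encoding Byte -ReadCount 0))
# Enable-ExchangeCertificate -Thumbprint <new thumbprint> -Services 'IIS,SMTP'
```

Because the request is generated on one server, the private key exists only there; with `-PrivateKeyExportable $true` the finished certificate can be exported as a PFX and imported on the second server, which keeps both machines presenting the same certificate as the thread describes.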
hwest123 (Author) Commented:
Thanks, Simon.