hwest123

asked on

Exchange 2010 SAN Cert Question

Hello,

I have a couple of Exchange 2010 servers on which someone else created the SAN cert.  I need to create a new cert with the same original settings so the cert can be re-keyed by GoDaddy (I simply renewed the existing cert when I needed to renew it, but now, for security reasons, it needs to be re-keyed by GoDaddy).  What is the easiest way to determine all the settings that were used to create the original SAN cert?
R--R

Note the SAN entries of the existing certificate and create a new CSR.
hwest123

ASKER

Thanks for your reply.  I had previously looked at the subject alternative names in the cert and they are:

owa.companyname.org
www.owa.companyname.org
autodiscover.companyname.org
legacy.companyname.org
companyname.org

All of these are internet-side DNS names (none are the internal network names) and this purchased cert is on both exchange servers (we have only 2 Exchange servers and they both run all the Exchange roles we run).  There is a second cert on each Exchange server that is a self-signed one and the only service assigned to these self-signed certs is SMTP, so it looks like the person who set this up believed it was okay to use a self-signed cert on the internal network.  The subject alternative names on the first Exchange server are:

exchange1
exchange1.internaldomainname.com

and the subject alternative names on the second Exchange server are:

exchange2
exchange2.internaldomainname.com

So, my issue is I'm not sure which names go in which fields when I use the SAN cert wizard to generate a new Exchange cert, and I'm not completely sure which boxes were checked and which were not, and that's my issue (sorry, I should have fleshed things out more fully in the original post).

I am using the following article as my guide: http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/

In the cert wizard, where it says Outlook Web App under Client Access Server, I'm not sure if I should check both the "Outlook Web App is on the intranet" box and the "Outlook Web App is on the Internet" box, or just the "Outlook Web App is on the Internet" box alone.  Internally, we only use Outlook (not OWA), so I'm thinking the first box can be unchecked?

Next, where it has "Exchange ActiveSync is enabled", I'll just enter owa.companyname.org (our internet-based name).  Where it says Client Access Server (Web Services, Outlook Anywhere, and Autodiscover), I know we don't use Outlook Anywhere, but I'm not sure what Exchange Web Services is referring to.  Are these the web services required for OWA access?  If so, I'll check that and go with the internet name owa.companyname.org.

For the Hub Transport Server, I'm not sure if the "Use mutual TLS to help secure Internet mail" box should be checked or not (I'm guessing so, but not sure how it was originally set or if there is any way to see what this setting is currently).  Also, if that box was checked, I suppose I should not enter the local host name here, but the internet host name, since that appears to be all this cert had in it: internet-side DNS names.  Correct?
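The questions above (what was in the original certificate, whether mutual TLS is in use, and how to produce a request that GoDaddy can re-key with a fresh private key) can all be answered from the Exchange Management Shell without the wizard. The following is an added example, not code from the thread or from the linked article: it reads the existing certificate's SAN list and service bindings, checks the transport Domain Security lists (the server-side setting behind the wizard's mutual TLS option, as assumed here), and generates a new CSR with a new key from the recovered names. The thumbprint, organisation details and file paths are placeholders.

```powershell
# Added example (not from the original thread): run in the Exchange Management Shell
# on Exchange 2010. Host names, thumbprint, organisation fields and paths are placeholders.

# 1. Inventory every certificate Exchange knows about, so the new request can reproduce
#    the names and the service bindings (IIS/SMTP/POP/IMAP) of the purchased one.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter, Issuer

# 2. Select the GoDaddy-issued certificate by thumbprint (placeholder value) and
#    capture its SAN list; this is exactly the list the new request must carry.
$oldThumbprint = 'PLACEHOLDER_THUMBPRINT'
$old = Get-ExchangeCertificate -Thumbprint $oldThumbprint
$sanList = $old.CertificateDomains | ForEach-Object { $_.ToString() }
# In the thread this would be owa.companyname.org, www.owa.companyname.org,
# autodiscover.companyname.org, legacy.companyname.org and companyname.org.

# 3. Domain Security (mutual TLS with partner domains) is configured in transport.
#    If both lists are empty, mutual TLS is not in use today, whatever the wizard showed.
Get-TransportConfig | Format-List TLSReceiveDomainSecureList, TLSSendDomainSecureList

# 4. Generate a CSR with a fresh private key (a re-key requires a new key pair), using
#    the first SAN as the subject CN and the full recovered list as the DomainName set.
#    PrivateKeyExportable is needed so the issued cert can later be copied to the second server.
$subject = "CN=$($sanList[0]),O=PLACEHOLDER_ORG,L=PLACEHOLDER_CITY,S=PLACEHOLDER_STATE,C=US"
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName $subject `
    -DomainName $sanList `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -FriendlyName "Exchange SAN cert (rekey $(Get-Date -Format yyyy-MM-dd))"
Set-Content -Path 'C:\Certs\exchange-rekey.req' -Value $csr

# 5. Once GoDaddy returns the re-keyed certificate: import it, bind the same services the
#    old one had, and only then remove the old certificate.
# Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path 'C:\Certs\issued.cer' -Encoding Byte -ReadCount 0))
# Enable-ExchangeCertificate -Thumbprint 'PLACEHOLDER_NEW_THUMBPRINT' -Services $old.Services
```

Run step 1 on both servers: the thread notes that the self-signed certificates carry only the internal host names and are bound to SMTP alone, and comparing the two listings shows which certificate actually serves IIS (OWA, ActiveSync, Autodiscover, EWS) and which serves SMTP, which is the information the wizard's checkboxes encode.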
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)

Thanks, Simon.