[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 496
  • Last Modified:

Exchange 2013 - install new certificate to replace single host certificate

I have a new working implementation of Ex13 (w/Outlook 10,13) and along the way I purchased and installed a single-host certificate instead of a SAN certificate, not realizing there was a difference.  Obviously to get it to work I have both internal and external URLs set to the same name.  I need to change this, so I purchased a new SAN certificate with the correct names.  I have gone as far as installing it in Exchange but have not assigned any services.  This morning I got a complaint that a meeting invite failed and I wonder if it is related.  Is there anything I need to take into consideration doing this?  Can I just  assign it to the services and de-assign the old one?  How will Outlook get updated?  Somewhat time-critical. Thanks.
0
dvanaken
Asked:
dvanaken
  • 3
3 Solutions
 
ChrisCommented:
As long as the relevant hostnames are in the certficate and it's not expired then you should have no issues.

There's no 'updating' outlook. The certificate is presented by the server when outlook connects. Outlook doesn't store it.

For example, if your server name is exchange01.domain.local, outlook will attempt to connect to this hostname and will be presented with the certificate by the server. If exchange01.domain.local is contained within the certificate (either as the CN or as a SAN) then outlook will trust that the server is who it says it is and you'll connect.

If the hostname isn't contained within the cert then outlook won't be able to verify the identity of the server and will throw up a certificate error and ask you if you want to continue.

As long as you have the correct SAN values in the certificate this process should continue without any issues.
0
 
dvanakenAuthor Commented:
Hey Goose-

Thanks for the post.  So after de-assigning the old cert from services and then assigning them to the new cert, do I need to restart anything?  Do I need to wait before I delete the old cert from the GUI?
0
 
Simon Butler (Sembee)ConsultantCommented:
When I change the SSL certificate, I always run IISRESET so that any sessions currently active are broken and start using the new certificate. The old one can then be removed.

You only need a UC type certificate if you want to include Autodiscover.example.com as your external DNS provider doesn't support SRV records.
Internal host names do not need to be included, and if they are .local type then you will find it is impossible to get a certificate after November 2015.

Simon.
0
 
dvanakenAuthor Commented:
Simon - thanks.  I ran IISRESET and all is well.  I will remove the old cert later today. We use *.domain.com internally too so needed to secure the internal name server.domain.com and also autodiscover.domain.com.  I totally missed that when I was first installing the cert and lost about 8 hrs of work trying to manage around it.  Thanks again.
0
 
dvanakenAuthor Commented:
Thank you both!
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now