Exchange 2013 - install new certificate to replace single host certificate

Posted on 2013-10-23
Last Modified: 2013-10-29
I have a new working implementation of Ex13 (w/Outlook 10,13) and along the way I purchased and installed a single-host certificate instead of a SAN certificate, not realizing there was a difference.  Obviously to get it to work I have both internal and external URLs set to the same name.  I need to change this, so I purchased a new SAN certificate with the correct names.  I have gone as far as installing it in Exchange but have not assigned any services.  This morning I got a complaint that a meeting invite failed and I wonder if it is related.  Is there anything I need to take into consideration doing this?  Can I just  assign it to the services and de-assign the old one?  How will Outlook get updated?  Somewhat time-critical. Thanks.
Question by:dvanaken
Accepted Solution

by:
Chris earned 1000 total points
ID: 39593694
As long as the relevant hostnames are in the certificate and it's not expired then you should have no issues.

There's no 'updating' Outlook. The certificate is presented by the server when Outlook connects. Outlook doesn't store it.

For example, if your server name is exchange01.domain.local, Outlook will attempt to connect to this hostname and will be presented with the certificate by the server. If exchange01.domain.local is contained within the certificate (either as the CN or as a SAN) then Outlook will trust that the server is who it says it is and you'll connect.

If the hostname isn't contained within the cert then Outlook won't be able to verify the identity of the server and will throw up a certificate error and ask you if you want to continue.

As long as you have the correct SAN values in the certificate this process should continue without any issues.

Author Comment

by:dvanaken
ID: 39594960
Hey Goose-

Thanks for the post.  So after de-assigning the old cert from services and then assigning them to the new cert, do I need to restart anything?  Do I need to wait before I delete the old cert from the GUI?

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 1000 total points
ID: 39596986
When I change the SSL certificate, I always run IISRESET so that any sessions currently active are broken and start using the new certificate. The old one can then be removed.

You only need a UC type certificate if you want to include Autodiscover.example.com as your external DNS provider doesn't support SRV records.
Internal host names do not need to be included, and if they are .local type then you will find it is impossible to get a certificate after November 2015.

Simon.

Assisted Solution

by:dvanaken
dvanaken earned 0 total points
ID: 39597038
Simon - thanks.  I ran IISRESET and all is well.  I will remove the old cert later today. We use *.domain.com internally too so needed to secure the internal name server.domain.com and also autodiscover.domain.com.  I totally missed that when I was first installing the cert and lost about 8 hrs of work trying to manage around it.  Thanks again.

Author Closing Comment

by:dvanaken
ID: 39608085
Thank you both!
0
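
The switch-over discussed in this thread, as an added example for the Exchange Management Shell (not code from any of the posts above): it confirms that the new certificate's names cover every host in the configured URLs before assigning services, then restarts IIS. The thumbprints are placeholders, and the service list `IIS,SMTP` is an assumption; use whichever services the old certificate currently holds.

```powershell
# Placeholders: substitute the thumbprints shown by Get-ExchangeCertificate.
$newThumb = '<NEW-CERT-THUMBPRINT>'
$oldThumb = '<OLD-CERT-THUMBPRINT>'

# 1. Review installed certificates and the services each one holds.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# 2. Collect every host name that clients are told to connect to.
$urls  = @()
$urls += Get-OwaVirtualDirectory         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-EcpVirtualDirectory         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-WebServicesVirtualDirectory | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-ActiveSyncVirtualDirectory  | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-OabVirtualDirectory         | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-ClientAccessServer          | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$hosts  = @($urls | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host })
$hosts += Get-OutlookAnywhere |
    ForEach-Object { "$($_.InternalHostname)", "$($_.ExternalHostname)" }
$hosts  = $hosts | Where-Object { $_ } | Sort-Object -Unique

# 3. Compare against the CN/SAN names on the new certificate.
#    A wildcard entry (*.domain.com) covers exactly one extra label.
$names = (Get-ExchangeCertificate -Thumbprint $newThumb).CertificateDomains |
    ForEach-Object { "$_" }
$missing = $hosts | Where-Object {
    $h = $_
    -not ($names | Where-Object {
        $h -eq $_ -or ($_.StartsWith('*.') -and $h -like $_ -and
                       $h.Split('.').Count -eq $_.Split('.').Count)
    })
}
if ($missing) { throw "New certificate does not cover: $($missing -join ', ')" }

# 4. Assign services to the new certificate, then break existing sessions
#    so clients are presented with it on reconnect.
Enable-ExchangeCertificate -Thumbprint $newThumb -Services IIS,SMTP
iisreset

# 5. Once clients connect without certificate warnings, run separately:
# Remove-ExchangeCertificate -Thumbprint $oldThumb
```

If step 3 throws, either correct the internal/external URLs so they use names on the certificate or reissue the certificate; assigning it anyway produces the name-mismatch warning described in the accepted answer.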
