[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Exchange 2013 - install new certificate to replace single host certificate

Posted on 2013-10-23
5
Medium Priority
?
480 Views
Last Modified: 2013-10-29
I have a new working implementation of Ex13 (w/Outlook 10,13) and along the way I purchased and installed a single-host certificate instead of a SAN certificate, not realizing there was a difference.  Obviously to get it to work I have both internal and external URLs set to the same name.  I need to change this, so I purchased a new SAN certificate with the correct names.  I have gone as far as installing it in Exchange but have not assigned any services.  This morning I got a complaint that a meeting invite failed and I wonder if it is related.  Is there anything I need to take into consideration doing this?  Can I just  assign it to the services and de-assign the old one?  How will Outlook get updated?  Somewhat time-critical. Thanks.
0
Comment
Question by:dvanaken
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
5 Comments
 
LVL 12

Accepted Solution

by:
Chris earned 1000 total points
ID: 39593694
As long as the relevant hostnames are in the certficate and it's not expired then you should have no issues.

There's no 'updating' outlook. The certificate is presented by the server when outlook connects. Outlook doesn't store it.

For example, if your server name is exchange01.domain.local, outlook will attempt to connect to this hostname and will be presented with the certificate by the server. If exchange01.domain.local is contained within the certificate (either as the CN or as a SAN) then outlook will trust that the server is who it says it is and you'll connect.

If the hostname isn't contained within the cert then outlook won't be able to verify the identity of the server and will throw up a certificate error and ask you if you want to continue.

As long as you have the correct SAN values in the certificate this process should continue without any issues.
0
 

Author Comment

by:dvanaken
ID: 39594960
Hey Goose-

Thanks for the post.  So after de-assigning the old cert from services and then assigning them to the new cert, do I need to restart anything?  Do I need to wait before I delete the old cert from the GUI?
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 1000 total points
ID: 39596986
When I change the SSL certificate, I always run IISRESET so that any sessions currently active are broken and start using the new certificate. The old one can then be removed.

You only need a UC type certificate if you want to include Autodiscover.example.com as your external DNS provider doesn't support SRV records.
Internal host names do not need to be included, and if they are .local type then you will find it is impossible to get a certificate after November 2015.

Simon.
0
 

Assisted Solution

by:dvanaken
dvanaken earned 0 total points
ID: 39597038
Simon - thanks.  I ran IISRESET and all is well.  I will remove the old cert later today. We use *.domain.com internally too so needed to secure the internal name server.domain.com and also autodiscover.domain.com.  I totally missed that when I was first installing the cert and lost about 8 hrs of work trying to manage around it.  Thanks again.
0
 

Author Closing Comment

by:dvanaken
ID: 39608085
Thank you both!
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Want to know how to use Exchange Server Eseutil command? Go through this article as it gives you the know-how.
On September 18, Experts Exchange launched the first installment of the Help Bell, a new feature for Premium Members, Team Accounts, and Qualified Experts. The Help Bell will serve as an additional tool to help teams increase question visibility.
This Experts Exchange video Micro Tutorial shows how to tell Microsoft Office that a word is NOT spelled correctly. Microsoft Office has a built-in, main dictionary that is shared by Office apps, including Excel, Outlook, PowerPoint, and Word. When …
CodeTwo Sync for iCloud (http://www.codetwo.com/sync-for-icloud?sts=6554) automatically synchronizes your Outlook 2016, 2013, 2010 or 2007 folders with iCloud folders available via iCloud Control Panel. This lets you automatically sync them with…
Suggested Courses

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question