Solved

Exchange 2013 - install new certificate to replace single host certificate

Posted on 2013-10-23
5
467 Views
Last Modified: 2013-10-29
I have a new working implementation of Ex13 (w/Outlook 10,13) and along the way I purchased and installed a single-host certificate instead of a SAN certificate, not realizing there was a difference.  Obviously to get it to work I have both internal and external URLs set to the same name.  I need to change this, so I purchased a new SAN certificate with the correct names.  I have gone as far as installing it in Exchange but have not assigned any services.  This morning I got a complaint that a meeting invite failed and I wonder if it is related.  Is there anything I need to take into consideration doing this?  Can I just  assign it to the services and de-assign the old one?  How will Outlook get updated?  Somewhat time-critical. Thanks.
0
Comment
Question by:dvanaken
  • 3
5 Comments
 
LVL 12

Accepted Solution

by:
Chris earned 250 total points
Comment Utility
As long as the relevant hostnames are in the certficate and it's not expired then you should have no issues.

There's no 'updating' outlook. The certificate is presented by the server when outlook connects. Outlook doesn't store it.

For example, if your server name is exchange01.domain.local, outlook will attempt to connect to this hostname and will be presented with the certificate by the server. If exchange01.domain.local is contained within the certificate (either as the CN or as a SAN) then outlook will trust that the server is who it says it is and you'll connect.

If the hostname isn't contained within the cert then outlook won't be able to verify the identity of the server and will throw up a certificate error and ask you if you want to continue.

As long as you have the correct SAN values in the certificate this process should continue without any issues.
0
 

Author Comment

by:dvanaken
Comment Utility
Hey Goose-

Thanks for the post.  So after de-assigning the old cert from services and then assigning them to the new cert, do I need to restart anything?  Do I need to wait before I delete the old cert from the GUI?
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 250 total points
Comment Utility
When I change the SSL certificate, I always run IISRESET so that any sessions currently active are broken and start using the new certificate. The old one can then be removed.

You only need a UC type certificate if you want to include Autodiscover.example.com as your external DNS provider doesn't support SRV records.
Internal host names do not need to be included, and if they are .local type then you will find it is impossible to get a certificate after November 2015.

Simon.
0
 

Assisted Solution

by:dvanaken
dvanaken earned 0 total points
Comment Utility
Simon - thanks.  I ran IISRESET and all is well.  I will remove the old cert later today. We use *.domain.com internally too so needed to secure the internal name server.domain.com and also autodiscover.domain.com.  I totally missed that when I was first installing the cert and lost about 8 hrs of work trying to manage around it.  Thanks again.
0
 

Author Closing Comment

by:dvanaken
Comment Utility
Thank you both!
0

Featured Post

Want to promote your upcoming event?

Attending an event? Speaking at a conference? Or exhibiting at a tradeshow? Easily inform your contacts by using a promotional banner in your email signature. This will ensure your organization’s most important contacts are in the know.

Join & Write a Comment

Utilizing an array to gracefully append to a list of EmailAddresses
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now