Solved

Exchange 2013 - install new certificate to replace single host certificate

Posted on 2013-10-23
5
469 Views
Last Modified: 2013-10-29
I have a new working implementation of Ex13 (w/Outlook 10,13) and along the way I purchased and installed a single-host certificate instead of a SAN certificate, not realizing there was a difference.  Obviously to get it to work I have both internal and external URLs set to the same name.  I need to change this, so I purchased a new SAN certificate with the correct names.  I have gone as far as installing it in Exchange but have not assigned any services.  This morning I got a complaint that a meeting invite failed and I wonder if it is related.  Is there anything I need to take into consideration doing this?  Can I just  assign it to the services and de-assign the old one?  How will Outlook get updated?  Somewhat time-critical. Thanks.
0
Comment
Question by:dvanaken
  • 3
5 Comments
 
LVL 12

Accepted Solution

by:
Chris earned 250 total points
ID: 39593694
As long as the relevant hostnames are in the certficate and it's not expired then you should have no issues.

There's no 'updating' outlook. The certificate is presented by the server when outlook connects. Outlook doesn't store it.

For example, if your server name is exchange01.domain.local, outlook will attempt to connect to this hostname and will be presented with the certificate by the server. If exchange01.domain.local is contained within the certificate (either as the CN or as a SAN) then outlook will trust that the server is who it says it is and you'll connect.

If the hostname isn't contained within the cert then outlook won't be able to verify the identity of the server and will throw up a certificate error and ask you if you want to continue.

As long as you have the correct SAN values in the certificate this process should continue without any issues.
0
 

Author Comment

by:dvanaken
ID: 39594960
Hey Goose-

Thanks for the post.  So after de-assigning the old cert from services and then assigning them to the new cert, do I need to restart anything?  Do I need to wait before I delete the old cert from the GUI?
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 250 total points
ID: 39596986
When I change the SSL certificate, I always run IISRESET so that any sessions currently active are broken and start using the new certificate. The old one can then be removed.

You only need a UC type certificate if you want to include Autodiscover.example.com as your external DNS provider doesn't support SRV records.
Internal host names do not need to be included, and if they are .local type then you will find it is impossible to get a certificate after November 2015.

Simon.
0
 

Assisted Solution

by:dvanaken
dvanaken earned 0 total points
ID: 39597038
Simon - thanks.  I ran IISRESET and all is well.  I will remove the old cert later today. We use *.domain.com internally too so needed to secure the internal name server.domain.com and also autodiscover.domain.com.  I totally missed that when I was first installing the cert and lost about 8 hrs of work trying to manage around it.  Thanks again.
0
 

Author Closing Comment

by:dvanaken
ID: 39608085
Thank you both!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
In this video we show how to create an Address List in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Organization >> Ad…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now