Solved

SAN certificate on Exchange 2010

Posted on 2013-11-10
Last Modified: 2013-11-11
We have two Exchange servers running in a DAG and the SAN certificate is expired.

How to check all alternative names used in the SAN certificate? How to renew both certificates?

The certificate is generated from Verisign.

Can I temporarily bypass the ecertificate as currently all external Outlook users can use the email. Internal access works fine. Why is there a difference?

Great Thanks.
0
Question by:AXISHK
12 Comments
 
LVL 20

Expert Comment

by:Peter Hutchison
ID: 39636858
If you bypass the certificate then all mail traffic will not be encrypted and will be sent in viewable text. This will affect OWA, ActiveSync and Outlook Anywhere.

You can view the contents of the certificate by either looking in the Certificates MMC on the Client Access Exchange server or just by browsing to your OWA web site and using File, Properties (or clicking on the padlock icon) and clicking on View Certificate to view the alternative names on the Details tab, Subject Alternative Names attribute.
0
 

Author Comment

by:AXISHK
ID: 39636923
So can I temporarily bypass the ecert until I renew a new one?

Tks
0
 

Author Comment

by:AXISHK
ID: 39636941
Is it a self-issued certificate by the server itself? How to renew it?

Tks
ecert.png
0
 

Author Comment

by:AXISHK
ID: 39637043
Checked the Exchange server and it seems that the certificate is generated by the Exchange CA itself. How to renew the certificate issued by the CA installed on Exchange?
Tks



[PS] C:\Windows\system32>Get-ExchangeCertificate -thumbprint "B72AA068C52ED9CEA2FAXXXXXXXXXXX" | New-ExchangeCertificate -PrivateKeyExportable $true
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'ex02.abc.com.' because the CA-signed certificate with thumbprint 'B72AA068C52ED9CEA2FXXXXXXX' takes precedence. The following receive/send connectors match that FQDN: Default EX02, Client EX02.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39638122
You cannot bypass the certificate without making major changes to the operation of Exchange. It is not a recommended setting.

The error message you have received is fine, just allow it to continue.

However you need to change it to a trusted certificate as quickly as possible as end users will get errors from OWA and ActiveSync is unlikely to connect reliably.

Simon.
0
 

Author Comment

by:AXISHK
ID: 39638169
How to temporarily bypass the certificate ?

Currently, Outlook from external users (but not internal users) can't connect as the certificate is expired.

Tks
0
 
LVL 10

Assisted Solution

by:Vijaya Babu Sekar
Vijaya Babu Sekar earned 664 total points
ID: 39638178
If you already imported certificates, you can get the certificates through Exchange PowerShell.

Get-ExchangeCertificate

You can assign/enable only one certificate at a time; then you can check the unassigned certificate. You can assign the certificate with the help of the thumbprint.

Enable-ExchangeCertificate -Thumbprint <your_thumbprint> -Services "POP,IMAP,SMTP,IIS"



Thanks
0
 

Author Comment

by:AXISHK
ID: 39639048
For a self-generated certificate in Exchange, does it have a root certificate? Will the root certificate be expired?

Again, still have no idea why the internal Outlook can send or receive properly while external users cannot ...


Tks
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 668 total points
ID: 39639058
A self signed certificate will not have a root.
You need to get a trusted certificate - $60/year from a GoDaddy reseller will get you a certificate and for most domains it will be issued within 30 minutes.

Simon.
0
 

Author Comment

by:AXISHK
ID: 39639095
So, if the issuer is the name of the server, that means it is a self-issued certificate, correct?

Once the ecert is expired, will Exchange cut out all the connection for Outlook external users ?

Tks
0
 
LVL 20

Accepted Solution

by:Peter Hutchison
Peter Hutchison earned 668 total points
ID: 39639155
Yes, Exchange will automatically create a self-signed cert when you first install Exchange and it will have an expiry date. When it expires it can no longer encrypt traffic to/from Exchange.

You can create a new self-signed cert using the Exchange Powershell commands using the same common name as the old one:
New-ExchangeCertificate

Syntax for the command is:
http://technet.microsoft.com/en-us/library/bb691010%28v=EXCHG.80%29.aspx

Then use Import-ExchangeCertificate to import the public key and then Enable-ExchangeCertificate to apply it to the IIS, IMAP, POP, SMTP services.
0
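The checks discussed in this thread (which names are in the SAN list, whether the issuer equals the subject, and whether the certificate has expired) can also be done from PowerShell on the server. This is an added example, not code from any poster in the thread; the function name Get-CertSanReport and the 30-day warning threshold are assumptions.

```powershell
# Added example. Run in Windows PowerShell on the Exchange server.
# Read-only: it lists certificates in the local computer store and changes nothing.
function Get-CertSanReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',   # computer "Personal" store
        [int]$WarnDays = 30                              # assumed warning threshold
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # Subject Alternative Name is X.509 extension OID 2.5.29.17.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sans = @()
        if ($sanExt) {
            # Format($true) gives one entry per line, e.g. "DNS Name=mail.example.com"
            # (the label text depends on the Windows display language).
            $sans = @($sanExt.Format($true) -split "`r?`n" |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }

        # Negative DaysLeft means the certificate is already past NotAfter.
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
        $state = 'OK'
        if ($daysLeft -lt 0) { $state = 'EXPIRED' }
        elseif ($daysLeft -le $WarnDays) { $state = 'EXPIRING' }

        # Same subject and issuer name: self-signed, so no separate root to trust.
        $selfSigned = ($cert.Subject -eq $cert.Issuer)

        New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = $selfSigned
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            State      = $state
            SANs       = ($sans -join '; ')
        } | Select-Object Thumbprint, Subject, Issuer, SelfSigned, NotAfter, DaysLeft, State, SANs
    }
}

# Expired and soon-to-expire certificates are listed first.
Get-CertSanReport | Sort-Object DaysLeft | Format-List
```

Run it on each DAG member, since each server has its own certificate store, and compare the thumbprints with the output of Get-ExchangeCertificate to see which certificate is bound to which services.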
 

Author Closing Comment

by:AXISHK
ID: 39640638
Tks
0
