SAN certificate on Exchange 2010

We have two Exchange servers running in a DAG and the SAN certificate has expired.

How to check all the alternative names used in the SAN certificate? How to renew both certificates?

The certificate is generated from VeriSign.

Can I temporarily bypass the e-certificate, as currently all external Outlook users can use the email? Internal access works fine. Why is there a difference?

Great Thanks.
AXISHK asked:

Peter Hutchison, Senior Network Systems Specialist, commented:
Yes, Exchange will automatically create a self-signed cert when you first install Exchange and it will have an expiry date. When it expires it can no longer encrypt traffic to/from Exchange.

You can create a new self-signed cert using the Exchange PowerShell commands, using the same common name as the old one:
New-ExchangeCertificate

Syntax for the command is:
http://technet.microsoft.com/en-us/library/bb691010%28v=EXCHG.80%29.aspx

Then use Import-ExchangeCertificate to import the public key and then Enable-ExchangeCertificate to apply it to the IIS, IMAP, POP and SMTP services.
0
 
Peter Hutchison, Senior Network Systems Specialist, commented:
If you bypass the certificate then all mail traffic will not be encrypted and sent in viewable text. This will affect OWA, ActiveSync and Outlook Anywhere.

You can view the contents of the certificate either by looking in the Certificates MMC on the Client Access Exchange server, or just by browsing to your OWA web site and using File, Properties (or clicking the padlock icon) and then View Certificate; the alternative names are on the Details tab, under the Subject Alternative Name attribute.
0
 
AXISHK (Author) commented:
So can I temporarily bypass the e-cert until I renew a new one?

Tks
0
 
AXISHK (Author) commented:
Is it a self-issued certificate by the server itself? How to renew it?

Tks
ecert.png
0
 
AXISHK (Author) commented:
Checked the Exchange server, and it seems that the certificate is generated from the Exchange CA by itself. How to renew the certificate issued by the CA installed on Exchange?
Tks

[PS] C:\Windows\system32>Get-ExchangeCertificate -thumbprint "B72AA068C52ED9CEA2FAXXXXXXXXXXX" | New-ExchangeCertificate -PrivateKeyExportable $true
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'ex02.abc.com.' because the
CA-signed certificate with thumbprint 'B72AA068C52ED9CEA2FXXXXXXX' takes precedence. The following
receive/send connectors match that FQDN: Default EX02, Client EX02.
0
 
Simon Butler (Sembee), Consultant, commented:
You cannot bypass the certificate without making major changes to the operation of Exchange. It is not a recommended setting.

The error message you have received is fine, just allow it to continue.

However you need to change it to a trusted certificate as quickly as possible as end users will get errors from OWA and ActiveSync is unlikely to connect reliably.

Simon.
0
 
AXISHK (Author) commented:
How to temporarily bypass the certificate ?

Currently, Outlook from external users (but not internal users) can't connect as the certificate is expired.

Tks
0
 
Vijaya Babu Sekar, Associate Ops Manager, commented:
If you have already imported the certificates, you can list them through the Exchange PowerShell:

Get-ExchangeCertificate


You can assign/enable only one certificate at a time, and then you can check the unassigned certificate. You can assign the certificate with the help of its thumbprint.


Enable-ExchangeCertificate -Thumbprint <your_thumbprint> -Services "POP,IMAP,SMTP,IIS"




Thanks
0
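The checks and renewal steps described in the answers above, pulled together as an added example (not posted by any participant in the thread). It assumes the Exchange Management Shell on Exchange 2010, placeholder files under C:\certs, a placeholder thumbprint to be taken from the inventory output, and EX02 as the second server (the name appears in the warning quoted above).

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on one DAG member.

# 1. Inventory: every certificate Exchange knows about, with SANs, issuer, expiry and bound services.
#    IsSelfSigned separates the install-time self-signed cert from the CA-signed (VeriSign) one.
Get-ExchangeCertificate | Sort-Object NotAfter |
    Select-Object Thumbprint, Subject, Issuer, IsSelfSigned, Services, NotAfter,
        @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } },
        @{ n = 'SANs';    e = { $_.CertificateDomains -join ', ' } } |
    Format-List

# 2. Renewal request for the CA-signed cert: reuse the expired certificate's subject and SAN list
#    so no name is lost. The thumbprint below is a placeholder taken from the inventory above.
$oldThumbprint = 'PASTE_EXPIRED_CERT_THUMBPRINT_HERE'
$old = Get-ExchangeCertificate -Thumbprint $oldThumbprint
$csr = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 `
           -SubjectName $old.Subject -DomainName $old.CertificateDomains
Set-Content -Path 'C:\certs\renewal.req' -Value $csr
# Submit renewal.req to the CA; save the signed certificate it returns as C:\certs\signed.cer.

# 3. Import the CA's answer on this server and bind it to the client-facing services.
#    Until this step the expired certificate stays bound, which is what external Outlook clients see.
$new = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path 'C:\certs\signed.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS,SMTP,POP,IMAP'

# 4. Second server: export the renewed cert with its private key (PFX) and copy it over.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$pfx = Export-ExchangeCertificate -Thumbprint $new.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path '\\EX02\c$\certs\renewed.pfx' -Value $pfx.FileData -Encoding Byte
# Then on EX02 (assumed name), in its own Exchange Management Shell:
#   Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path 'C:\certs\renewed.pfx' -Encoding Byte -ReadCount 0)) -Password $pfxPassword
#   Enable-ExchangeCertificate -Thumbprint <same thumbprint as $new.Thumbprint> -Services 'IIS,SMTP,POP,IMAP'
```

Re-run step 1 on both servers afterwards: the renewed thumbprint should show the IIS, SMTP, POP and IMAP services and Expired = False, and the old one should have no services bound.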
 
AXISHK (Author) commented:
For a self-generated certificate in Exchange, does it have a root certificate? Will the root certificate expire?

Again, still have no idea why the internal Outlook can send or receive properly while external users cannot ...


Tks
0
 
Simon Butler (Sembee), Consultant, commented:
A self signed certificate will not have a root.
You need to get a trusted certificate - $60/year from a GoDaddy reseller will get you a certificate and for most domains it will be issued within 30 minutes.

Simon.
0
 
AXISHK (Author) commented:
So, if the issuer is the name of the server, that means it is a self-issued certificate, correct?

Once the ecert is expired, will Exchange cut out all the connection for Outlook external users ?

Tks
0
 
AXISHK (Author) commented:
Tks
0