Solved

SAN certificate on Exchange 2010

Posted on 2013-11-10
12
Medium Priority
377 Views
Last Modified: 2013-11-11
We have two Exchange servers running in a DAG and the SAN certificate is expired.

How do I check all alternative names used in the SAN certificate? How do I renew both certificates?

The certificate is generated from Verisign.

Can I temporarily bypass the certificate, as currently all external Outlook users can use the email? Internal access works fine. Why is there a difference?

Great Thanks.
0
Question by:AXISHK
12 Comments
 
LVL 20

Expert Comment

by:Peter Hutchison
ID: 39636858
If you bypass the certificate then all mail traffic will not be encrypted and will be sent in viewable text. This will affect OWA, ActiveSync and Outlook Anywhere.

You can view the contents of the certificate either by looking in the Certificates MMC on the Client Access Exchange server or just by browsing to your OWA web site and using File, Properties (or clicking on the padlock icon), then clicking on View Certificate to view the alternative names on the Details tab, Subject Alternative Names attribute.
0
 

Author Comment

by:AXISHK
ID: 39636923
So can I temporarily bypass the ecert until I renew a new one?

Tks
0
 

Author Comment

by:AXISHK
ID: 39636941
Is it a self-issued certificate by the server itself? How do I renew it?

Tks
ecert.png
0
 

Author Comment

by:AXISHK
ID: 39637043
Checked the Exchange server and it seems that the certificate is generated by the Exchange CA itself. How do I renew the certificate issued by the CA installed on Exchange?
Tks



[PS] C:\Windows\system32>Get-ExchangeCertificate -thumbprint "B72AA068C52ED9CEA2FAXXXXXXXXXXX" | New-ExchangeCe
rtificate -PrivateKeyExportable $true
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'ex02.abc.com.' because the
CA-signed certificate with thumbprint 'B72AA068C52ED9CEA2FXXXXXXX' takes precedence. The following
receive/send connectors match that FQDN: Default EX02, Client EX02.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39638122
You cannot bypass the certificate without making major changes to the operation of Exchange. It is not a recommended setting.

The error message you have received is fine, just allow it to continue.

However, you need to change it to a trusted certificate as quickly as possible, as end users will get errors from OWA and ActiveSync is unlikely to connect reliably.

Simon.
0
 

Author Comment

by:AXISHK
ID: 39638169
How do I temporarily bypass the certificate?

Currently, Outlook for external users (but not internal users) can't connect as the certificate is expired.

Tks
0
 
LVL 10

Assisted Solution

by:Vijaya Babu Sekar
Vijaya Babu Sekar earned 664 total points
ID: 39638178
If you already imported certificates, you can get the certificates through Exchange PowerShell.

Get-Exchangecertificate



At a time you can assign/enable only one certificate, then you can check the unassigned certificate. You can assign the certificate with the help of the thumbprint.


Enable-ExchangeCertificate -Thumbprint <your_thumbprint> -Services "POP,IMAP,SMTP,IIS"




Thanks
0
 

Author Comment

by:AXISHK
ID: 39639048
For a self-generated certificate in Exchange, does it have a root certificate? Will the root certificate expire?

Again, I still have no idea why internal Outlook can send or receive properly while external users cannot ...


Tks
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 668 total points
ID: 39639058
A self-signed certificate will not have a root.
You need to get a trusted certificate: $60/year from a GoDaddy reseller will get you a certificate, and for most domains it will be issued within 30 minutes.

Simon.
0
 

Author Comment

by:AXISHK
ID: 39639095
So, if the issuer is the name of the server, that means it is a self-issued certificate, correct?

Once the ecert is expired, will Exchange cut off all connections for external Outlook users?

Tks
0
 
LVL 20

Accepted Solution

by:
Peter Hutchison earned 668 total points
ID: 39639155
Yes, Exchange will automatically create a self-signed cert when you first install Exchange and it will have an expiry date. When it expires it can no longer encrypt traffic to/from Exchange.

You can create a new self-signed cert using the Exchange PowerShell commands, using the same common name as the old one:
New-ExchangeCertificate

Syntax for the command is:
http://technet.microsoft.com/en-us/library/bb691010%28v=EXCHG.80%29.aspx

Then use Import-ExchangeCertificate to import the public key and then Enable-ExchangeCertificate to apply it to the IIS, IMAP, POP and SMTP services.
0
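An Exchange Management Shell version of the steps described in the answers above (inventory the SAN names and expiry of every certificate on both DAG members, request a replacement with the same SAN list from a trusted CA, import and enable it, then copy it to the second node). This is an added example, not code posted in the thread; the server names, domain names, file paths and friendly name are constructed placeholders.

```powershell
# Added example: run from the Exchange Management Shell on one DAG member.
# EX01/EX02 and example.com are constructed placeholders, not values from the thread.
$servers  = @('EX01', 'EX02')
$sanNames = @('mail.example.com', 'autodiscover.example.com',
              'ex01.example.com', 'ex02.example.com')

# 1. Inventory: which services each certificate is bound to, whether it is
#    self-signed, when it expires, and the SAN entries it carries.
$inventory = foreach ($srv in $servers) {
    Get-ExchangeCertificate -Server $srv | ForEach-Object {
        [pscustomobject]@{
            Server     = $srv
            Thumbprint = $_.Thumbprint
            Services   = $_.Services
            SelfSigned = $_.IsSelfSigned          # issuer and subject are the same
            Expires    = $_.NotAfter
            DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
            SANs       = ($_.CertificateDomains -join ', ')
        }
    }
}
$inventory | Sort-Object Expires | Format-Table -AutoSize
# Any row with DaysLeft <= 0 and Services containing IIS is the expired
# certificate that OWA, ActiveSync and Outlook Anywhere are presenting.

# 2. Create a CSR carrying the same SAN list, to submit to a public CA.
$csr = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
        -SubjectName 'CN=mail.example.com,O=Example,C=US' `
        -DomainName $sanNames -FriendlyName 'Exchange SAN (renewal)'
Set-Content -Path 'C:\certs\exchange.req' -Value $csr -Encoding Ascii

# 3. Once the CA returns the signed certificate, import it on the node that
#    generated the request (it holds the private key) and bind the services.
$issued = [byte[]](Get-Content -Path 'C:\certs\issued.cer' -Encoding Byte -ReadCount 0)
$cert   = Import-ExchangeCertificate -FileData $issued
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP,POP,IMAP'

# 4. Export the certificate with its private key as a password-protected PFX
#    and repeat the import/enable on the second DAG member.
$pfxPwd = Read-Host -AsSecureString 'PFX password'
$pfx    = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPwd
Set-Content -Path 'C:\certs\exchange.pfx' -Value $pfx.FileData -Encoding Byte
# On EX02:
#   $data = [byte[]](Get-Content 'C:\certs\exchange.pfx' -Encoding Byte -ReadCount 0)
#   $c = Import-ExchangeCertificate -FileData $data -Password $pfxPwd
#   Enable-ExchangeCertificate -Thumbprint $c.Thumbprint -Services 'IIS,SMTP,POP,IMAP'
```

Re-running step 1 afterwards should show the new thumbprint bound to IIS on both servers and the old certificate with no services, after which the old one can be removed with Remove-ExchangeCertificate.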
 

Author Closing Comment

by:AXISHK
ID: 39640638
Tks
0
