Solved

SAN certificate on Exchange 2010

Posted on 2013-11-10
12
360 Views
Last Modified: 2013-11-11
We have two Exchange running in DAG and the SAN certificate is expired.

How to check all alternative name used in SAN certificate ? How to renew both certifcates ?

The certificate is generated from Versign.

Can I temporarliy bypass the ecertficate as currenlty all external Outlook users can use the email. Internal access works fine. Why are there difference ?

Great Thanks.
0
Comment
Question by:AXISHK
  • 7
  • 2
  • 2
  • +1
12 Comments
 
LVL 19

Expert Comment

by:Peter Hutchison
ID: 39636858
If you bypass the certificate then all mail traffic will not be encrypted and sent in viewable text. This will affect OWA, ActiveSync and Outlook Anywhere.

You can view the contents of the certificate by either looking in the Certificates MMC on the CLient Access Exchange server or just by browsing to your OWA web site and use File, Properties, (or click on Padlock icon) and click on View Certificate to view alternative names on the Details tab, Subject Alternative Names attribute.
0
 

Author Comment

by:AXISHK
ID: 39636923
So can I temporarily bypass the ecert util I renew a new one ?

Tks
0
 

Author Comment

by:AXISHK
ID: 39636941
Is it a self-issue certificate by the server itself ? How to renew it ?

Tks
ecert.png
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:AXISHK
ID: 39637043
Check the Exchange server and it seems that the certificate is generated from the Exchange CA by itself. How to renew the certificate issue by CA installed on Exchange ??
Tks



[PS] C:\Windows\system32>Get-ExchangeCertificate -thumbprint "B72AA068C52ED9CEA2FAXXXXXXXXXXX" | New-ExchangeCe
rtificate -PrivateKeyExportable $true
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'ex02.abc.com.' because the
CA-signed certificate with thumbprint 'B72AA068C52ED9CEA2FXXXXXXX' takes precedence. The following
receive/send connectors match that FQDN: Default EX02, Client EX02.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39638122
You cannot bypass the certificate without making major changes to the operation of Exchange. It is not a recommended setting.

The error message you have received is fine, just allow it to continue.

However you need to change it to a trusted certificate as quickly as possible as end users will get errors from OWA and ActiveSync is unlikely to connect reliably.

Simon.
0
 

Author Comment

by:AXISHK
ID: 39638169
How to temporarily bypass the certificate ?

Currently, Outlook from external users (but not internal users) can't connect as the certificate is expired.

Tks
0
 
LVL 10

Assisted Solution

by:Vijaya Babu Sekar
Vijaya Babu Sekar earned 166 total points
ID: 39638178
If you already imported certificates. you can get the certificates through Exchange powershell.

Get-Exchangecertificate

Open in new window


At a time you can assign\enabled the only one certificate, then you can check the unassigned certificate. you can assigned the certificate with help of thump print.


Enable-ExchangeCertificate -Thumbprint <your_thumbprint> -Services "POP,IMAP,SMTP,IIS"

Open in new window



Thanks
0
 

Author Comment

by:AXISHK
ID: 39639048
For a self generated certificate in Exchange, does it have a root certficate ? Will the root certificate be expired ?

Again, still have no idea why the internal Outlook can send or receive properly while external users cannot ...


Tks
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 167 total points
ID: 39639058
A self signed certificate will not have a root.
You need to get a trusted certificate - $60/year from a GoDaddy reseller will get you a certificate and for most domains it will be issued within 30 minutes.

Simon.
0
 

Author Comment

by:AXISHK
ID: 39639095
So, if the issuer is the name of the server, that's mean it is a self-issue certificate, correct ?

Once the ecert is expired, will Exchange cut out all the connection for Outlook external users ?

Tks
0
 
LVL 19

Accepted Solution

by:
Peter Hutchison earned 167 total points
ID: 39639155
Yes, Exchange will automatically create a self-signed cert when you first install Exchange and it will have an expiry date. When it expires it can no longer encrypt traffic to/from Exchange.

You can create a new self-signed cert using the Exchange Powershell commands using the same common name as the old one:
New-ExchangeCertificate

Synxtax for command is:
http://technet.microsoft.com/en-us/library/bb691010%28v=EXCHG.80%29.aspx

The use the Import-ExchangeCertificate to import the public key and then Enable-ExchangeCertifiicate to apply it to IIS, IMAP,POP,SMTP services.
0
 

Author Closing Comment

by:AXISHK
ID: 39640638
Tks
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Outlook 2010 - access public folder shortcut. 1 33
Exchange 2013 - Get Public Folder Path 2 24
exchange raw database size? 5 34
Email forward and auto reply 4 33
MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question