Solved

SAN certificate on Exchange 2010

Posted on 2013-11-10
Last Modified: 2013-11-11
We have two Exchange servers running in a DAG and the SAN certificate has expired.

How to check all alternative names used in the SAN certificate? How to renew both certificates?

The certificate is generated from VeriSign.

Can I temporarily bypass the e-certificate, as currently all external Outlook users can use the email? Internal access works fine. Why are there differences?

Great thanks.
Question by:AXISHK
12 Comments
LVL 19

Expert Comment

by:Peter Hutchison
ID: 39636858
If you bypass the certificate then all mail traffic will not be encrypted and sent in viewable text. This will affect OWA, ActiveSync and Outlook Anywhere.

You can view the contents of the certificate either by looking in the Certificates MMC on the Client Access Exchange server, or just by browsing to your OWA web site and using File, Properties (or clicking the padlock icon), then View Certificate, to view the alternative names on the Details tab, Subject Alternative Name attribute.
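The check Peter describes, done from the shell instead of the MMC or browser, as an added example that is not part of the thread. The first part lists every certificate in the Exchange store on both servers with its SAN names and expiry; the second opens a TLS connection the way an external client would and reports the certificate the server actually presents, accepting it even when it is expired so it can be inspected. The server names ex01 and ex02 and the hostname mail.abc.com are assumptions (only ex02.abc.com appears in the thread). Probing from outside matters here because Exchange 2010 internal Outlook clients normally connect over MAPI/RPC, which uses RPC encryption rather than this certificate, whereas Outlook Anywhere is RPC over HTTPS and fails validation against an expired certificate; that is the usual reason an expired certificate breaks external Outlook but not internal.

```powershell
# Added example (not from the thread). Assumed names: ex01, ex02, mail.abc.com.

# Part 1: run in the Exchange Management Shell. Every certificate Exchange knows about,
# on both CAS/DAG members, with SAN entries, bound services and expiry.
$Servers = 'ex01', 'ex02'   # assumed server names
$Servers | ForEach-Object {
    $s = $_
    Get-ExchangeCertificate -Server $s | Sort-Object NotAfter | ForEach-Object {
        New-Object PSObject -Property @{
            Server     = $s
            Thumbprint = $_.Thumbprint
            Issuer     = $_.Issuer
            SelfSigned = $_.IsSelfSigned
            Services   = $_.Services
            NotAfter   = $_.NotAfter
            Expired    = ($_.NotAfter -lt (Get-Date))
            SANs       = ($_.CertificateDomains -join ', ')
        }
    }
} | Format-List Server, Thumbprint, Issuer, SelfSigned, Services, NotAfter, Expired, SANs

# Part 2: what an external client sees. Works from any Windows box that can reach
# the published hostname on 443; does not need the Exchange shell.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any certificate in the validation callback: the point is to read an
    # expired or untrusted certificate, not to trust it.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # OID 2.5.29.17 is subjectAltName; Format($false) renders it as "DNS Name=..., DNS Name=..."
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        New-Object PSObject -Property @{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)   # issuer equals subject means self-signed
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            Thumbprint = $cert.Thumbprint
            SANs       = $(if ($sanExt) { $sanExt.Format($false) } else { '(no SAN extension)' })
        }
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

# Assumed external hostname; compare Thumbprint/Expired here with the Part 1 output.
Get-ServedCertificate -HostName 'mail.abc.com' | Format-List Host, Subject, Issuer, SelfSigned, NotAfter, Expired, Thumbprint, SANs
```

If the thumbprint returned by Part 2 differs from the one bound to IIS in Part 1, a load balancer or reverse proxy in front of the CAS is presenting its own certificate and has to be renewed as well. On newer .NET builds where the server only accepts TLS 1.2, pass an explicit protocol with the `AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)` overload.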

Author Comment

by:AXISHK
ID: 39636923
So can I temporarily bypass the e-cert until I renew a new one?

Tks

Author Comment

by:AXISHK
ID: 39636941
Is it a self-issued certificate by the server itself? How to renew it?

Tks
ecert.png

Author Comment

by:AXISHK
ID: 39637043
Checked the Exchange server and it seems that the certificate is generated by the Exchange CA itself. How to renew the certificate issued by the CA installed on Exchange??
Tks



[PS] C:\Windows\system32>Get-ExchangeCertificate -thumbprint "B72AA068C52ED9CEA2FAXXXXXXXXXXX" | New-ExchangeCertificate -PrivateKeyExportable $true
WARNING: This certificate will not be used for external TLS connections with an FQDN of 'ex02.abc.com.' because the CA-signed certificate with thumbprint 'B72AA068C52ED9CEA2FXXXXXXX' takes precedence. The following receive/send connectors match that FQDN: Default EX02, Client EX02.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39638122
You cannot bypass the certificate without making major changes to the operation of Exchange. It is not a recommended setting.

The error message you have received is fine, just allow it to continue.

However you need to change it to a trusted certificate as quickly as possible as end users will get errors from OWA and ActiveSync is unlikely to connect reliably.

Simon.

Author Comment

by:AXISHK
ID: 39638169
How to temporarily bypass the certificate ?

Currently, Outlook from external users (but not internal users) can't connect as the certificate is expired.

Tks
LVL 10

Assisted Solution

by:Vijaya Babu Sekar
Vijaya Babu Sekar earned 166 total points
ID: 39638178
If you have already imported the certificates, you can get the certificates through the Exchange PowerShell.

Get-Exchangecertificate



At a time you can assign/enable only one certificate; then you can check the unassigned certificate. You can assign the certificate with the help of the thumbprint.


Enable-ExchangeCertificate -Thumbprint <your_thumbprint> -Services "POP,IMAP,SMTP,IIS"




Thanks

Author Comment

by:AXISHK
ID: 39639048
For a self-generated certificate in Exchange, does it have a root certificate? Will the root certificate expire?

Again, still have no idea why the internal Outlook can send or receive properly while external users cannot ...


Tks
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 167 total points
ID: 39639058
A self signed certificate will not have a root.
You need to get a trusted certificate - $60/year from a GoDaddy reseller will get you a certificate and for most domains it will be issued within 30 minutes.

Simon.

Author Comment

by:AXISHK
ID: 39639095
So, if the issuer is the name of the server, that means it is a self-issued certificate, correct?

Once the ecert is expired, will Exchange cut out all the connection for Outlook external users ?

Tks
LVL 19

Accepted Solution

by:Peter Hutchison
Peter Hutchison earned 167 total points
ID: 39639155
Yes, Exchange will automatically create a self-signed cert when you first install Exchange and it will have an expiry date. When it expires it can no longer encrypt traffic to/from Exchange.

You can create a new self-signed cert using the Exchange Powershell commands using the same common name as the old one:
New-ExchangeCertificate

Syntax for the command is:
http://technet.microsoft.com/en-us/library/bb691010%28v=EXCHG.80%29.aspx

Then use Import-ExchangeCertificate to import the public key and then Enable-ExchangeCertificate to apply it to the IIS, IMAP, POP and SMTP services.
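The request, import and enable sequence from the accepted answer, and the thumbprint-based Enable-ExchangeCertificate step from Vijaya Babu Sekar's comment, carried through end to end for both servers, as an added example that is not part of the thread. It assumes the server names ex01 and ex02, the names mail.abc.com and autodiscover.abc.com, a folder C:\certs on both servers, and that the CA's reply is saved as C:\certs\abc-signed.cer; all of these are invented for the example. The DAG itself plays no part: the certificate belongs to the Client Access role, so every server that answers client connections needs it, and the simplest way to keep both DAG members consistent is one certificate with all names in the SAN, generated with an exportable key and copied to the second server.

```powershell
# Added example (not from the thread). Assumed: ex01/ex02, mail.abc.com, autodiscover.abc.com,
# C:\certs on both servers, CA reply at C:\certs\abc-signed.cer. Run in the EMS on ex01.
$SanNames = 'mail.abc.com', 'autodiscover.abc.com', 'ex01.abc.com', 'ex02.abc.com'

# Step 1: one CSR carrying every name as a SAN. The private key stays exportable so the
# same certificate can be copied to ex02 instead of buying and maintaining two.
$csr = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 `
    -FriendlyName 'abc.com SAN' -SubjectName 'C=US, O=ABC, CN=mail.abc.com' -DomainName $SanNames
Set-Content -Path 'C:\certs\abc.req' -Value $csr -Encoding ASCII
# ... submit C:\certs\abc.req to the CA (VeriSign, GoDaddy, or an internal CA) and save the
# reply as C:\certs\abc-signed.cer before continuing ...

# Step 2: import the signed reply; Exchange pairs it with the pending private key from step 1.
# -ReadCount 0 is needed on PowerShell 2.0 to get one byte array rather than a stream of bytes.
# -Force answers the "overwrite the existing default SMTP certificate?" prompt.
$new = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path 'C:\certs\abc-signed.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS,SMTP,POP,IMAP' -Force

# Step 3: copy certificate plus private key to ex02 as a password-protected PFX and enable it there.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$pfx = Export-ExchangeCertificate -Thumbprint $new.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path '\\ex02\C$\certs\abc.pfx' -Value $pfx.FileData -Encoding Byte
Import-ExchangeCertificate -Server ex02 -Password $pfxPassword -PrivateKeyExportable $true `
    -FileData ([byte[]](Get-Content -Path '\\ex02\C$\certs\abc.pfx' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server ex02 -Thumbprint $new.Thumbprint -Services 'IIS,SMTP,POP,IMAP' -Force
Remove-Item -Path '\\ex02\C$\certs\abc.pfx'   # the PFX holds the private key; do not leave it on a share

# Step 4: confirm both servers have the new certificate bound, that it is not about to expire,
# and that every expected name is present in the SAN list.
foreach ($s in 'ex01', 'ex02') {
    $c = Get-ExchangeCertificate -Server $s -Thumbprint $new.Thumbprint
    $missing = $SanNames | Where-Object { $c.CertificateDomains -notcontains $_ }
    '{0}: services={1} expires={2:yyyy-MM-dd} missingSANs=[{3}]' -f $s, $c.Services, $c.NotAfter, ($missing -join ',')
}

# Step 5: once IIS/SMTP/POP/IMAP show against the new thumbprint on both servers, retire the
# expired one on each server (fill in the old thumbprint from Get-ExchangeCertificate).
# Remove-ExchangeCertificate -Server ex01 -Thumbprint '<old thumbprint>'
# Remove-ExchangeCertificate -Server ex02 -Thumbprint '<old thumbprint>'
```

If the intent is only to replace the expired self-signed certificate rather than buy a trusted one, step 1 collapses to `New-ExchangeCertificate -DomainName $SanNames -PrivateKeyExportable $true`, which issues the certificate directly, and steps 2 to 5 stay the same; but a self-signed certificate still fails validation on external Outlook Anywhere and ActiveSync clients, which is the point Simon makes above. Step 4's SAN check is what catches the common renewal mistake of reissuing with the old name list after a hostname has been added.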

Author Closing Comment

by:AXISHK
ID: 39640638
Tks
