Solved

setting up new SSL certificate exchange server

Posted on 2014-02-03
25
Medium Priority
363 Views
Last Modified: 2014-02-18
I have an Exchange 2010 server running on Server 2008. The SSL certificate expired so I purchased a new one.

How should I go about replacing the SSL certificate?

Thanks.
0
Comment
Question by:datatechdc
25 Comments
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 1500 total points
ID: 39830033
Create a new request through EMC, including all of the names that you require, and put that into the SSL provider's web site. When you get the result, complete the installation in EMC and then enable the services.

If the provider requires the installation of intermediate certificates then install those before completing the request - although if you are using the same provider as last time you may not have to do that step.

http://semb.ee/ssl

Simon.
0
 

Author Comment

by:datatechdc
ID: 39830225
Can you tell me where in EMC I go?

Thanks.
0
 
LVL 5

Expert Comment

by:Basheerpt
ID: 39830228
What kind of SSL certificate was there before? UC? You may renew this or request a new one. Keep the expired certificates to see their SAN names before deleting them.

Here is the GoDaddy procedure:
http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
0
 
LVL 5

Expert Comment

by:Basheerpt
ID: 39830238
In EMC > Server Configuration
0
 

Author Comment

by:datatechdc
ID: 39830279
Please see the screenshot attached. This is where I am. How should I back up the settings?
ssl1.png
0
 

Author Comment

by:datatechdc
ID: 39830283
As you can see, the certificate is expired, so what is the process from here?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39830324
On the right, choose New Exchange certificate and follow the wizard.
Most of what the wizard asks you can ignore, just get to the end where you can enter the host names that you need.
Did you look at the link I provided?

Simon.
0
 

Author Comment

by:datatechdc
ID: 39831356
So I have to issue a new certificate, right, not renew the old one?
0
 

Author Comment

by:datatechdc
ID: 39831361
What do I select under Exchange configuration? See attached screenshot.
ssl2.png
0
 
LVL 12

Assisted Solution

by:Md. Mojahid
Md. Mojahid earned 500 total points
ID: 39831872
You only have to generate a new CSR for the certificate renewal from the Exchange server, then log in to your SSL certificate account, generate the SSL certificate and apply it on Exchange.

For more:

http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39831913
Renew doesn't always work that well, so generating a new request is always the safest option. If you have used the same provider they will usually extend the expiry time to match the existing one (so if the existing is 16th March 2014 and you bought two years, it would be 16th March 2016 even if you did the certificate now).

Simon.
0
 

Author Comment

by:datatechdc
ID: 39832593
I am going through the process for creating a new certificate. When I get to the screen where it asks for Exchange configuration and to select services, I'm not sure what to select there. Please see the attached screenshot.

What should I select?
ssl2.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39832838
It doesn't matter what you enter in there. The wizard is just designed to help you get the correct results. Therefore just click Next until you get to the point where you can add and adjust the names on the certificate.

Remember that you cannot put internal names on a certificate that expires after November 2015 and Exchange will try and make the common name the root domain name (example.com) whereas most people want it to be a specific host name (host.example.com).

Simon.
0
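The request, install and enable steps discussed in this thread can also be done from the Exchange Management Shell, where the common name is set explicitly to the host name. This is an added example, not part of the original thread; the host names, file paths, subject fields, the internal-suffix list and the two function names are placeholders or assumptions.

```powershell
# Added example. Run in the Exchange Management Shell. Names and paths are placeholders.
$commonName = 'mail.example.com'
$sanNames   = @('mail.example.com', 'autodiscover.example.com')
$reqPath    = 'C:\certs\mail.example.com.req'
$cerPath    = 'C:\certs\mail.example.com.cer'

# Step 1: build the request (hypothetical helper name).
function New-MailCertRequest {
    # Stop if the list contains single-label or internal-only names.
    # The suffix list is illustrative; extend it for your environment.
    $internal = @($sanNames | Where-Object { $_ -notmatch '\.' -or $_ -match '\.(local|lan|internal)$' })
    if ($internal.Count -gt 0) { throw "Internal names in request: $($internal -join ', ')" }

    # Set the common name explicitly to the host name instead of the root domain.
    $csr = New-ExchangeCertificate -GenerateRequest `
        -SubjectName "c=US, o=Example Org, cn=$commonName" `
        -DomainName $sanNames -PrivateKeyExportable $true
    Set-Content -Path $reqPath -Value $csr
}

# Step 2 (manual): submit the .req file to the SSL provider, install any
# intermediate certificates it requires, and save the issued certificate to $cerPath.

# Step 3: complete the pending request and enable services (hypothetical helper name).
# 'IIS,SMTP' is an assumption; enable the services your server actually uses.
function Complete-MailCertRequest {
    $bytes = [byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0)
    $new   = Import-ExchangeCertificate -FileData $bytes
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS,SMTP'
    Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
        Format-List Subject, CertificateDomains, NotAfter, Services, Status
}
```

Run `New-MailCertRequest` first, then `Complete-MailCertRequest` on the same server once the provider has issued the certificate, since the private key stays with the pending request.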
 

Author Comment

by:datatechdc
ID: 39832954
Thanks, it looks like everything is good to go now.

Is there a way I can test to make sure the certificate is working correctly so I don't run into any email flow issues?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39833052
The Microsoft test site at http://exrca.com will confirm if there is a problem or not.

Simon.
0
 

Author Comment

by:datatechdc
ID: 39833091
I just logged into a user account and opened Outlook. I got an error for the certificate. Please see the attached screenshot.
ssl5.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39833275
Have you changed the URLs within Exchange to match the certificate?

http://semb.ee/hostnames

Simon.
0
 

Author Comment

by:datatechdc
ID: 39833309
Please see the attached screenshot. The names are different.

Which one should I change?

I still want users to be able to access OWA from https://mail.datatechdc.com/owa

Thanks.
ssl6.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39833354
Personally I wouldn't use the .local anywhere - do you have a split DNS system in place so that the external host name resolves internally? If so then just use the same host name for internal and external.

Simon.
0
 

Author Comment

by:datatechdc
ID: 39833504
I don't have a split DNS.

I don't think I should change this, it was not changed before. How does this affect the certificate error?
0
 

Author Comment

by:datatechdc
ID: 39835655
I had someone look at this and they are concerned that the new certificate does not have an O=. Please see the attached screenshot. I think this may be the issue.

The top line is the expired cert and the middle line is the new one.
ssl8.png
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 1500 total points
ID: 39838339
If you don't have a split DNS, then you are going to have problems.
You cannot have internal names on the SSL certificate, so the trusted certificate will only have external names on it.
DNS resolution for your external host names internally will not always work correctly.
The fact that you didn't have one before means nothing - you need to have one now.

Therefore set up a split DNS system so that your external host name resolves internally (http://semb.ee/splitdns), then configure Exchange to use the external host name everywhere (http://semb.ee/hostnames).

Simon.
0
 

Author Comment

by:datatechdc
ID: 39839034
Would it be easier for me to cancel this certificate and try to renew the old one?
0
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 1500 total points
ID: 39840323
No, because the names you had on the old one will be removed because of the new guidelines. You will have to set up a split DNS system at some point, may as well do it now and set up Exchange correctly to use it.

Simon.
0
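The Outlook certificate error in this thread comes from Exchange handing clients URLs whose host names are not on the new certificate. One way to list every mismatch from the Exchange Management Shell is shown below. This is an added example, not part of the original thread; the thumbprint is a placeholder and `Test-CertCoversHost` is a hypothetical helper.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2010 server.
# Placeholder: paste the thumbprint shown by Get-ExchangeCertificate for the new certificate.
$thumbprint = '<THUMBPRINT-OF-NEW-CERTIFICATE>'

$cert      = Get-ExchangeCertificate -Thumbprint $thumbprint
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Hypothetical helper: is $hostName covered by one of the certificate names?
# A wildcard entry (*.example.com) covers exactly one extra label.
function Test-CertCoversHost([string]$hostName, [string[]]$names) {
    $label, $parent = $hostName.Split('.', 2)
    foreach ($n in $names) {
        if ($n -eq $hostName) { return $true }
        if ($n.StartsWith('*.') -and $parent -eq $n.Substring(2)) { return $true }
    }
    return $false
}

# Collect every URL Exchange hands out to clients.
$urls = @()
foreach ($cas in (Get-ClientAccessServer)) {
    $urls += New-Object PSObject -Property @{
        Source = 'Autodiscover SCP'; Url = $cas.AutoDiscoverServiceInternalUri }
}
$vdirCmds = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-WebServicesVirtualDirectory',
            'Get-OabVirtualDirectory', 'Get-ActiveSyncVirtualDirectory'
foreach ($cmd in $vdirCmds) {
    foreach ($vdir in (& $cmd)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $urls += New-Object PSObject -Property @{ Source = "$cmd $prop"; Url = $vdir.$prop }
        }
    }
}

# Report each host name and whether the certificate covers it; mismatches sort first.
$urls | Where-Object { $_.Url } | ForEach-Object {
    $h = ([Uri]$_.Url.ToString()).Host.ToLower()
    New-Object PSObject -Property @{
        Source = $_.Source; HostName = $h; Covered = (Test-CertCoversHost $h $certNames) }
} | Sort-Object Covered, HostName | Format-Table Source, HostName, Covered -AutoSize
```

Any row with `Covered` set to `False` is a URL that will trigger a name-mismatch warning in clients until it is changed to a host name on the certificate and that name resolves internally.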


Question has a verified solution.
