Solved

setting up new SSL certificate exchange server

Posted on 2014-02-03
Last Modified: 2014-02-18
I have an Exchange 2010 server running on Server 2008. The SSL certificate expired, so I purchased a new one.

How should I go about replacing the SSL certificate?

Thanks.
0
Question by:datatechdc
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 375 total points
ID: 39830033
Create a new request through EMC, including all of the names that you require, and put that into the SSL provider's web site. When you get the result, complete the installation in EMC and then enable the services.

If the provider requires the installation of intermediate certificates then install those before completing the request - although if you are using the same provider as last time you may not have to do that step.

http://semb.ee/ssl

Simon.
0
 

Author Comment

by:datatechdc
ID: 39830225
Can you tell me where in EMC I go?

Thanks.
0
 
LVL 5

Expert Comment

by:Basheerpt
ID: 39830228
What kind of SSL certificate was there before? UC? You may renew this or request a new one. Keep the expired certificates to see their SAN names before you delete them.

Here is the godaddy procedure:
http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
0

 
LVL 5

Expert Comment

by:Basheerpt
ID: 39830238
In EMC>Server configuration
0
 

Author Comment

by:datatechdc
ID: 39830279
Please see the screenshot attached. This is where I am; how should I back up the settings?
ssl1.png
0
 

Author Comment

by:datatechdc
ID: 39830283
As you can see, the certificate is expired, so what is the process from here?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39830324
On the right, choose New Exchange certificate and follow the wizard.
Most of what the wizard asks you can ignore; just get to the end where you can enter the host names that you need.
Did you look at the link I provided?

Simon.
0
 

Author Comment

by:datatechdc
ID: 39831356
So I have to issue a new certificate, right, not renew the old one?
0
 

Author Comment

by:datatechdc
ID: 39831361
What do I select under Exchange configuration? See attached screenshot.
ssl2.png
0
 
LVL 12

Assisted Solution

by:Md. Mojahid
Md. Mojahid earned 125 total points
ID: 39831872
You only have to generate a new CSR from the Exchange server to renew the certificate, then log in to your SSL certificate account, generate the SSL certificate and apply it on Exchange.

For more

http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39831913
Renew doesn't always work that well, so generating a new request is always the safest option. If you have used the same provider they will usually extend the expiry time to match the existing one (so if the existing is 16th March 2014 and you bought two years, it would be 16th March 2016 even if you did the certificate now).

Simon.
0
 

Author Comment

by:datatechdc
ID: 39832593
I am going through the process for creating a new certificate. When I get to the screen where it asks for Exchange configuration and select services, I'm not sure what to select there. Please see the attached screenshot.

What should I select?
ssl2.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39832838
It doesn't matter what you enter in there. The wizard is just designed to help you get the correct results. Therefore just click Next until you get to the point where you can add and adjust the names on the certificate.

Remember that you cannot put internal names on a certificate that expires after November 2015 and Exchange will try and make the common name the root domain name (example.com) whereas most people want it to be a specific host name (host.example.com).

Simon.
0
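The request, install and enable steps described in the answers above can also be done from the Exchange Management Shell instead of the EMC wizard. This is an added example, not part of the thread; the host names, subject fields, file paths and the choice of IIS and SMTP as services are placeholder assumptions.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# All names, subject fields and paths below are placeholders (assumptions).
$CommonName = 'mail.example.com'
$SanNames   = 'mail.example.com', 'autodiscover.example.com'
$ReqPath    = 'C:\certs\mail.example.com.req'
$CerPath    = 'C:\certs\mail.example.com.cer'

function New-MailCertRequest {
    # Stop before submitting names a public CA will not put on the certificate:
    # single-label host names and .local names.
    $internal = @(($SanNames + $CommonName) |
        Where-Object { $_ -notmatch '\.' -or $_ -match '\.local$' })
    if ($internal.Count -gt 0) {
        throw "Internal names on the request: $($internal -join ', ')"
    }

    # Set the common name explicitly to the specific host name rather than
    # leaving it at the root domain.
    $req = New-ExchangeCertificate -GenerateRequest `
        -SubjectName "C=US, O=Example Org, CN=$CommonName" `
        -DomainName $SanNames -KeySize 2048 -PrivateKeyExportable $true
    Set-Content -Path $ReqPath -Value $req
    "Request written to $ReqPath; paste its contents into the provider's site."
}

function Complete-MailCert {
    # Run after the provider has issued the certificate and any intermediate
    # certificates it requires have been installed.
    $bytes = [byte[]](Get-Content -Path $CerPath -Encoding Byte -ReadCount 0)
    $cert  = Import-ExchangeCertificate -FileData $bytes

    # Bind the new certificate to the services that should use it.
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

    # Show what is now installed: names, expiry and enabled services.
    Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
        Format-List Subject, CertificateDomains, NotAfter, Services, Status
}
```

Call `New-MailCertRequest` first, submit the request file to the provider, then call `Complete-MailCert` once the issued certificate has been saved to `$CerPath`.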
 

Author Comment

by:datatechdc
ID: 39832954
Thanks, it looks like everything is good to go now.

Is there a way I can test to make sure the certificate is working correctly so I don't run into any email flow issues?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39833052
The Microsoft test site at http://exrca.com will confirm if there is a problem or not.

Simon.
0
 

Author Comment

by:datatechdc
ID: 39833091
I just logged into a user account and opened Outlook. I got an error for the certificate. Please see the attached screenshot.
ssl5.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39833275
Have you changed the URLs within Exchange to match the certificate?

http://semb.ee/hostnames

Simon.
0
 

Author Comment

by:datatechdc
ID: 39833309
Please see the attached screenshot. The names are different.

Which one should I change?

I still want users to be able to access OWA from https://mail.datatechdc.com/owa

Thanks.
ssl6.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39833354
Personally I wouldn't use the .local anywhere - do you have a split DNS system in place so that the external host name resolves internally? If so then just use the same host name for internal and external.

Simon.
0
 

Author Comment

by:datatechdc
ID: 39833504
I don't have a split DNS.

I don't think I should change this; it was not changed before. How does this affect the certificate error?
0
 

Author Comment

by:datatechdc
ID: 39835655
I had someone look at this and they are concerned that the new certificate does not have an O=. Please see the attached screenshot. I think this may be the issue.

The top line is the expired cert and the middle line is the new one.
ssl8.png
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 375 total points
ID: 39838339
If you don't have a split DNS, then you are going to have problems.
You cannot have internal names on the SSL certificate, so the trusted certificate will only have external names on it.
DNS resolution for your external host names internally will not always work correctly.
The fact that you didn't have one before means nothing - you need to have one now.

Therefore set up a split DNS system so that your external host name resolves internally.
http://semb.ee/splitdns then configure Exchange to use the external host name everywhere.
http://semb.ee/hostnames

Simon.
0
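A read-only check for the mismatch discussed above: it lists every Exchange client URL whose host name is not on the certificate enabled for IIS, which is what produces the Outlook certificate warning. This is an added example, not part of the thread; picking the newest valid IIS certificate and the set of virtual directories queried are assumptions.

```powershell
# Added example: run in the Exchange Management Shell. Changes nothing.
function Test-NameOnCert([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one extra label:
        # *.example.com matches mail.example.com but not a.b.example.com.
        if ($n.StartsWith('*.') -and $HostName -match '^[^.]+\.(.+)$' -and
            $Matches[1] -eq $n.Substring(2)) { return $true }
    }
    return $false
}

# Assumption: the certificate in use is the newest valid one enabled for IIS.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' -and $_.Status -eq 'Valid' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No valid certificate is enabled for IIS.' }
$names = @($cert.CertificateDomains | ForEach-Object { "$_" })

# Collect the URLs that Outlook, OWA and mobile clients are told to use.
$urls = @()
Get-ClientAccessServer | ForEach-Object {
    $urls += New-Object PSObject -Property @{
        Source = 'Autodiscover SCP'; Url = "$($_.AutoDiscoverServiceInternalUri)" }
}
$cmds = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
        'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
        'Get-ActiveSyncVirtualDirectory'
foreach ($cmd in $cmds) {
    foreach ($vd in (& $cmd)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $urls += New-Object PSObject -Property @{
                Source = "$cmd $prop"; Url = "$($vd.$prop)" }
        }
    }
}

# Report only the URLs whose host the certificate does not cover.
$urls | Where-Object { $_.Url } |
    Where-Object { -not (Test-NameOnCert ([uri]$_.Url).Host $names) } |
    Format-Table Source, Url -AutoSize
```

An empty result means every configured URL uses a name that is on the certificate; any row listed is a URL that still points at a name the certificate does not carry.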
 

Author Comment

by:datatechdc
ID: 39839034
Would it be easier for me to cancel this certificate and try to renew the old one?
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 375 total points
ID: 39840323
No, because the names you had on the old one will be removed because of the new guidelines. You will have to set up a split DNS system at some point, so you may as well do it now and set up Exchange correctly to use it.

Simon.
0
