  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 368

setting up new SSL certificate exchange server

I have an Exchange 2010 server running on Server 2008. The SSL certificate expired, so I purchased a new one.

How should I go about replacing the SSL certificate?

Thanks.
datatechdc
 
Simon Butler (Sembee), Consultant, commented:
Create a new request through EMC, including all of the names that you require, and put that into the SSL provider's web site. When you get the result, complete the installation in EMC and then enable the services.

If the provider requires the installation of intermediate certificates then install those before completing the request - although if you are using the same provider as last time you may not have to do that step.

http://semb.ee/ssl

Simon.
 
datatechdc (Author) commented:
Can you tell me where in EMC I go?

Thanks.
 
Basheerpt commented:
What kind of SSL certificate was there before? UC? You may renew this or request a new one. Keep the expired certificates to see their SAN names before the delete.

Here is the GoDaddy procedure:
http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
 
Basheerpt commented:
In EMC > Server configuration
 
datatechdc (Author) commented:
Please see the screenshot attached. This is where I am; how should I back up the settings?
ssl1.png
 
datatechdc (Author) commented:
As you can see, the certificate is expired, so what is the process from here?
 
Simon Butler (Sembee), Consultant, commented:
On the right, choose New Exchange certificate and follow the wizard.
Most of what the wizard asks you can ignore; just get to the end where you can enter the host names that you need.
Did you look at the link I provided?

Simon.
 
datatechdc (Author) commented:
So I have to issue a new certificate, right, not renew the old one?
 
datatechdc (Author) commented:
What do I select under Exchange configuration? See attached screenshot.
ssl2.png
 
Md. Mojahid commented:
You only have to generate a new CSR to renew the certificate from the Exchange server, then log in to your SSL certificate account, generate the SSL certificate, and apply it on Exchange.

For more:

http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
 
Simon Butler (Sembee), Consultant, commented:
Renew doesn't always work that well, so generating a new request is always the safest option. If you have used the same provider they will usually extend the expiry time to match the existing one (so if the existing is 16th March 2014 and you bought two years, it would be 16th March 2016 even if you did the certificate now).

Simon.
 
datatechdc (Author) commented:
I am going through the process for creating a new certificate. When I get to the screen where it asks for Exchange configuration and select services, I'm not sure what to select there. Please see the attached screenshot.

What should I select?
ssl2.png
 
Simon Butler (Sembee), Consultant, commented:
It doesn't matter what you enter in there. The wizard is just designed to help you get the correct results. Therefore just click Next until you get to the point where you can add and adjust the names on the certificate.

Remember that you cannot put internal names on a certificate that expires after November 2015 and Exchange will try and make the common name the root domain name (example.com) whereas most people want it to be a specific host name (host.example.com).

Simon.
 
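The request, completion and enable steps described in the answers above, with the common name set to a specific host name and only external names listed, can also be run from the Exchange Management Shell. This is an added example, not part of any poster's reply; the host names, organisation fields, file paths and service list are placeholder assumptions, and steps 2 onward are run only after the provider has issued the certificate.

```powershell
# Added example for the Exchange Management Shell on Exchange 2010.
# mail.example.com, the C=/O= values, C:\certs and the service list are placeholders.

# 1. Generate the request. Set the common name to the specific host name and
#    list only externally resolvable names (no .local or NetBIOS names).
$names = "mail.example.com", "autodiscover.example.com"
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Example Org, CN=mail.example.com" `
    -DomainName $names -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path "C:\certs\mail.example.com.req" -Value $request

# 2. Paste the .req contents into the SSL provider's site. When the certificate
#    comes back, install any intermediate certificates first, then complete the
#    pending request on the same server that generated it.
$bytes = [Byte[]](Get-Content -Path "C:\certs\mail.example.com.cer" -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $bytes

# 3. Check the issued certificate before any service starts using it.
$issued = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing = @($names | Where-Object { $issued -notcontains $_ })
if ($cert.NotAfter -lt (Get-Date)) { throw "Imported certificate has already expired." }
if ($missing.Count -gt 0) { throw "Names missing from the certificate: $($missing -join ', ')" }

# 4. Enable the services. Enabling SMTP prompts before replacing the default
#    SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 5. Review every installed certificate; the expired one stays listed until removed.
Get-ExchangeCertificate | Sort-Object NotAfter |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, Status
```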
datatechdc (Author) commented:
Thanks, it looks like everything is good to go now.

Is there a way I can test to make sure the certificate is working correctly so I don't run into any email flow issues?
 
Simon Butler (Sembee), Consultant, commented:
The Microsoft test site at http://exrca.com will confirm if there is a problem or not.

Simon.
 
datatechdc (Author) commented:
I just logged into a user account and opened Outlook. I got an error for the certificate. Please see the attached screenshot.
ssl5.png
 
Simon Butler (Sembee), Consultant, commented:
Have you changed the URLs within Exchange to match the certificate?

http://semb.ee/hostnames

Simon.
 
datatechdc (Author) commented:
Please see the attached screenshot. The names are different.

Which one should I change?

I still want users to be able to access OWA from https://mail.datatechdc.com/owa

Thanks.
ssl6.png
 
Simon Butler (Sembee), Consultant, commented:
Personally I wouldn't use the .local anywhere - do you have a split DNS system in place so that the external host name resolves internally? If so then just use the same host name for internal and external.

Simon.
 
datatechdc (Author) commented:
I don't have a split DNS.

I don't think I should change this; it was not changed before. How does this affect the certificate error?
 
datatechdc (Author) commented:
I had someone look at this and they are concerned that the new certificate does not have an O=. Please see the attached screenshot. I think this may be the issue.

The top line is the expired cert and the middle line is the new one.
ssl8.png
 
Simon Butler (Sembee), Consultant, commented:
If you don't have a split DNS, then you are going to have problems.
You cannot have internal names on the SSL certificate, so the trusted certificate will only have external names on it.
DNS resolution for your external host names internally will not always work correctly.
The fact that you didn't have one before means nothing - you need to have one now.

Therefore set up a split DNS system so that your external host name resolves internally: http://semb.ee/splitdns
Then configure Exchange to use the external host name everywhere: http://semb.ee/hostnames

Simon.
 
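The certificate prompt in Outlook discussed above comes down to whether every URL Exchange hands to clients uses a host name that is on the new certificate. The following check is an added example, not part of any poster's reply; it assumes the Exchange Management Shell on Exchange 2010, and the thumbprint is a placeholder to be copied from `Get-ExchangeCertificate`.

```powershell
# Added example: compare the host names in Exchange's configured URLs with the
# names on the new certificate. The thumbprint below is a placeholder.
$thumb = "<THUMBPRINT-OF-NEW-CERTIFICATE>"
$certNames = @((Get-ExchangeCertificate -Thumbprint $thumb).CertificateDomains |
    ForEach-Object { $_.ToString().ToLower() })

# True when the certificate lists the host name exactly or through a wildcard
# entry, which covers exactly one extra label.
function Test-NameOnCertificate([string]$HostName) {
    $dot = $HostName.IndexOf(".")
    foreach ($n in $certNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith("*.") -and $dot -gt 0 -and
            $HostName.Substring($dot) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Collect the Autodiscover SCP and the internal/external virtual directory URLs.
$found = @()
foreach ($cas in @(Get-ClientAccessServer)) {
    $found += ,@("Autodiscover SCP on $($cas.Name)", "$($cas.AutoDiscoverServiceInternalUri)")
}
$vdirCmdlets = "Get-OwaVirtualDirectory", "Get-EcpVirtualDirectory", "Get-OabVirtualDirectory",
               "Get-WebServicesVirtualDirectory", "Get-ActiveSyncVirtualDirectory"
foreach ($cmdlet in $vdirCmdlets) {
    foreach ($vdir in @(& $cmdlet)) {
        foreach ($prop in "InternalUrl", "ExternalUrl") {
            $found += ,@("$cmdlet $prop", "$($vdir.$prop)")
        }
    }
}

# Classify each configured URL; unset URLs are skipped.
$found | Where-Object { $_[1] } | ForEach-Object {
    $hostName = ([Uri]$_[1]).Host.ToLower()
    if ($hostName.EndsWith(".local") -or -not $hostName.Contains(".")) { $result = "INTERNAL NAME" }
    elseif (Test-NameOnCertificate $hostName) { $result = "OK" }
    else { $result = "NOT ON CERTIFICATE" }
    New-Object PSObject -Property @{ Setting = $_[0]; HostName = $hostName; Result = $result }
} | Select-Object Setting, HostName, Result | Sort-Object Result | Format-Table -AutoSize
```

Any row that is not `OK` is a URL clients will be sent to with a name the certificate does not cover.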
datatechdc (Author) commented:
Would it be easier for me to cancel this certificate and try to renew the old one?
 
Simon Butler (Sembee), Consultant, commented:
No, because the names you had on the old one will be removed because of the new guidelines. You will have to set up a split DNS system at some point, so you may as well do it now and set up Exchange correctly to use it.

Simon.