Solved

setting up new SSL certificate exchange server

Posted on 2014-02-03
Last Modified: 2014-02-18
I have an Exchange 2010 server running on Server 2008. The SSL certificate expired, so I purchased a new one.

How should I go about replacing the SSL certificate?

Thanks.
Question by:datatechdc
25 Comments
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 1500 total points
ID: 39830033
Create a new request through EMC, including all of the names that you require, and put that into the SSL provider's web site. When you get the result, complete the installation in EMC and then enable the services.

If the provider requires the installation of intermediate certificates then install those before completing the request - although if you are using the same provider as last time you may not have to do that step.

http://semb.ee/ssl

Simon.
0
 

Author Comment

by:datatechdc
ID: 39830225
Can you tell me where in EMC I go?

Thanks.
0
 
LVL 5

Expert Comment

by:Basheerpt
ID: 39830228
What kind of SSL certificate was there before? UC? You may renew this or request a new one. Keep the expired certificates to see their SAN names before you delete them.

Here is the GoDaddy procedure:
http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
0
 
LVL 5

Expert Comment

by:Basheerpt
ID: 39830238
In EMC > Server Configuration
0
 

Author Comment

by:datatechdc
ID: 39830279
Please see the screenshot attached. This is where I am. How should I back up the settings?
ssl1.png
0
 

Author Comment

by:datatechdc
ID: 39830283
As you can see, the certificate is expired, so what is the process from here?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39830324
On the right, choose New Exchange certificate and follow the wizard.
Most of what the wizard asks you can ignore; just get to the end where you can enter the host names that you need.
Did you look at the link I provided?

Simon.
0
 

Author Comment

by:datatechdc
ID: 39831356
So I have to issue a new certificate, right, not renew the old one?
0
 

Author Comment

by:datatechdc
ID: 39831361
What do I select under Exchange configuration? See attached screenshot.
ssl2.png
0
 
LVL 12

Assisted Solution

by:Md. Mojahid
Md. Mojahid earned 500 total points
ID: 39831872
You only have to generate a new CSR for the certificate renewal from the Exchange server, then log in to your SSL certificate account, generate the SSL certificate and apply it on Exchange.

For more:

http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39831913
Renew doesn't always work that well, so generating a new request is always the safest option. If you have used the same provider they will usually extend the expiry time to match the existing one (so if the existing is 16th March 2014 and you bought two years, it would be 16th March 2016 even if you did the certificate now).

Simon.
0
 

Author Comment

by:datatechdc
ID: 39832593
I am going through the process for creating a new certificate. When I get to the screen where it asks for Exchange configuration and to select services, I'm not sure what to select there. Please see the attached screenshot.

What should I select?
ssl2.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39832838
It doesn't matter what you enter in there. The wizard is just designed to help you get the correct results. Therefore just click Next until you get to the point where you can add and adjust the names on the certificate.

Remember that you cannot put internal names on a certificate that expires after November 2015 and Exchange will try and make the common name the root domain name (example.com) whereas most people want it to be a specific host name (host.example.com).

Simon.
0
 

Author Comment

by:datatechdc
ID: 39832954
Thanks, it looks like everything is good to go now.

Is there a way I can test to make sure the certificate is working correctly so I don't run into any email flow issues?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39833052
The Microsoft test site at http://exrca.com will confirm if there is a problem or not.

Simon.
0
 

Author Comment

by:datatechdc
ID: 39833091
I just logged into a user account and opened Outlook. I got an error for the certificate. Please see the attached screenshot.
ssl5.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39833275
Have you changed the URLs within Exchange to match the certificate?

http://semb.ee/hostnames

Simon.
0
 

Author Comment

by:datatechdc
ID: 39833309
Please see the attached screenshot. The names are different.

Which one should I change?

I still want users to be able to access OWA from https://mail.datatechdc.com/owa

Thanks.
ssl6.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39833354
Personally I wouldn't use the .local anywhere - do you have a split DNS system in place so that the external host name resolves internally? If so then just use the same host name for internal and external.

Simon.
0
 

Author Comment

by:datatechdc
ID: 39833504
I don't have a split DNS.

I don't think I should change this; it was not changed before. How does this affect the certificate error?
0
 

Author Comment

by:datatechdc
ID: 39835655
I had someone look at this and they are concerned that the new certificate does not have an O=. Please see the attached screenshot. I think this may be the issue.

The top line is the expired cert and the middle line is the new one.
ssl8.png
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 1500 total points
ID: 39838339
If you don't have a split DNS, then you are going to have problems.
You cannot have internal names on the SSL certificate, so the trusted certificate will only have external names on it.
DNS resolution for your external host names internally will not always work correctly.
The fact that you didn't have one before means nothing - you need to have one now.

Therefore set up a split DNS system so that your external host name resolves internally: http://semb.ee/splitdns
Then configure Exchange to use the external host name everywhere: http://semb.ee/hostnames

Simon.
0
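The check behind the advice above, as an added PowerShell example that is not part of the original thread: it takes the host name from each URL configured in Exchange and lists the ones that the certificate's names do not cover, which are the URLs that produce the Outlook warning. The function names and the example.com / example.local sample values are constructed for illustration; on the server the certificate names come from the CertificateDomains property of Get-ExchangeCertificate, and the URLs from the InternalUrl and ExternalUrl values of cmdlets such as Get-OwaVirtualDirectory and Get-WebServicesVirtualDirectory and from AutoDiscoverServiceInternalUri on Get-ClientAccessServer.

```powershell
# Added example (not from the thread). Function names and sample data are constructed.
# Written to run on PowerShell 2.0, as shipped with Exchange 2010.

function Test-NameOnCertificate {
    param([string]$HostName, [string[]]$CertificateDomains)
    foreach ($name in $CertificateDomains) {
        if ($name -eq $HostName) { return $true }      # -eq ignores case
        if ($name.StartsWith('*.')) {
            # A wildcard covers exactly one label: *.example.com matches
            # mail.example.com, not example.com or a.b.example.com.
            $suffix = $name.Substring(1).ToLower()     # ".example.com"
            $candidate = $HostName.ToLower()
            if ($candidate.EndsWith($suffix) -and $candidate.Length -gt $suffix.Length) {
                $label = $candidate.Substring(0, $candidate.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Get-UrlCertificateMismatch {
    param([hashtable]$ConfiguredUrls, [string[]]$CertificateDomains)
    foreach ($setting in ($ConfiguredUrls.Keys | Sort-Object)) {
        $hostName = ([System.Uri]$ConfiguredUrls[$setting]).Host
        if (-not (Test-NameOnCertificate $hostName $CertificateDomains)) {
            # Single-label and .local names are internal names that a public CA
            # will not put on a certificate, so these URLs have to change.
            $internal = ($hostName -notmatch '\.') -or ($hostName -match '\.local$')
            New-Object PSObject -Property @{
                Setting = $setting; Host = $hostName; InternalName = $internal
            }
        }
    }
}

# Constructed sample: names on the new certificate and URLs still set in Exchange.
$certificateDomains = @('mail.example.com', 'autodiscover.example.com')
$configuredUrls = @{
    'OWA ExternalUrl'                = 'https://mail.example.com/owa'
    'OWA InternalUrl'                = 'https://exch01.example.local/owa'
    'EWS InternalUrl'                = 'https://exch01.example.local/EWS/Exchange.asmx'
    'AutoDiscoverServiceInternalUri' = 'https://exch01.example.local/Autodiscover/Autodiscover.xml'
}

Get-UrlCertificateMismatch $configuredUrls $certificateDomains |
    Format-Table Setting, Host, InternalName -AutoSize
```

Every row it prints is a URL whose host name is missing from the certificate; once split DNS is in place and the URLs use the external host name, the function returns nothing.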
 

Author Comment

by:datatechdc
ID: 39839034
Would it be easier for me to cancel this certificate and try to renew the old one?
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 1500 total points
ID: 39840323
No, because the names you had on the old one will be removed because of the new guidelines. You will have to set up a split DNS system at some point, may as well do it now and set up Exchange correctly to use it.

Simon.
0
