Solved

setting up new SSL certificate exchange server

Posted on 2014-02-03
Last Modified: 2014-02-18
I have an Exchange 2010 server running on Server 2008. The SSL certificate expired, so I purchased a new one.

How should I go about replacing the SSL certificate?

Thanks.
0
Question by:datatechdc
25 Comments
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 375 total points
ID: 39830033
Create a new request through EMC, including all of the names that you require, and put that into the SSL provider's web site. When you get the result, complete the installation in EMC and then enable the services.

If the provider requires the installation of intermediate certificates then install those before completing the request - although if you are using the same provider as last time you may not have to do that step.

http://semb.ee/ssl

Simon.
0
 

Author Comment

by:datatechdc
ID: 39830225
Can you tell me where in EMC I go?

Thanks.
0
 
LVL 5

Expert Comment

by:Basheerpt
ID: 39830228
What kind of SSL certificate was there before? UC? You may renew this or request a new one. Keep the expired certificates to see their SAN names before you delete them.

Here is the GoDaddy procedure:
http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
0
 
LVL 5

Expert Comment

by:Basheerpt
ID: 39830238
In EMC > Server Configuration
0
 

Author Comment

by:datatechdc
ID: 39830279
Please see the screenshot attached. This is where I am. How should I back up the settings?
ssl1.png
0
 

Author Comment

by:datatechdc
ID: 39830283
As you can see, the certificate is expired, so what is the process from here?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39830324
On the right, choose New Exchange certificate and follow the wizard.
Most of what the wizard asks you can ignore; just get to the end where you can enter the host names that you need.
Did you look at the link I provided?

Simon.
0
 

Author Comment

by:datatechdc
ID: 39831356
So I have to issue a new certificate, right, not renew the old one?
0
 

Author Comment

by:datatechdc
ID: 39831361
What do I select under Exchange configuration? See the attached screenshot.
ssl2.png
0
 
LVL 12

Assisted Solution

by:Md. Mojahid
Md. Mojahid earned 125 total points
ID: 39831872
You only have to generate a new CSR to renew the certificate from the Exchange server, then log in to your SSL certificate account, generate the SSL certificate, and apply it on Exchange.

For more:

http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39831913
Renew doesn't always work that well, so generating a new request is always the safest option. If you have used the same provider they will usually extend the expiry time to match the existing one (so if the existing is 16th March 2014 and you bought two years, it would be 16th March 2016 even if you did the certificate now).

Simon.
0
 

Author Comment

by:datatechdc
ID: 39832593
I am going through the process for creating a new certificate. When I get to the screen where it asks for Exchange configuration and to select services, I'm not sure what to select there. Please see the attached screenshot.

What should I select?
ssl2.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39832838
It doesn't matter what you enter in there. The wizard is just designed to help you get the correct results. Therefore just click Next until you get to the point where you can add and adjust the names on the certificate.

Remember that you cannot put internal names on a certificate that expires after November 2015 and Exchange will try and make the common name the root domain name (example.com) whereas most people want it to be a specific host name (host.example.com).

Simon.
0
 

Author Comment

by:datatechdc
ID: 39832954
Thanks, it looks like everything is good to go now.

Is there a way I can test to make sure the certificate is working correctly so I don't run into any email flow issues?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39833052
The Microsoft test site at http://exrca.com will confirm if there is a problem or not.

Simon.
0
 

Author Comment

by:datatechdc
ID: 39833091
I just logged into a user account and opened Outlook. I got an error for the certificate. Please see the attached screenshot.
ssl5.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39833275
Have you changed the URLs within Exchange to match the certificate?

http://semb.ee/hostnames

Simon.
0
 

Author Comment

by:datatechdc
ID: 39833309
Please see the attached screenshot. The names are different.

Which one should I change?

I still want users to be able to access OWA from https://mail.datatechdc.com/owa

Thanks.
ssl6.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39833354
Personally I wouldn't use the .local anywhere - do you have a split DNS system in place so that the external host name resolves internally? If so then just use the same host name for internal and external.

Simon.
0
 

Author Comment

by:datatechdc
ID: 39833504
I don't have a split DNS.

I don't think I should change this; it was not changed before. How does this affect the certificate error?
0
 

Author Comment

by:datatechdc
ID: 39835655
I had someone look at this and they are concerned that the new certificate does not have an O=. Please see the attached screenshot. I think this may be the issue.

The top line is the expired cert and the middle line is the new one.
ssl8.png
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 375 total points
ID: 39838339
If you don't have a split DNS, then you are going to have problems.
You cannot have internal names on the SSL certificate, so the trusted certificate will only have external names on it.
DNS resolution for your external host names internally will not always work correctly.
The fact that you didn't have one before means nothing - you need to have one now.

Therefore set up a split DNS system so that your external host name resolves internally: http://semb.ee/splitdns
Then configure Exchange to use the external host name everywhere: http://semb.ee/hostnames

Simon.
0
 

Author Comment

by:datatechdc
ID: 39839034
Would it be easier for me to cancel this certificate and try to renew the old one?
0
 
LVL 63

Accepted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 375 total points
ID: 39840323
No, because the names you had on the old one will be removed because of the new guidelines. You will have to set up a split DNS system at some point, may as well do it now and set up Exchange correctly to use it.

Simon.
0
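The thread's two checks (do the URLs configured in Exchange use host names that are on the certificate, and are any of them internal names such as .local) can be scripted. The following is an added example, not part of the original thread or from any participant; the function name `Test-UrlAgainstCertNames`, the example.com host names and the internal-name heuristic are assumptions made for illustration.

```powershell
# Added example, not from the thread. Host names below are constructed samples.
# On a live Exchange 2010 server the inputs can come from the Exchange Management Shell:
#   $certNames = (Get-ExchangeCertificate -Thumbprint '<THUMBPRINT>').CertificateDomains |
#                    ForEach-Object { $_.ToString() }
#   $urls = @(Get-OwaVirtualDirectory; Get-WebServicesVirtualDirectory) |
#               ForEach-Object { $_.InternalUrl; $_.ExternalUrl } |
#               Where-Object { $_ } | ForEach-Object { $_.AbsoluteUri }
#   (also check (Get-ClientAccessServer).AutoDiscoverServiceInternalUri)

function Test-UrlAgainstCertNames {
    param([string[]]$CertNames, [string[]]$Urls)

    foreach ($url in $Urls) {
        $hostName = ([uri]$url).Host.ToLowerInvariant()
        $covered  = $false
        foreach ($name in $CertNames) {
            $n = $name.ToLowerInvariant()
            if ($n -eq $hostName) { $covered = $true; break }
            if ($n.StartsWith('*.')) {
                # A wildcard name covers exactly one left-most label.
                $suffix = $n.Substring(1)
                $len    = [Math]::Max(0, $hostName.Length - $suffix.Length)
                $label  = $hostName.Substring(0, $len)
                if ($hostName.EndsWith($suffix) -and $label -and -not $label.Contains('.')) {
                    $covered = $true; break
                }
            }
        }
        # Simplified heuristic (assumption): single-label and .local names are internal.
        $internal = (-not $hostName.Contains('.')) -or $hostName.EndsWith('.local')

        # New-Object is used so the function also runs on PowerShell 2.0.
        New-Object PSObject -Property @{
            Url           = $url
            OnCertificate = $covered
            InternalName  = $internal
        }
    }
}

# Constructed sample input: a certificate with external names only, one URL still on .local.
$certNames = 'mail.example.com', 'autodiscover.example.com'
$urls = 'https://mail.example.com/owa',
        'https://exch01.example.local/EWS/Exchange.asmx',
        'https://autodiscover.example.com/Autodiscover/Autodiscover.xml'

Test-UrlAgainstCertNames -CertNames $certNames -Urls $urls |
    Select-Object Url, OnCertificate, InternalName | Format-Table -AutoSize
```

A row with OnCertificate set to False marks a URL whose host name the certificate does not cover, which is the situation the split DNS and host name changes discussed above are meant to remove.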
