Solved

Need help with SSL Certificates on Exchange 2007 (SBS 2008)

Posted on 2014-03-09
Last Modified: 2014-03-09
Hello,

I have a client who has a quarterly PCI Compliance assessment done and right now the server is not compliant. This picture is from the PCI Compliance company and was the security risk they discovered.
[Image: PCI Compliance Message]
I'm trying to clean up the SSL Certs but I'm not very experienced with them. When I look at all of the certificates on the Server itself (using Certificates MMC Snap-in), it shows all of these certificates.
[Image: Certificates listed in the Certificates MMC]
Then when I run "Get-ExchangeCertificates" from the Exchange Shell, I get the following results.
[Image: Results from the Get-ExchangeCertificates command in Exchange Shell]
We are using a GoDaddy cert that should cover everything but it doesn't look like the certificates are installed properly.

Any advice on how to clean this up and to resolve the issue with the PCI Compliance?

Thanks,
Question by:bhodge10
10 Comments
 
LVL 60

Accepted Solution

by:
Cliff Galiher earned 2000 total points
ID: 39916494
This happens when you don't use the SBS wizard to install certificates. Since SBS runs more than just exchange, there are several places that the certificate has to be bound to, and exchange walkthroughs on the web don't cover the non-exchange bits. SBS's wizard was written to cover ALL of those pieces.

Simply run the SBS wizard. I'd recommend generating a new CAR and then using that to "rekey" your SBS certificate. Rekeying is free and avoids any mismatched public/private key issues.
0
 
LVL 8

Expert Comment

by:Esteban Blanco
ID: 39916496
I can help you but explaining over EE may be difficult for me.  I wish I could do a call/remote support.  I have done PCI and certificate management many times.

Be sure that all your websites and Exchange have the latest certificate.  If you are using any type of load balancer, also ensure that the certs are applied there.  You may need OpenSSL to split the certs open.

Every certificate has to have the proper chain (certificate authority, intermediate and the cert itself).  In Go Daddy's website, you should be able to download the CA, IC and the cert and install them using that very .mmc you have.

Let me know if what I am saying makes sense.
0
 

Author Comment

by:bhodge10
ID: 39916497
In the past, I've tried running the SBS Wizard but it doesn't show the Godaddy cert even after doing an import.

Do I generate the new CAR from the wizard as well?
0
 
LVL 8

Expert Comment

by:Esteban Blanco
ID: 39916503
OH SBS!  YES!  You have to generate everything from SBS's wizard.  Then you should be able to get the certificates installed properly.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 39916504
The import issue is often because of mismatched keys. Hence the suggestion to generate a new CSR (not CAR. That was a typo) and rekey. Then it isn't an import, but a new matched certificate.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 39916505
And yes, generate the new CSR in the wizard.
0
 

Author Comment

by:bhodge10
ID: 39916512
Ok, I've generated the new CSR and completed the wizard. How do I check to see if the new Cert is covering everything and is there a way to clean up all of the extra certs? Is it safe to just delete every certificate other than the newly generated one?
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 39916515
No. Some of the certs are internal and necessary. I wouldn't delete anything. GoDaddy will revoke certs they've rekeyed so no worries there. As far as checking... if the wizard completed, rescan.
0
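An added audit script (not from this thread or from Microsoft/GoDaddy) that answers the "is the new cert covering everything, and which certs actually matter" question from the Exchange side, before the external rescan. It assumes it is run inside the Exchange Management Shell on the SBS 2008 server with PowerShell 2.0 or later, and that `$expectedNames` holds placeholder values for the public names the GoDaddy certificate is supposed to cover.

```powershell
# Added audit script, not from the thread. Assumptions: run inside the Exchange Management Shell
# on the SBS 2008 server with PowerShell 2.0 or later; $expectedNames are placeholder values for the
# public names the GoDaddy certificate is supposed to cover (replace with the real ones).
$expectedNames = @('remote.example.com', 'autodiscover.example.com')

Get-ExchangeCertificate | ForEach-Object {
    $cert     = $_
    $services = $cert.Services.ToString()
    $domains  = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })

    # Build the chain the way an external scanner would: the issuer and any intermediate
    # must resolve, otherwise the scan reports an untrusted or incomplete chain.
    $chain       = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk     = $chain.Build($cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $missing  = @($expectedNames | Where-Object { $domains -notcontains $_ })

    # Only certificates bound to a network-facing service are visible to the scanner.
    # Unbound internal certs (SBS's own CA, the default self-signed one) are left alone, as advised.
    $exposed = $services -match 'IIS|SMTP|POP|IMAP'
    $flags = @()
    if ($exposed -and $cert.IsSelfSigned)       { $flags += 'self-signed cert bound to a public service' }
    if ($exposed -and -not $chainOk)            { $flags += "chain invalid: $chainErrors" }
    if ($exposed -and $missing.Count -gt 0)     { $flags += "does not cover: $($missing -join ', ')" }
    if ($exposed -and -not $cert.HasPrivateKey) { $flags += 'no private key (cert imported without its key)' }
    if ($daysLeft -lt 30)                       { $flags += "expires in $daysLeft days" }

    if ($flags.Count -gt 0) { $findings = $flags -join '; ' } else { $findings = 'OK' }

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Services   = $services
        SelfSigned = $cert.IsSelfSigned
        Expires    = $cert.NotAfter.ToString('yyyy-MM-dd')
        Findings   = $findings
    }
} | Format-Table Thumbprint, Services, SelfSigned, Expires, Findings -AutoSize
```

A row whose Services column is empty is not reachable by the scanner, so leaving it in place is harmless; the rows to act on are those bound to IIS or SMTP with anything other than OK in Findings.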
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 39916611
A good place to check your site is https://www.ssllabs.com
0
 

Author Closing Comment

by:bhodge10
ID: 39916619
This was an issue I was dealing with for a while now and with your help, the server is now PCI compliant.

Thanks!
0
