Need help with SSL Certificates on Exchange 2007 (SBS 2008)

Hello,

I have a client who has a quarterly PCI Compliance assessment done, and right now the server is not compliant. This picture is from the PCI Compliance company and was the security risk they discovered: [image: PCI Compliance Message]
I'm trying to clean up the SSL certs, but I'm not very experienced with them. When I look at all of the certificates on the server itself (using the Certificates MMC snap-in), it shows all of these certificates: [image: Certificates listed in the Certificates MMC]
Then when I run "Get-ExchangeCertificate" from the Exchange Shell, I get the following results: [image: Results from the Get-ExchangeCertificate command in Exchange Shell]
We are using a GoDaddy cert that should cover everything, but it doesn't look like the certificates are installed properly.

Any advice on how to clean this up and to resolve the issue with the PCI Compliance?

Thanks,
Asked by: bhodge10

1 Solution

Cliff Galiher commented:
This happens when you don't use the SBS wizard to install certificates. Since SBS runs more than just exchange, there are several places that the certificate has to be bound to, and exchange walkthroughs on the web don't cover the non-exchange bits. SBS's wizard was written to cover ALL of those pieces.

Simply run the SBS wizard. I'd recommend generating a new CAR and then using that to "rekey" your SBS certificate. Rekeying is free and avoids any mismatched public/private key issues.

Esteban Blanco (President) commented:
I can help you but explaining over EE may be difficult for me.  I wish I could do a call/remote support.  I have done PCI and certificate management many times.

Be sure that all your websites and Exchange have the latest certificate.  If you are using any type of load balancer, also ensure that the certs are applied there.  You may need OpenSSL to split the certs open.

Every certificate has to have the proper chain (certificate authority, intermediate and the cert itself).  In Go Daddy's website, you should be able to download the CA, IC and the cert and install them using that very .mmc you have.

Let me know if what I am saying makes sense.

bhodge10 (Author) commented:
In the past, I've tried running the SBS Wizard but it doesn't show the Godaddy cert even after doing an import.

Do I generate the new CAR from the wizard as well?

Esteban Blanco (President) commented:
OH SBS!  YES!  You have to generate everything from SBS's wizard.  Then you should be able to get the certificates installed properly.

Cliff Galiher commented:
The import issue is often because of mismatched keys. Hence the suggestion to generate a new CSR (not CAR. That was a typo) and rekey. Then it isn't an import, but a new matched certificate.

Cliff Galiher commented:
And yes, generate the new CSR in the wizard.

bhodge10 (Author) commented:
Ok, I've generated the new CSR and completed the wizard. How do I check to see if the new Cert is covering everything and is there a way to clean up all of the extra certs? Is it safe to just delete every certificate other than the newly generated one?

Cliff Galiher commented:
No. Some of the certs are internal and necessary. I wouldn't delete anything. GoDaddy will revoke certs they've rekeyed, so no worries there. As far as checking... if the wizard completed, rescan.
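For a local check before paying for another scan, the following is an added example (not posted in this thread and not part of the SBS wizard). It lists every certificate Exchange 2007 knows about with the services it is enabled for, verifies each one's chain from the machine store, and parses the HTTP.SYS SSL bindings that the non-Exchange parts of SBS 2008 (RWW, companyweb, TS Gateway) use, then flags anything not on the rekeyed GoDaddy cert. It assumes Windows PowerShell 2.0 in the Exchange Management Shell, that `Get-ExchangeCertificate` output can be passed as an `X509Certificate2`, and that `$GoDaddyThumbprint` is a placeholder you replace with your own thumbprint.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell on the
# SBS 2008 box as an administrator. $GoDaddyThumbprint is a placeholder: paste the
# thumbprint of the rekeyed GoDaddy certificate shown by Get-ExchangeCertificate.
# Needs Windows PowerShell 2.0 (SBS 2008 shipped with 1.0; 2.0 is an update).
$GoDaddyThumbprint = 'REPLACE-WITH-REKEYED-CERT-THUMBPRINT'

# Build the chain for one certificate against the local machine store and report
# why it fails (untrusted root, missing intermediate, expired, ...).
function Test-CertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # chain shape only; set 'Online' to also check CRLs
    $valid = $chain.Build($Cert)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $chain.Reset()
    New-Object PSObject -Property @{ Valid = $valid; Problems = $problems }
}

# 1. Every certificate Exchange knows about, the services it is enabled for
#    (IIS, SMTP, POP, IMAP, UM) and whether its chain builds on this machine.
$exCerts = Get-ExchangeCertificate
foreach ($c in $exCerts) {
    $ch = Test-CertChain $c
    $c | Select-Object Thumbprint, Services, NotAfter, IsSelfSigned, Subject,
        @{n='ChainValid';e={$ch.Valid}}, @{n='ChainProblems';e={$ch.Problems}}
}

# 2. HTTP.SYS SSL bindings: this is where the non-Exchange pieces of SBS live
#    (IIS sites, Remote Web Workplace, companyweb on 987, TS Gateway).
$bindings = @(); $ipPort = $null
netsh http show sslcert | ForEach-Object {
    if ($_ -match '^\s*IP:port\s*:\s*(\S+)') { $ipPort = $matches[1] }
    elseif ($_ -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
        $bindings += New-Object PSObject -Property @{ Binding = $ipPort; Thumbprint = $matches[1].ToUpper() }
    }
}
$bindings | Format-Table Binding, Thumbprint -AutoSize

# 3. Flag leftovers: any binding still on another thumbprint, and any
#    service-enabled Exchange cert whose chain is broken or expires within 30 days.
$bindings | Where-Object { $_.Thumbprint -ne $GoDaddyThumbprint.ToUpper() } |
    ForEach-Object { Write-Warning "Binding $($_.Binding) is not on the GoDaddy cert: $($_.Thumbprint)" }
$exCerts | Where-Object { $_.Services -ne 'None' } | ForEach-Object {
    $ch = Test-CertChain $_
    if (-not $ch.Valid -or $_.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "$($_.Thumbprint) [$($_.Services)] chain=$($ch.Problems) expires $($_.NotAfter)"
    }
}
```

A binding on an old self-signed thumbprint, or a service-enabled cert whose chain reports `UntrustedRoot` or `PartialChain`, is exactly what an external scanner will keep reporting until the wizard is rerun.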

David Johnson, CD, MVP (Owner) commented:
A good place to check your site is https://www.ssllabs.com

bhodge10 (Author) commented:
This was an issue I was dealing with for a while now, and with your help, the server is now PCI compliant.

Thanks!