Solved

Exchange 2010/OWA/SSL cert update questions

Posted on 2014-04-17
785 Views
Last Modified: 2014-04-18
Hi, all!  Infrastructure consists of an Exchange 2010 cluster (3 MB servers, 2 CAS servers in one location, one MB & CAS in another) with an OWA install sitting behind a Barracuda load balancer.  Config has been working fine for years, no problems, cert & OWA working perfectly.

Recently rekeyed our UCC SSL cert (GoDaddy).  SANs on certificate still set for our infrastructure, no DNS/AD changes, no hardware changes.  Installed the replacement cert on our IIS server, but OWA access now throwing errors (certificate revocation in browsers).  We can shut off cert revocation checks in IE and Firefox to ignore the issue, but that's not the question at the moment.

My question is about the process to update the cert, and whether I should expect any cert chain issues from the update.  The plan is to update the cert on the two CAS servers in the main office (IIS/OWA server already has updated cert installed; root web works fine [all green]), the remote CAS server, and our load balancer tonight, then set the services on the cert from the Exchange Management Console.  I'm fairly certain the errors being thrown now are because the cert on the OWA/IIS box doesn't match the cert on the CAS servers, so it's throwing an error (please correct me if my assumption is wrong).  I plan to import the .pfx file into the CAS servers and load balancer; is there a step that I'm missing in the process here, and since the configuration originally has been working correctly and the root CA hasn't changed, is this going to be a quick and dirty change, or should I expect other issues that I haven't foreseen?  As I mentioned, this was a re-key, and not a revocation/new cert.  My concern is that with the re-key something critical (like a correct certificate chain?) may have changed as a result of the certificate change.

Any thoughts and suggestions from someone who's been through this would be appreciated.  I'll be importing the re-keyed cert tonight.

Thanks!
Steve
Question by: Steve Bottoms
3 Comments
 
Accepted Solution by: kevinhsieh (LVL 42, earned 400 total points)
ID: 40008306
When a certificate gets rekeyed the old one gets revoked after a period of time. It looks like you have already passed your grace period to get all copies of your certificate replaced. You should be fine once you import the new certificate and private key into all systems and then make it the active certificate. The intermediate certificates should not have changed. We just went through this with a GoDaddy certificate due to the Heartbleed vulnerability.
 
Assisted Solution by: Simon Butler (Sembee) (LVL 63, earned 400 total points)
ID: 40008352
GoDaddy have recently changed the intermediate certificate for new certificate requests. Therefore if you have had your certificate replaced you should check that you have the NEW intermediate certificate on the servers.

Simon.
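The two answers above describe a procedure: import the rekeyed certificate and private key onto every CAS, confirm the issuing intermediate (which GoDaddy had changed for new issuances) is actually installed, and only then make the new certificate the active one. The following Exchange Management Shell script is an added example written for this page; it is not code from the thread or from Microsoft. The PFX path, the CAS server names, and the service list are assumptions, and the per-server intermediate check relies on PowerShell remoting (WinRM) being enabled between the CAS servers.

```powershell
# Added example, not from the original thread. Run from the Exchange Management
# Shell (Exchange 2010) on one CAS. Imports a rekeyed .pfx onto each CAS server,
# checks the chain (with online revocation checking) and the presence of the
# issuing intermediate, records the currently bound thumbprint for rollback,
# and only then binds services to the new certificate.
# Assumed values: PFX path, CAS server names, services bound to the old cert.

$pfxPath    = 'C:\certs\mail-rekeyed.pfx'   # assumed path to the rekeyed PFX
$casServers = 'CAS01', 'CAS02', 'CAS03'      # assumed server names
$services   = 'IIS', 'SMTP'                  # match whatever the old cert had

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$fileData    = [System.IO.File]::ReadAllBytes($pfxPath)

# Load the PFX locally first to read thumbprint, issuer and SANs before touching any server.
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$newCert.Import($fileData, $pfxPassword, 'DefaultKeySet')
Write-Host "New cert : $($newCert.Thumbprint)  $($newCert.Subject)"
Write-Host "Issuer   : $($newCert.Issuer)"
$newCert.Extensions |
    Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
    ForEach-Object { Write-Host "SANs     : $($_.Format($false))" }

function Test-CertChain {
    # Builds the chain with online revocation checking across the whole chain,
    # prints each element and its status, and returns $true only if it is fully valid.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $built = $chain.Build($Certificate)
    foreach ($element in $chain.ChainElements) {
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $status) { $status = 'OK' }
        Write-Host ('  {0}  {1}  [{2}]' -f $element.Certificate.Thumbprint, $element.Certificate.Subject, $status)
    }
    return $built
}

# A rekeyed cert issued under a newer intermediate will not chain on a box that
# only has the old intermediate, so stop here rather than bind a broken chain.
if (-not (Test-CertChain -Certificate $newCert)) {
    Write-Warning 'Chain does not build cleanly on this server; install the current intermediate first.'
    return
}

foreach ($server in $casServers) {
    Write-Host "`n=== $server ==="

    # Record the thumbprint IIS is bound to now, so the old binding can be restored.
    Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Services -match 'IIS' } |
        ForEach-Object { Write-Host "Currently bound to IIS: $($_.Thumbprint) (expires $($_.NotAfter))" }

    # Import the PFX (private key included) onto this server; nothing is bound yet.
    Import-ExchangeCertificate -Server $server -FileData $fileData -Password $pfxPassword -PrivateKeyExportable $true | Out-Null

    # The issuing intermediate must be in this server's own Intermediate CA store.
    $issuerPresent = Invoke-Command -ComputerName $server -ArgumentList $newCert.Issuer -ScriptBlock {
        param($issuer)
        [bool](Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Subject -eq $issuer })
    }
    if (-not $issuerPresent) {
        Write-Warning "$server has no intermediate with subject '$($newCert.Issuer)' in LocalMachine\CA; skipping."
        continue
    }

    # Switch the services over and show what Exchange now reports for the new cert.
    Enable-ExchangeCertificate -Server $server -Thumbprint $newCert.Thumbprint -Services $services -Force
    Get-ExchangeCertificate -Server $server -Thumbprint $newCert.Thumbprint |
        Format-List Thumbprint, Services, Status, NotAfter
}
```

The load balancer has no cmdlet and takes the same PFX through its own interface; after the cutover, check what clients actually receive by connecting to the public name with `openssl s_client -connect mail.example.com:443 -showcerts` (hostname assumed) and confirming that the served chain contains the new intermediate and that the leaf thumbprint matches the one printed above. That is the view in which the browser revocation error from the question would reappear if any hop were still serving the old certificate.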

Author Closing Comment by: Steve Bottoms
ID: 40008712
Thanks for your thoughts, guys!  It took about 20 minutes before the change "took" and everything was working again, but yeah, there were no gotchas that I came across.

Thanks for helping with the feedback!

Steve