Solved

Exchange 2010/OWA/SSL cert update questions

Posted on 2014-04-17
Last Modified: 2014-04-18
Hi, all!  Infrastructure consists of an Exchange 2010 cluster (3 MB servers, 2 CAS servers in one location, one MB & CAS in another) with an OWA install sitting behind a Barracuda load balancer.  Config has been working fine for years, no problems, cert & OWA working perfectly.

Recently rekeyed our UCC SSL cert (GoDaddy).  SANs on certificate still set for our infrastructure, no DNS/AD changes, no hardware changes.  Installed the replacement cert on our IIS server, but OWA access now throwing errors (certificate revocation in browsers).  We can shut off cert revocation checks in IE and Firefox to ignore the issue, but that's not the question at the moment.

My question is about the process to update the cert, and whether I should expect any cert chain issues from the update.  The plan is to update the cert on the two CAS servers in the main office (IIS/OWA server already has updated cert installed; root web works fine [all green]), the remote CAS server, and our load balancer tonight, then set the services on the cert from the Exchange Management Console.  I'm fairly certain the errors being thrown now are because the cert on the OWA/IIS box doesn't match the cert on the CAS servers, so it's throwing an error (please correct me if my assumption is wrong).  I plan to import the .pfx file into the CAS servers and load balancer; is there a step that I'm missing in the process here, and since the configuration originally has been working correctly and the root CA hasn't changed, is this going to be a quick and dirty change, or should I expect other issues that I haven't foreseen?  As I mentioned, this was a re-key, and not a revocation/new cert.  My concern is that with the re-key something critical (like a correct certificate chain?) may have changed as a result of the certificate change.

Any thoughts and suggestions from someone who's been through this would be appreciated.  I'll be importing the re-keyed cert tonight.

Thanks!
Steve
Question by:Steve Bottoms
3 Comments
 
Accepted Solution

by:
kevinhsieh earned 400 total points
ID: 40008306
When a certificate gets rekeyed the old one gets revoked after a period of time. It looks like you have already passed your grace period to get all copies of your certificate replaced. You should be fine once you import the new certificate and private key into all systems and then make it the active certificate. The intermediate certificates should not have changed. We just went through this with a GoDaddy certificate due to the Heartbleed vulnerability.
Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 400 total points
ID: 40008352
GoDaddy have recently changed the intermediate certificate for new certificate requests. Therefore if you have had your certificate replaced you should check that you have the NEW intermediate certificate on the servers.

Simon.
Author Closing Comment

by:Steve Bottoms
ID: 40008712
Thanks for your thoughts, guys!  It took about 20 minutes before the change "took" and everything was working again, but yeah, there were no gotchas that I came across.

Thanks for helping with the feedback!

Steve
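
The two checks raised in the answers above (every endpoint serving the re-keyed certificate, and the chain building cleanly with revocation checking on), as an added PowerShell example that is not part of the original thread. The host names and the thumbprint are placeholders to replace with your own values.

```powershell
# Added example. Endpoints and thumbprint are placeholders, not values from the thread.
$Endpoints = 'cas1.example.com', 'cas2.example.com', 'cas3.example.com', 'owa.example.com'
$NewThumb  = '<THUMBPRINT-OF-REKEYED-CERT>'

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so it can be inspected; validation is done separately.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Test-ServedChain {
    param([string]$HostName)
    $cert  = Get-ServedCertificate $HostName
    # Build the chain the way a strict client would: online revocation, every element.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($cert)

    New-Object PSObject -Property @{
        Endpoint    = $HostName
        Thumbprint  = $cert.Thumbprint
        IsNewCert   = ($cert.Thumbprint -eq $NewThumb)   # False: old cert still bound here
        NotBefore   = $cert.NotBefore
        ChainOk     = $ok
        # 'Revoked' here matches the browser error described in the question.
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        # Leaf <- intermediate <- root; compare the intermediate against the CA's current one.
        ChainPath   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

$Endpoints | ForEach-Object { Test-ServedChain $_ } |
    Format-List Endpoint, IsNewCert, Thumbprint, NotBefore, ChainOk, ChainStatus, ChainPath
```

The chain is built from the store of the machine running the script, so run it from a client that does not already have the intermediate cached if you want to see what an outside browser would see.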