Solved

Exchange 2010/OWA/SSL cert update questions

Posted on 2014-04-17
Last Modified: 2014-04-18
Hi, all!  Infrastructure consists of an Exchange 2010 cluster (3 MB servers, 2 CAS servers in one location, one MB & CAS in another) with an OWA install sitting behind a Barracuda load balancer.  Config has been working fine for years, no problems, cert & OWA working perfectly.

We recently rekeyed our UCC SSL cert (GoDaddy).  SANs on the certificate are still set for our infrastructure, no DNS/AD changes, no hardware changes.  Installed the replacement cert on our IIS server, but OWA access is now throwing errors (certificate revocation in browsers).  We can shut off cert revocation checks in IE and Firefox to ignore the issue, but that's not the question at the moment.

My question is about the process to update the cert, and whether I should expect any cert chain issues from the update.  The plan is to update the cert on the two CAS servers in the main office (the IIS/OWA server already has the updated cert installed; root web works fine [all green]), the remote CAS server, and our load balancer tonight, then set the services on the cert from the Exchange Management Console.  I'm fairly certain the errors being thrown now are because the cert on the OWA/IIS box doesn't match the cert on the CAS servers, so it's throwing an error (please correct me if my assumption is wrong).  I plan to import the .pfx file into the CAS servers and load balancer; is there a step that I'm missing in the process here, and since the configuration originally has been working correctly and the root CA hasn't changed, is this going to be a quick and dirty change, or should I expect other issues that I haven't foreseen?  As I mentioned, this was a re-key, and not a revocation/new cert.  My concern is that with the re-key something critical (like a correct certificate chain?) may have changed as a result of the certificate change.

Any thoughts and suggestions from someone who's been through this would be appreciated.  I'll be importing the re-keyed cert tonight.

Thanks!
Steve
Question by: Steve Bottoms
3 Comments

Accepted Solution

by: kevinhsieh (earned 100 total points)
ID: 40008306
When a certificate gets rekeyed, the old one gets revoked after a period of time. It looks like you have already passed your grace period to get all copies of your certificate replaced. You should be fine once you import the new certificate and private key into all systems and then make it the active certificate. The intermediate certificates should not have changed. We just went through this with a GoDaddy certificate due to the Heartbleed vulnerability.

Assisted Solution

by: Simon Butler (Sembee) (earned 100 total points)
ID: 40008352
GoDaddy have recently changed the intermediate certificate for new certificate requests. Therefore, if you have had your certificate replaced, you should check that you have the NEW intermediate certificate on the servers.

Simon.
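One way to carry out the steps the thread discusses (import the .pfx with its private key on each CAS, enable it for IIS, then confirm the chain builds with clean revocation status and that the intermediate certificate Simon mentions is actually in the local store), as an added example that is not from the original thread. The .pfx path and the CAS server names are placeholders, and the Exchange cmdlets assume an Exchange 2010 Management Shell session:

```powershell
# Added example, not code from the original thread. Assumptions (placeholders):
# $PfxPath is the re-keyed cert exported with its private key, $CasServers are
# the CAS server names. Run in the Exchange Management Shell on one CAS server.
$PfxPath     = 'C:\certs\rekeyed.pfx'
$CasServers  = 'CAS01', 'CAS02', 'CAS-REMOTE'
$PfxPassword = (Get-Credential).Password   # only the password field is used

function Test-InstalledCertChain {
    # Rebuilds the chain for an installed cert with online revocation checking,
    # then verifies the intermediates are really in LocalMachine\CA, which is
    # what IIS sends to clients (a chain can still "build" via AIA download).
    param([Parameter(Mandatory = $true)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "Thumbprint $Thumbprint not found in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-import the .pfx" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'       # same check the browsers perform
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $built = $chain.Build($cert)
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ('{0}: {1}' -f $s.Status, $s.StatusInformation.Trim())
    }

    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $missing = @()
    if ($elements.Count -gt 2) {                       # [0] is the leaf, [last] the root
        foreach ($ca in $elements[1..($elements.Count - 2)]) {
            if (-not (Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $_.Thumbprint -eq $ca.Thumbprint })) {
                $missing += $ca.Subject
            }
        }
    }
    New-Object PSObject -Property @{
        Thumbprint           = $Thumbprint
        ChainBuilds          = $built
        RevocationProblems   = @($chain.ChainStatus | Where-Object { $_.Status -match 'Revo' }).Count
        MissingIntermediates = $missing
    }
}

# 1. Import the .pfx (cert + private key) on every CAS and bind it to IIS (OWA/ECP/EWS/OAB);
#    add SMTP, POP or IMAP to -Services if those listeners should use the new cert too.
$pfxBytes = [Byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)
foreach ($srv in $CasServers) {
    $imported = Import-ExchangeCertificate -Server $srv -FileData $pfxBytes -Password $PfxPassword
    Enable-ExchangeCertificate -Server $srv -Thumbprint $imported.Thumbprint -Services IIS
}

# 2. Verify on this server (repeat on each CAS) before the load balancer is switched over.
Test-InstalledCertChain -Thumbprint $imported.Thumbprint | Format-List
```

A non-empty MissingIntermediates list means the server has the old intermediate only; import the CA's current intermediate into LocalMachine\CA and re-run the check.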
 

Author Closing Comment

by: Steve Bottoms
ID: 40008712
Thanks for your thoughts, guys!  It took about 20 minutes before the change "took" and everything was working again, but yeah, there were no gotchas that I came across.

Thanks for helping with the feedback!

Steve
