Solved

Exchange 2010/OWA/SSL cert update questions

Posted on 2014-04-17
3
770 Views
Last Modified: 2014-04-18
Hi, all!  Infrastructure consists of an Exchange 2010 cluster (3 MB servers, 2 CAS servers in one location, one MB & CAS in another) with an OWA install sitting behind a Barracuda load balancer.  Config has been working fine for years, no problems, cert & OWA working perfectly.

Recently rekeyed our UCC SSL cert (GoDaddy).  SANs on certificate still set for our infrastructure, no DNS/AD changes, no hardware changes.  Installed the replacement cert on our IIS server, but OWA access now throwing errors (certificate revocation in browsers).  We can shut off cert revocation checks in IE and Firefox to ignore the issue, but that's not the question at the moment.

My question is about the process to update the cert, and whether I should expect any cert chain issues from the update.  The plan is to update the cert on the two CAS servers in the main office (IIS/OWA server already has updated cert installed; root web works fine [all green]), the remote CAS server, and our load balancer tonight, then set the services on the cert from the Exchange Management Console.  I'm fairly certain the errors being thrown now are because the cert on the OWA/IIS box doesn't match the cert on the CAS servers, so it's throwing an error (please correct me if my assumption is wrong).  I plan to import the .pfx file into the CAS servers and load balancer; is there a step that I'm missing in the process here, and since the configuration originally has been working correctly and the root CA hasn't changed, is this going to be a quick and dirty change, or should I expect other issues that I haven't foreseen?  As I mentioned, this was a re-key, and not a revocation/new cert.  My concern is that with the re-key something critical (like a correct certificate chain?) may have changed as a result of the certificate change.

Any thoughts and suggestions from someone who's been through this would be appreciated.  I'll be importing the re-keyed cert tonight.

Thanks!
Steve
0
Question by:Steve Bottoms
3 Comments
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 100 total points
ID: 40008306
When a certificate gets rekeyed the old one gets revoked after a period of time. It looks like you have already passed your grace period to get all copies of your certificate replaced. You should be fine once you import the new certificate and private key into all systems and then make it the active certificate. The intermediate certificates should not have changed. We just went through this with a GoDaddy certificate due to the Heartbleed vulnerability.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 100 total points
ID: 40008352
GoDaddy have recently changed the intermediate certificate for new certificate requests. Therefore if you have had your certificate replaced you should check that you have the NEW intermediate certificate on the servers.

Simon.
0
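The import-and-enable steps Steve describes, combined with the intermediate-certificate check Simon recommends, as an added PowerShell example for the Exchange Management Shell (this is not code from the thread or from the participants). It validates the rekeyed PFX's chain with online revocation checking before anything is changed, then imports and enables it on each CAS server. `$PfxPath`, `$CasServers` and `$Services` are assumed placeholder values; the `-Server` parameter on the Exchange certificate cmdlets is the Exchange 2010 SP1 form.

```powershell
# Added example, not code from the original thread. Stages a rekeyed PFX on
# Exchange 2010 Client Access servers, verifies the chain (root and
# intermediate, with online revocation checking) first, and only then enables
# the certificate for IIS/OWA. Run from the Exchange Management Shell.
# $PfxPath, $CasServers and $Services are assumed values for illustration.

$PfxPath    = 'C:\certs\rekeyed-owa.pfx'     # assumption: exported PFX containing the private key
$CasServers = @('CAS01', 'CAS02', 'CAS03')    # assumption: your CAS server names
$Services   = 'IIS'                           # add SMTP/POP/IMAP if the old cert carried them

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Builds the chain the way a browser does (whole chain, online revocation) and
# lists every problem, e.g. PartialChain when the CA's new intermediate is not
# in the local Intermediate Certification Authorities store, or Revoked /
# RevocationStatusUnknown, which is what end users see as a revocation error.
function Test-CertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($Cert)
    New-Object PSObject -Property @{
        Subject  = $Cert.Subject
        Valid    = $valid
        Chain    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Problems = @($chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() })
    }
}

# 1. Check the PFX on this machine before touching any Exchange server.
#    A three-element chain (leaf, intermediate, root) with no problems is expected.
$local = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $pfxPassword)
$check = Test-CertChain -Cert $local
$check | Format-List Subject, Valid, Chain, Problems
if (-not $check.Valid) {
    Write-Warning 'Chain does not validate here; install the CA''s current intermediate certificate first.'
    return
}

# 2. Import the PFX (with private key) on each CAS server and enable it for OWA.
#    Enable-ExchangeCertificate is what the "assign services" step in the EMC does.
$fileData = [System.IO.File]::ReadAllBytes($PfxPath)
foreach ($server in $CasServers) {
    $imported = Import-ExchangeCertificate -Server $server -FileData $fileData `
                    -Password $pfxPassword -PrivateKeyExportable $true
    Enable-ExchangeCertificate -Server $server -Thumbprint $imported.Thumbprint `
                    -Services $Services -Force

    # 3. Confirm which services the new thumbprint is now bound to on that server.
    #    The chain itself must be re-checked on each server (or via an external
    #    TLS test), because Test-CertChain only consults this machine's stores.
    $active = Get-ExchangeCertificate -Server $server -Thumbprint $imported.Thumbprint
    '{0}: thumbprint={1} services={2} notAfter={3}' -f $server, $active.Thumbprint, $active.Services, $active.NotAfter
}
```

The chain test is deliberately run before the import so that a missing or outdated intermediate surfaces as a `PartialChain` or `UntrustedRoot` status on the admin's console rather than as a browser error for OWA users; once the thumbprint is enabled for IIS, the load balancer in front of the CAS servers still needs the same PFX imported separately, as the question notes.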
 

Author Closing Comment

by:Steve Bottoms
ID: 40008712
Thanks for your thoughts, guys!  It took about 20 minutes before the change "took" and everything was working again, but yeah, there were no gotchas that I came across.

Thanks for helping with the feedback!

Steve
0
