Solved

Exchange 2010/OWA/SSL cert update questions

Posted on 2014-04-17
Last Modified: 2014-04-18
Hi, all!  Infrastructure consists of an Exchange 2010 cluster (3 MB servers, 2 CAS servers in one location, one MB & CAS in another) with an OWA install sitting behind a Barracuda load balancer.  Config has been working fine for years, no problems, cert & OWA working perfectly.

Recently rekeyed our UCC SSL cert (GoDaddy).  SANs on certificate still set for our infrastructure, no DNS/AD changes, no hardware changes.  Installed the replacement cert on our IIS server, but OWA access now throwing errors (certificate revocation in browsers).  We can shut off cert revocation checks in IE and Firefox to ignore the issue, but that's not the question at the moment.

My question is about the process to update the cert, and whether I should expect any cert chain issues from the update.  The plan is to update the cert on the two CAS servers in the main office (IIS/OWA server already has updated cert installed; root web works fine [all green]), the remote CAS server, and our load balancer tonite, then set the services on the cert from the Exchange Management Console.  I'm fairly certain the errors being thrown now are because the cert on the OWA/IIS box doesn't match the cert on the CAS servers, so it's throwing an error (please correct me if my assumption is wrong).  I plan to import the .pfx file into the CAS servers and load balancer; is there a step that I'm missing in the process here, and since the configuration originally has been working correctly and the root CA hasn't changed, is this going to be a quick and dirty change, or should I expect other issues that I haven't foreseen?  As I mentioned, this was a re-key, and not a revocation/new cert.  My concern is that with the re-key something critical (like a correct certificate chain?) may have changed as a result of the certificate change.

Any thoughts and suggestions from someone who's been through this would be appreciated.  I'll be importing the re-keyed cert tonite.

Thanks!
Steve
Question by:Steve Bottoms
3 Comments
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 100 total points
ID: 40008306
When a certificate gets rekeyed, the old one gets revoked after a period of time. It looks like you have already passed your grace period to get all copies of your certificate replaced. You should be fine once you import the new certificate and private key into all systems and then make it the active certificate. The intermediate certificates should not have changed. We just went through this with a GoDaddy certificate due to the Heartbleed vulnerability.
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 100 total points
ID: 40008352
GoDaddy have recently changed the intermediate certificate for new certificate requests. Therefore if you have had your certificate replaced you should check that you have the NEW intermediate certificate on the servers.

Simon.
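
The two answers above come down to checking that every endpoint presents the re-keyed certificate and that its chain, intermediate included, passes a revocation check. The PowerShell below is an added example, not part of the original thread, that reports this per endpoint. The host names are placeholders, and PowerShell 3.0 or later on an admin workstation is assumed.

```powershell
# Endpoints that must all present the re-keyed certificate.
# Placeholder names (assumed): substitute your CAS servers, OWA/IIS host and load balancer VIP.
$endpoints = 'cas1.example.com', 'cas2.example.com', 'cas-remote.example.com', 'owa.example.com'

function Get-EndpointCertReport {
    param([string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented so a revoked or mismatched cert can be inspected
        # instead of aborting the handshake. Used for inspection only.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Rebuild the chain with an online revocation check, as the browsers do.
        # The chain is built from this machine's view (local stores plus AIA download),
        # so also confirm the intermediate is installed on each server itself.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chainOk = $chain.Build($cert)

        [pscustomobject]@{
            Endpoint    = "${HostName}:$Port"
            Thumbprint  = $cert.Thumbprint
            NotBefore   = $cert.NotBefore
            ChainOk     = $chainOk
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            ChainPath   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        }
    }
    catch {
        [pscustomobject]@{ Endpoint = "${HostName}:$Port"; Thumbprint = $null; Error = $_.Exception.Message }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$report = $endpoints | ForEach-Object { Get-EndpointCertReport -HostName $_ }
$report | Format-List

# More than one distinct thumbprint means some endpoint still serves the old certificate.
$thumbs = @($report | Where-Object { $_.Thumbprint } | ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)
if ($thumbs.Count -gt 1) { Write-Warning 'Endpoints are not all serving the same certificate.' }
```

An endpoint still holding the pre-rekey certificate shows a different thumbprint, and once the CA has revoked that certificate, `Revoked` appears in its `ChainStatus`.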
 

Author Closing Comment

by:Steve Bottoms
ID: 40008712
Thanks for your thoughts, guys!  It took about 20 minutes before the change "took" and everything was working again, but yeah, there were no gotchas that I came across.

Thanks for helping with the feedback!

Steve