Solved

Generating a Certificate Signing Request (CSR) - Exchange Server 2010

Posted on 2014-09-09
Last Modified: 2014-09-10
We are trying to generate a Certificate Signing Request for an Exchange Server 2010. We are not changing any settings and we are trying to keep everything the same but the company that will issue the Certificate stated that you cannot use the same CSR information because it is Microsoft.  

We are not sure of the services and settings configuration. Is there any way to look up or retrieve the current configuration on the existing server so we can get everything right?
Question by:regsamp
29 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40313041
You can use the existing CSR happily - as long as it doesn't contain any .local domain names in it.

If there are - remove them and get the certificate.

Once downloaded, you will have to install it, fix the Private Key, then enable it.

Who is the certificate company?

Alan

Author Comment

by:regsamp
ID: 40313056
It is GoDaddy.com and they are saying that we cannot use the existing CSR even though they have an option for it when requesting the CSR on their site. It just looks like unicode when I look at it. Where are the local domain names?

Author Comment

by:regsamp
ID: 40313061
(attached screenshot: untitled.JPG)
LVL 28

Expert Comment

by:becraig
ID: 40313062
Since there is absolutely nothing that will break by creating a new CSR, I would say just go ahead and generate a new one.

Steps to generate a new CSR:
Here are the go-daddy step by step instructions
https://support.godaddy.com/help/article/6086/generating-a-certificate-signing-request-csr-exchange-server-2010

Here are the digicert instructions:
https://www.digicert.com/csr-creation-microsoft-exchange-2010.htm

Author Comment

by:regsamp
ID: 40313066
I was under the impression that if we don't list the right services then we can have issues with people who use their smart phones to get email or the web access site? Is this not true?
LVL 28

Expert Comment

by:becraig
ID: 40313094
No issues with any services.
Once you assign the certificate correctly that is all that you need.

The concept is the certificate will be installed in the local certificate store on the server in question and you will assign it to the required services.

Author Comment

by:regsamp
ID: 40313103
But how do we validate the local domain names and what services are existing on the current certificate so we can match it up? We have not done this in years and we want to make sure we do it right. We have not changed anything so if we can just match the information we should be okay.
LVL 28

Expert Comment

by:becraig
ID: 40313127
Ok so if you need to know what the current internal configs are, simply run the below commands:
# Exchange Management Shell; *lur* matches InternalUrl, ExternalUrl and AutoDiscoverServiceInternalUri
Get-ActiveSyncVirtualDirectory   | ft server,*lur* -AutoSize
Get-AutodiscoverVirtualDirectory | ft server,*lur* -AutoSize
Get-ClientAccessServer           | ft name,  *lur* -AutoSize
Get-EcpVirtualDirectory          | ft server,*lur* -AutoSize
Get-OabVirtualDirectory          | ft server,*lur* -AutoSize
Get-OwaVirtualDirectory          | ft server,*lur* -AutoSize
Get-WebServicesVirtualDirectory  | ft server,*lur* -AutoSize

These will give you the internal and external URLs. You will then have to update any internal ".local" values to match the .com values and also create an internal DNS record to point a .com record to your internal server IP address.

https://exchangemaster.wordpress.com/tag/split-dns/


Also a previously answered question to help you if any actual changes are needed.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28410114.html
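To see everything those Get-* commands return as one list, and to check the host names in it against the names you intend to put in the CSR, here is an added example; it is the editor's code, not code from the thread. Get-ExchangeClientUrl needs the Exchange Management Shell (it uses the same cmdlets as above). The other two functions are plain PowerShell and are shown running on constructed sample URLs; the example.com names and the suffix list used to flag internal-only names are assumptions. Anything the coverage check reports as not covered needs either a SAN entry or one of the Set-*VirtualDirectory changes discussed in this thread before the request is submitted.

```powershell
# Added example, not code from the thread. Inventories the Exchange 2010
# client-access URLs, lists the host names they use, and checks those names
# against the SAN list you plan to request.

# Exchange Management Shell only: same objects the thread's
# Get-*VirtualDirectory and Get-ClientAccessServer commands print.
function Get-ExchangeClientUrl {
    $objects = @(
        Get-ActiveSyncVirtualDirectory
        Get-AutodiscoverVirtualDirectory
        Get-EcpVirtualDirectory
        Get-OabVirtualDirectory
        Get-OwaVirtualDirectory
        Get-WebServicesVirtualDirectory
        Get-ClientAccessServer            # carries AutoDiscoverServiceInternalUri
    )
    foreach ($o in $objects) {
        foreach ($p in 'InternalUrl', 'ExternalUrl', 'AutoDiscoverServiceInternalUri') {
            if ($o.PSObject.Properties[$p] -and $o.$p) { [string]$o.$p }
        }
    }
}

# Plain PowerShell: distinct host names behind a list of URLs. InternalOnly
# flags names a public CA will not issue: single-label names, IP addresses and
# non-public suffixes (the suffix list is an assumption; extend it as needed).
function Get-HostNameReport {
    param([string[]]$Url)
    $hosts = @{}
    foreach ($u in $Url) {
        $uri = $null
        if (-not [System.Uri]::TryCreate($u, [System.UriKind]::Absolute, [ref]$uri)) { continue }
        $name = $uri.Host.ToLowerInvariant()
        if (-not $hosts.ContainsKey($name)) {
            $ip = $null
            $internal = ($name -notmatch '\.') -or
                        ($name -match '\.(local|lan|internal)$') -or
                        [System.Net.IPAddress]::TryParse($name, [ref]$ip)
            $hosts[$name] = New-Object PSObject -Property @{
                HostName     = $name
                InternalOnly = [bool]$internal
                Urls         = @()
            }
        }
        $hosts[$name].Urls += $u
    }
    $hosts.Values | Sort-Object HostName
}

# Plain PowerShell: which host names does a certificate's name list cover?
# A wildcard entry (*.example.com) matches exactly one extra label, which is
# how browsers and Outlook treat it.
function Test-NameCoverage {
    param([string[]]$HostName, [string[]]$CertificateDomain)
    foreach ($hn in $HostName) {
        $hn = $hn.ToLowerInvariant()
        $covered = $false
        foreach ($dn in $CertificateDomain) {
            $dn = $dn.ToLowerInvariant()
            if ($dn -eq $hn) { $covered = $true; break }
            if ($dn.StartsWith('*.') -and $hn.EndsWith($dn.Substring(1))) {
                $prefix = $hn.Substring(0, $hn.Length - $dn.Length + 1)   # labels left of the suffix
                if ($prefix -notmatch '\.') { $covered = $true; break }
            }
        }
        New-Object PSObject -Property @{ HostName = $hn; Covered = $covered }
    }
}

# Constructed sample input so the report runs outside EMS; inside EMS use:
#   $urls = Get-ExchangeClientUrl
$urls = @(
    'https://mail.example.com/owa'
    'https://mail.example.com/Microsoft-Server-ActiveSync'
    'https://mail.example.com/ecp'
    'https://mail.example.com/oab'
    'https://autodiscover.example.com/autodiscover/autodiscover.xml'
    'https://exch01.corp.local/EWS/Exchange.asmx'        # internal FQDN left over
    'https://exch01/autodiscover/autodiscover.xml'       # single-label name
)
$report = Get-HostNameReport -Url $urls
$report | Format-Table HostName, InternalOnly, @{ n = 'UrlCount'; e = { $_.Urls.Count } } -AutoSize

# Names you intend to request (constructed). Anything not covered needs a SAN
# entry or a Set-*VirtualDirectory change before the CSR goes to the CA.
$planned = 'mail.example.com', 'autodiscover.example.com'
Test-NameCoverage -HostName ($report | ForEach-Object { $_.HostName }) -CertificateDomain $planned |
    Format-Table HostName, Covered -AutoSize
```

With the constructed input, exch01.corp.local and exch01 come back flagged InternalOnly and not covered by the planned names, which is exactly the pair of URLs that has to be repointed at a public name rather than added to the certificate.
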
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 166 total points
ID: 40313131
What you are seeing in the CSR request is encrypted.  Click next and it will show you the names included in old CSR.

Edit those to remove any .local names and request the certificate.

You can change the config of Exchange to get it to look to the public (external) FQDN not the internal FQDN by running the following commands in the Exchange Management Shell:

Set-AutodiscoverVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-ClientAccessServer -Identity * -AutoDiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/oab"
Set-OwaVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/owa"
Set-EcpVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/ecp"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/Microsoft-Server-ActiveSync"

Just change mail.domain.com to an FQDN included in your SSL certificate.

Alan

Author Comment

by:regsamp
ID: 40313142
"What you are seeing in the CSR request is encrypted.  Click next and it will show you the names included in old CSR."   When I do this it does not show the names included in the CSR.
LVL 28

Expert Comment

by:becraig
ID: 40313152
Again let me reiterate, creating a NEW CSR has ABSOLUTELY NO IMPACT on anything.

You can get the current urls from the actual certificate itself by looking at the subject / Subject alternative names and simply follow the go-daddy instructions.
Or you can alternatively use the commands I gave you above to get the external url values to be included in the new CSR.
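An added example (the editor's code, not the thread's) of reading the subject alternative names and the private-key status straight from the server's certificate store, which is where the names a CA put into the current certificate can always be found. Get-CertificateNameReport is plain PowerShell over Cert:\LocalMachine\My and runs on any Windows host; the "DNS Name=" label it parses is the English-locale rendering of the SAN extension, which is an assumption. The Get-ExchangeCertificate call at the end only works in the Exchange Management Shell and is what lists the services (IIS, SMTP, POP, IMAP, UM) each certificate is bound to, the other half of what was asked about. The certutil path at the bottom is a placeholder.

```powershell
# Added example, not from the thread. For each certificate in the machine
# store: subject, SAN names, expiry, and whether the private key is present
# (the link that certutil -repairstore restores when it is missing).
function Get-CertificateNameReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names = @()
        if ($sanExt) {
            # Format($false) renders the extension as one line such as
            # "DNS Name=mail.example.com, DNS Name=autodiscover.example.com"
            # (English-locale label assumed here).
            $names = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            SerialNumber  = $cert.SerialNumber
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            SanNames      = @($names)
            InternalNames = @($names | Where-Object { $_ -notmatch '\.' -or $_ -match '\.local$' })
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
        }
    }
}

# The certificate currently usable for services: has its key and is not expired.
Get-CertificateNameReport |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Format-List Subject, SanNames, InternalNames, NotAfter, HasPrivateKey, SerialNumber

# Inside the Exchange Management Shell, Exchange's own view adds the services
# each certificate is bound to (IIS, SMTP, POP, IMAP, UM) and lists pending
# requests, which show Status PendingRequest and Services None.
if (Get-Command Get-ExchangeCertificate -ErrorAction SilentlyContinue) {
    Get-ExchangeCertificate |
        Format-List Thumbprint, CertificateDomains, Services, Status, NotAfter, IsSelfSigned
}

# A saved request file is base64 text, not ciphertext. certutil prints the
# subject and the Subject Alternative Name list it carries (placeholder path):
#   certutil -dump C:\certs\mail.example.com.req
```

The InternalNames column is the quick answer to "do we have any .local names": if it is empty for the certificate in use, the same name list can be requested again.
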

Author Comment

by:regsamp
ID: 40313156
"You can get the current urls from the actual certificate itself by looking at the subject / Subject alternative names and simply follow the go-daddy instructions."  But where is this?  I am also using the commands to try and see.

Author Comment

by:regsamp
ID: 40313173
I got them but I still don't know how to tell which services are running in connection and if they are with which URL. For example POP/IMAP, UMS, Hub Transport, Legacy, etc.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40313174
On the screen after the CSR encrypted info you should see the Subject Alternative Names.

Those are the names included in the existing CSR.

Author Comment

by:regsamp
ID: 40313203
And if we want to keep them can't we just leave them there as we want to use the same? GoDaddy is also saying we cannot use the previous CSR even though they have that option.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40313247
If the previous CSR contains .local names then you can use the CSR and then remove the .local names.

I regularly buy certs from GoDaddy for customers and have regularly re-used previous CSRs without a problem.

Author Comment

by:regsamp
ID: 40313259
But the new CSR can have the previous .local names because they are all the same. We can use the same CSR and we won't have to change the key or anything when we get our Cert?
LVL 28

Expert Comment

by:becraig
ID: 40313273
You will not be able to get a new cert with the .local names. As Alan indicated above, if you want to re-use the CSR, continue the wizard and change the *.local names to match the other external URL, e.g. mail.xxx.com


Once you have the new certificate, all you will have to do is run certutil -repairstore my <serialnumber>
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40313286
You should be able to get a 1 year cert with .local names included, but any cert that expires after the 1st Nov 2015 won't be issued with .local names in it.

Alan

Author Comment

by:regsamp
ID: 40313289
I am confused by what is the .local names. All I have listed under the CSR is Subject Alt Names - 0 of 5 domains remaining. I am not seeing anything local and we are not changing any names at all.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40313296
0 of 5 remaining says you have 5 names included in the certificate.

It should show you the Subject Alternate Names - make sure you explore the whole page in your browser or use a different browser as you may see something that's missing in a different one.

I use Chrome and they show up happily in there.
LVL 28

Expert Comment

by:becraig
ID: 40313297
If you have no *.local names then you can simply proceed to re-use your CSR and then do the certutil repairstore once you have the new certificate.
LVL 76

Expert Comment

by:Alan Hardisty
ID: 40313299
The .local names are usually servername.internaldomain.local (assuming your internal domain name ends with a .local suffix).

Author Comment

by:regsamp
ID: 40313309
There are no .local names and the 5 names being used are the exact ones we want as they are the same from last time. What is this? "certutil repairstore once you have the new certificate."

And are you sure we can just check the use previous csr and then just change the key as I have talked to GoDaddy on the phone and they are insisting you cannot do this with Exchange 2010?

Author Comment

by:regsamp
ID: 40313315
We don't have anything with a .local suffix
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 167 total points
ID: 40313388
To get a certificate request completed you are going to need a pending request.
If you don't have a pending request then you cannot complete the certificate when it arrives from the vendor.

If you already have a certificate with the relevant settings, just right click on it and choose Renew Certificate. That will generate a new Pending Request and CSR, with all of the same settings as the original certificate.

Although I do think you are making this more difficult than it needs to be. So you need a CSR? There is a wizard to step through, which you can ignore most of the steps to get to the point where you enter the URLs. Enter what you need (mail.example.com, Autodiscover.example.com), click next, enter the company information, job done.

Simon.

Author Comment

by:regsamp
ID: 40313414
I just need a CSR and I am just trying to keep the ending certificate result as close to what we have now. I am getting conflicting news that we have to create a new CSR request from GoDaddy and others saying I can just use the previous CSR, change the key and we should be good to go. I am probably making this more difficult than it is. We have not done it for three years so it is something you just forget.
LVL 28

Accepted Solution

by:becraig
becraig earned 167 total points
ID: 40313422
Ok so before you get confused any further, here are good instructions to create a renewal.

Just upload the CSR that you generate to Go-Daddy and complete:
https://www.digicert.com/ssl-certificate-renewal-exchange-2010.htm
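The two points made above, that completing a certificate needs a matching pending request and that a renewal is just a new request carrying the old names, come down to a short sequence in the Exchange Management Shell. The following is an added example, the editor's code rather than the thread's or the linked guides'; mail.example.com, the organization details and C:\certs are placeholders. One caveat on the CSR-reuse discussion: a request is bound to the key pair it was generated from, so submitting last year's CSR means the new certificate uses last year's private key, and it will only pair with that key if the key still exists on the server. A fresh request rotates the key and avoids the certutil -repairstore step entirely.

```powershell
# Added example, not from the thread. Exchange 2010 renewal with a new key
# pair, end to end. Names, organization details and paths are placeholders;
# run in the Exchange Management Shell as an Exchange administrator.

$names   = 'mail.example.com', 'autodiscover.example.com'   # public names only
$reqPath = 'C:\certs\mail.example.com.req'                   # CSR to paste at the CA
$cerPath = 'C:\certs\mail.example.com.cer'                   # file the CA returns

# The certificate in use today, kept so its names can be copied and so it can
# be retired at the end.
$current = Get-ExchangeCertificate -DomainName 'mail.example.com' |
    Where-Object { $_.Status -eq 'Valid' -and -not $_.IsSelfSigned } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

# 1. Pending request. Exchange creates a NEW key pair, keeps the private key
#    with the request, and returns the base64 CSR text (encoded, not encrypted).
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=mail.example.com, O=Example Corp, L=Springfield, S=IL, C=US' `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path $reqPath -Value $csr -Encoding ASCII

#    Alternative with the same effect as "Renew Certificate" in the console:
#    copy the names from the certificate in use instead of listing them.
#      Get-ExchangeCertificate -Thumbprint $current.Thumbprint |
#          New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true

# 2. The request now sits alongside the certificates, bound to no services.
Get-ExchangeCertificate | Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-List Thumbprint, CertificateDomains, Services

# 3. Complete it with the issued certificate. Import pairs the file with the
#    pending request's private key by public key.
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0))

# 4. Only needed if the certificate was completed outside Exchange (MMC,
#    certreq) and lost its key link: re-pair it by serial number.
if (-not $cert.HasPrivateKey) {
    & certutil -repairstore my $cert.SerialNumber
}

# 5. Binding services is the only step clients notice. SMTP prompts before
#    replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP, POP, IMAP

# 6. Verify, then retire the old certificate once nothing references it.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List CertificateDomains, Services, NotAfter, HasPrivateKey
#   Remove-ExchangeCertificate -Thumbprint $current.Thumbprint
```

Step 3 is why a reused CSR can fail: if the request that produced it is no longer pending and its key is gone, there is nothing for the import to pair the certificate with, and no amount of certutil -repairstore can recreate a private key that was never on the box.
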

Author Comment

by:regsamp
ID: 40313455
Okay, thank you. Let me take a look at this.