Generating a Certificate Signing Request (CSR) - Exchange Server 2010

We are trying to generate a Certificate Signing Request for an Exchange Server 2010. We are not changing any settings and we are trying to keep everything the same but the company that will issue the Certificate stated that you cannot use the same CSR information because it is Microsoft.  

We are not sure of the services and settings configuration. Is there any way to look up or retrieve the current configuration on the existing server so we can get everything right?
regsamp asked:
Alan Hardisty (Co-Owner) commented:
You can use the existing CSR happily - as long as it doesn't contain any .local domain names in it.

If there are - remove them and get the certificate.

Once downloaded, you will have to install it, fix the Private Key, then enable it.

Who is the certificate company?

Alan
0
regsamp (Author) commented:
It is GoDaddy.com and they are saying that we cannot use the existing CSR even though they have an option for it when requesting the CSR on their site. It just looks like unicode when I look at it. Where are the local domain names?
0
regsamp (Author) commented:
[attachment: untitled.JPG]
0

becraig commented:
Since there is absolutely nothing that will break you by creating a new CSR I would say just go ahead and generate a new one.

Steps to generate a new CSR:
Here are the go-daddy step by step instructions
https://support.godaddy.com/help/article/6086/generating-a-certificate-signing-request-csr-exchange-server-2010

Here are the digicert instructions:
https://www.digicert.com/csr-creation-microsoft-exchange-2010.htm
0
regsamp (Author) commented:
I was under the impression if we don't list the right services then we can have issues with people who use their smart phones to get email or the web access site? Is this not true?
0
becraig commented:
No issues with any services.
Once you assign the certificate correctly that is all that you need.

The concept is the certificate will be installed in the local certificate store on the server in question and you will assign it to the required services.
0
regsamp (Author) commented:
But how do we validate the local domain names and what services are existing on the current certificate so we can match it up? We have not done this in years and we want to make sure we do it right. We have not changed anything so if we can just match the information we should be okay.
0
becraig commented:
Ok so if you need to know what the current internal configs are, simply run the below commands:
Get-ActiveSyncVirtualDirectory   | ft Server,*Url* -AutoSize
Get-AutodiscoverVirtualDirectory | ft Server,*Url* -AutoSize
Get-ClientAccessServer           | ft Name,  *Uri* -AutoSize
Get-EcpVirtualDirectory          | ft Server,*Url* -AutoSize
Get-OabVirtualDirectory          | ft Server,*Url* -AutoSize
Get-OwaVirtualDirectory          | ft Server,*Url* -AutoSize
Get-WebServicesVirtualDirectory  | ft Server,*Url* -AutoSize

These will give you the internal and external URLs. You will then have to update any internal ".local" values to match the .com values and also create an internal DNS record to point a .com record to your internal server IP address.

https://exchangemaster.wordpress.com/tag/split-dns/


Also a previously answered question to help you if any actual changes are needed.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28410114.html
0
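The commands above print the URLs one cmdlet at a time, and the asker's follow-up question is which names actually need to be on the certificate and which services use them. The script below is an added example (not from the original thread) that gathers every host name Exchange 2010 hands out to clients in one pass, flags the ones a public CA will not issue for, and compares them with the names and services on the certificate currently bound to IIS. It is meant to be run in the Exchange Management Shell on the server; the list of private suffixes and the column widths are assumptions, and wildcard names on the certificate are not matched.

```powershell
# Added example, not from the original thread. Run in the Exchange Management
# Shell on an Exchange 2010 server. Collects every host name Exchange hands out
# (virtual directory URLs, the Autodiscover SCP, POP/IMAP and receive-connector
# FQDNs), marks names a public CA cannot issue for, and compares the result with
# the certificate currently enabled for IIS.
# Assumption: these are the suffixes your internal-only zones use.
$privateSuffixes = '\.local$', '\.lan$', '\.internal$'

$found = @()   # one record per name: Source, Server, Name

function Add-Name {
    param($Source, $Server, $Value)
    if (-not $Value) { return }
    # Values are either a URL (https://host/path) or a bare FQDN (connectors, POP/IMAP).
    $name = if ($Value -match '^[a-z]+://') { ([System.Uri]$Value).Host } else { [string]$Value }
    $script:found += New-Object PSObject -Property @{
        Source = $Source; Server = [string]$Server; Name = $name.ToLower()
    }
}

$vdirCmdlets = 'Get-ActiveSyncVirtualDirectory', 'Get-AutodiscoverVirtualDirectory',
               'Get-EcpVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-OwaVirtualDirectory', 'Get-WebServicesVirtualDirectory'

foreach ($cmd in $vdirCmdlets) {
    $label = $cmd -replace '^Get-', ''
    foreach ($vdir in @(& $cmd)) {
        Add-Name "$label.InternalUrl" $vdir.Server $vdir.InternalUrl
        Add-Name "$label.ExternalUrl" $vdir.Server $vdir.ExternalUrl
    }
}
# Autodiscover SCP used by domain-joined Outlook clients
foreach ($cas in @(Get-ClientAccessServer)) {
    Add-Name 'AutoDiscoverServiceInternalUri' $cas.Name $cas.AutoDiscoverServiceInternalUri
}
# Names presented for SMTP TLS and for POP/IMAP (only matter if those services are used)
foreach ($rc in @(Get-ReceiveConnector)) { Add-Name 'ReceiveConnector.Fqdn'    $rc.Server   $rc.Fqdn }
foreach ($p  in @(Get-PopSettings))      { Add-Name 'POP.X509CertificateName'  $p.Identity  $p.X509CertificateName }
foreach ($i  in @(Get-ImapSettings))     { Add-Name 'IMAP.X509CertificateName' $i.Identity  $i.X509CertificateName }

$names = $found | ForEach-Object { $_.Name } | Sort-Object -Unique

"`nNames Exchange hands out, and whether a public CA can issue for them:"
foreach ($n in $names) {
    $private = $false
    foreach ($re in $privateSuffixes) { if ($n -match $re) { $private = $true } }
    $sources = ($found | Where-Object { $_.Name -eq $n } |
                ForEach-Object { $_.Source } | Sort-Object -Unique) -join ', '
    $verdict = if ($private) { 'NOT ISSUABLE - repoint with Set-*VirtualDirectory' } else { 'include in CSR' }
    '{0,-40} {1,-48} {2}' -f $n, $verdict, $sources
}

# The certificate bound to IIS is the one OWA, ECP, EWS, OAB, ActiveSync and
# Autodiscover clients see; compare its names with what is configured.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
           Sort-Object NotAfter -Descending | Select-Object -First 1

if ($iisCert) {
    $certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    "`nBound to services: $($iisCert.Services); expires $($iisCert.NotAfter); thumbprint $($iisCert.Thumbprint)"
    "Names on that certificate: $($certNames -join ', ')"
    # Note: a wildcard entry (*.example.com) on the certificate is not expanded here.
    $missing = $names | Where-Object { $certNames -notcontains $_ }
    if ($missing) { "Configured names NOT on the current certificate: $($missing -join ', ')" }
    else          { 'Every configured name is covered by the current certificate.' }
} else {
    'No certificate is enabled for IIS on this server.'
}
```

Any name reported as NOT ISSUABLE has to be repointed to a public FQDN (the Set-*VirtualDirectory commands later in this thread) and given an internal DNS record before the new certificate goes live, otherwise internal Outlook and ActiveSync clients will get a name-mismatch warning.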
Alan Hardisty (Co-Owner) commented:
What you are seeing in the CSR request is encrypted.  Click next and it will show you the names included in old CSR.

Edit those to remove any .local names and request the certificate.

You can change the config of Exchange to get it to look to the public (external) FQDN not the internal FQDN by running the following commands in the Exchange Management Shell:

Set-AutodiscoverVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-ClientAccessServer -Identity * -AutoDiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/oab"
Set-OwaVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/owa"
Set-EcpVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/ecp"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/Microsoft-Server-ActiveSync"

Just change mail.domain.com to an FQDN included in your SSL certificate.

Alan
0
regsamp (Author) commented:
"What you are seeing in the CSR request is encrypted.  Click next and it will show you the names included in old CSR."   When I do this it does not show the names included in the CSR.
0
becraig commented:
Again let me reiterate, creating a NEW CSR has ABSOLUTELY NO IMPACT on anything.

You can get the current urls from the actual certificate itself by looking at the subject / Subject alternative names and simply follow the go-daddy instructions.
Or you can alternatively use the commands I gave you above to get the external url values to be included in the new CSR.
0
regsamp (Author) commented:
"You can get the current urls from the actual certificate itself by looking at the subject / Subject alternative names and simply follow the go-daddy instructions."  But where is this?  I am also using the commands to try and see.
0
regsamp (Author) commented:
I got them but I still don't know how to tell which services are running in connection and if they are with which URL. For example POP/IMAP, UMS, Hub Transport, Legacy, etc.
0
Alan Hardisty (Co-Owner) commented:
On the screen after the CSR encrypted info you should see the Subject Alternative Names.

Those are the names included in the existing CSR.
0
regsamp (Author) commented:
And if we want to keep them can't we just leave them there as we want to use the same?  GoDaddy is also saying we cannot use the previous CSR even though they have that option
0
Alan Hardisty (Co-Owner) commented:
If the previous CSR contains .local names then you can use the CSR and then remove the .local names.

I regularly buy certs from GoDaddy for customers and have regularly re-used previous CSR's without a problem.
0
regsamp (Author) commented:
But the new CSR can have the previous .local names because they are all the same. We can use the same CSR and we won't have to change the key or anything when we get our Cert?
0
becraig commented:
You will not be able to get a new cert with the .local names, as Alan indicated above if you want to re-use the csr continue the wizard and change the *.local names to match the other external url... e.g. mail.xxx.com


Once you have the new certificate, all you will have to do is run certutil -repairstore my <serialnumber>
0
Alan Hardisty (Co-Owner) commented:
You should be able to get a 1 year cert with .local names included, but any cert that expires after the 1st Nov 2015 won't be issued with .local names in it.

Alan
0
regsamp (Author) commented:
I am confused by what is the .local names. All I have listed under the CSR is Subject Alt Names - 0 of 5 domains remaining. I am not seeing anything local and we are not changing any names at all.
0
Alan Hardisty (Co-Owner) commented:
0 of 5 remaining says you have 5 names included in the certificate.

It should show you the Subject Alternate Names - make sure you explore the whole page in your browser or use a different browser as you may see something that's missing in a different one.

I use Chrome and they show up happily in there.
0
becraig commented:
If you have no *.local names then you can simply proceed to re-use your CSR and then do the certutil repairstore once you have the new certificate.
0
Alan Hardisty (Co-Owner) commented:
The .local names are usually servername.internaldomain.local (assuming your internal domain name ends with a .local suffix).
0
regsamp (Author) commented:
There are no .local names and the 5 names being used are the exact ones we want as they are the same from last time. What is this? "certutil repairstore once you have the new certificate."

And are you sure we can just check the use previous csr and then just change the key as I have talked to GoDaddy on the phone and they are insisting you cannot do this with Exchange 2010?
0
regsamp (Author) commented:
We don't have anything with a .local suffix
0
Simon Butler (Sembee), Consultant, commented:
To get a certificate request completed you are going to need a pending request.
If you don't have a pending request then you cannot complete the certificate when it arrives from the vendor.

If you already have a certificate with the relevant settings, just right click on it and choose Renew Certificate. That will generate a new Pending Request and CSR, with all of the same settings as the original certificate.

Although I do think you are making this more difficult than it needs to be. So you need a CSR? There is a wizard to step through, which you can ignore most of the steps to get to the point where you enter the URLs. Enter what you need (mail.example.com, Autodiscover.example.com), click next, enter the company information, job done.

Simon.
0
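Simon's point is that the certificate can only be completed against a pending request holding the private key, and that the CSR itself is just a list of names plus company details. The script below is an added example (not from the original thread, and not the GoDaddy or DigiCert procedure) showing the same flow from the Exchange Management Shell instead of the wizard: create the pending request and CSR with New-ExchangeCertificate, check the file the CA returns actually carries every requested name before importing it, confirm the private key was matched, then enable the services. The host names, file paths and organisation details are placeholders, and the -Force on the SMTP binding assumes you want the new certificate to replace the default SMTP certificate.

```powershell
# Added example, not from the original thread. Run in the Exchange Management
# Shell on the Exchange 2010 server that will hold the private key.
# Names, paths and DN details below are assumptions, not values from the thread.
$names   = 'mail.example.com', 'autodiscover.example.com'
$csrPath = 'C:\certs\exchange2010.req'
$crtPath = 'C:\certs\mail_example_com.crt'   # file the CA sends back (PEM or DER)

# --- Step 1: generate the request. The private key is created in the local
#     machine store as a pending request; the CSR text is what you give the CA.
#     SubjectName supplies the DN (CN must be one of the names), DomainName the SANs.
$csr = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 `
           -FriendlyName "Exchange 2010 public cert $(Get-Date -Format yyyy-MM-dd)" `
           -SubjectName "C=US, O=Example Corp, CN=$($names[0])" `
           -DomainName $names
Set-Content -Path $csrPath -Value $csr
"CSR written to $csrPath; pending request now in the store:"
Get-ExchangeCertificate | Where-Object { $_.Status -eq 'PendingRequest' } |
    Format-Table Thumbprint, CertificateDomains -AutoSize

# --- Step 2 (after the CA returns the file): read it with .NET and pull the
#     Subject Alternative Name extension (OID 2.5.29.17) so every DNS name is
#     visible before anything is imported into Exchange.
function Get-CertDnsNames {
    param([string]$Path)
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $san  = $x509.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dns  = @()
    if ($san) {
        # Format($true) renders one "DNS Name=host" line per SAN entry.
        $dns = [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
               ForEach-Object { $_.Groups[1].Value.ToLower() }
    }
    # The subject CN counts too, for a single-name certificate without a SAN.
    if ($x509.Subject -match 'CN=([^,]+)') { $dns += $Matches[1].ToLower() }
    $dns | Sort-Object -Unique
}

$issued  = Get-CertDnsNames $crtPath
$missing = $names | Where-Object { $issued -notcontains $_.ToLower() }
if ($missing) { throw "Certificate does not cover: $($missing -join ', '). Do not import it." }
"Certificate carries: $($issued -join ', ')"

# --- Step 3: import. The file is matched to the pending request by public key.
#     If the pending request was deleted, the import still succeeds but the
#     certificate has no private key; certutil -repairstore re-links it.
$bytes = [System.IO.File]::ReadAllBytes($crtPath)
$cert  = Import-ExchangeCertificate -FileData $bytes

$check = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
if (-not $check.HasPrivateKey) {
    throw "Imported $($cert.Thumbprint) has no private key; run: certutil -repairstore my $($cert.Thumbprint)"
}

# --- Step 4: bind. IIS covers OWA, ECP, EWS, OAB, ActiveSync and Autodiscover;
#     SMTP adds TLS on the connectors (without -Force it prompts before replacing
#     the default SMTP certificate). Add POP/IMAP only if those services are used.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Force
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Services, CertificateDomains, NotAfter, HasPrivateKey
```

Steps 1 and 2 are deliberately separated by the CA round trip: run the first part, submit the contents of the .req file, then run from Step 2 once the certificate file is on disk. The SAN check before import is the cheap way to catch the case this thread is about, a certificate that came back without one of the names the configuration depends on.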
regsamp (Author) commented:
I just need a CSR and I am just trying to keep the ending certificate result as close to what we have now. I am getting conflicting news that we have to create a new CSR request from GoDaddy and others saying I can just use the previous CSR, change the key and we should be good to go. I am probably making this more difficult than it is. We have not done it for three years so it is something you just forget.
0
becraig commented:
Ok so before you get confused any further, here are good instructions to create a renewal.

Just upload the CSR that you generate to Go-Daddy and complete:
https://www.digicert.com/ssl-certificate-renewal-exchange-2010.htm
0
regsamp (Author) commented:
Okay, thank you. Let me take a look at this.
0