Generating a Certificate Signing Request (CSR) - Exchange Server 2010

We are trying to generate a Certificate Signing Request for an Exchange Server 2010. We are not changing any settings and we are trying to keep everything the same but the company that will issue the Certificate stated that you cannot use the same CSR information because it is Microsoft.  

We are not sure of the services and settings configuration. Is there any way to look up or retrieve the current configuration on the existing server so we can get everything right?
Asked by: regsamp

3 Solutions

Alan Hardisty (Co-Owner) commented:
You can use the existing CSR happily - as long as it doesn't contain any .local domain names in it.

If there are - remove them and get the certificate.

Once downloaded, you will have to install it, fix the Private Key, then enable it.

Who is the certificate company?

Alan

regsamp (Author) commented:
It is GoDaddy.com and they are saying that we cannot use the existing CSR even though they have an option for it when requesting the CSR on their site. It just looks like unicode when I look at it. Where are the local domain names?

regsamp (Author) commented:
[Attachment: untitled.JPG]

becraig commented:
Since there is absolutely nothing that will break you by creating a new CSR I would say just go ahead and generate a new one.

Steps to generate a new CSR:
Here are the GoDaddy step-by-step instructions:
https://support.godaddy.com/help/article/6086/generating-a-certificate-signing-request-csr-exchange-server-2010

Here are the DigiCert instructions:
https://www.digicert.com/csr-creation-microsoft-exchange-2010.htm

regsamp (Author) commented:
I was under the impression that if we don't list the right services then we can have issues with people who use their smart phones to get email or the web access site? Is this not true?

becraig commented:
No issues with any services.
Once you assign the certificate correctly that is all that you need.

The concept is the certificate will be installed in the local certificate store on the server in question and you will assign it to the required services.

regsamp (Author) commented:
But how do we validate the local domain names and what services are existing on the current certificate so we can match it up? We have not done this in years and we want to make sure we do it right. We have not changed anything so if we can just match the information we should be okay.

becraig commented:
Ok so if you need to know what the current internal configs are, simply run the below commands:

Get-ActiveSyncVirtualDirectory   | ft server,*lur* -AutoSize
Get-AutodiscoverVirtualDirectory | ft server,*lur* -AutoSize
Get-ClientAccessServer           | ft name,  *lur* -AutoSize
Get-EcpVirtualDirectory          | ft server,*lur* -AutoSize
Get-OabVirtualDirectory          | ft server,*lur* -AutoSize
Get-OwaVirtualDirectory          | ft server,*lur* -AutoSize
Get-WebServicesVirtualDirectory  | ft server,*lur* -AutoSize

These will give you the internal and external URLs. You will then have to update any internal ".local" values to match the .com values and also create an internal DNS record to point a .com record to your internal server IP address.

https://exchangemaster.wordpress.com/tag/split-dns/


Also a previously answered question to help you if any actual changes are needed.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28410114.html
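The commands above print one table per virtual directory; the script below (an added example, not posted by anyone in this thread) gathers the same InternalUrl/ExternalUrl values into one list of host names, flags .local or single-label names that a public CA will not issue, and compares the list with the Subject Alternative Names on the certificate currently bound to IIS via Get-ExchangeCertificate. It assumes it is run in the Exchange Management Shell on the Exchange 2010 server; no other names or paths are assumed.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell on the
# Exchange 2010 server. Lists every host name Exchange hands to clients, flags
# names that cannot go on a public certificate, and compares against the names on
# the certificate currently bound to IIS (the one the new CSR will replace).

# Collect every client-facing URL/URI (same cmdlets as the ft commands above).
$urls = @()
$urls += Get-ActiveSyncVirtualDirectory   | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-AutodiscoverVirtualDirectory | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-ClientAccessServer           | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$urls += Get-EcpVirtualDirectory          | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-OabVirtualDirectory          | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-OwaVirtualDirectory          | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }
$urls += Get-WebServicesVirtualDirectory  | ForEach-Object { $_.InternalUrl, $_.ExternalUrl }

# Distinct host names; unset (null) URLs are skipped.
$hosts = $urls | Where-Object { $_ } |
         ForEach-Object { ([Uri]$_).Host.ToLower() } |
         Sort-Object -Unique

Write-Host "Host names Exchange advertises to clients:"
$hosts | ForEach-Object { Write-Host "  $_" }

# Names a public CA will not put on a certificate: .local suffixes and bare
# server names (no dot). These must be changed to a public FQDN first.
$internalOnly = $hosts | Where-Object { $_ -like '*.local' -or $_ -notmatch '\.' }
if ($internalOnly) {
    Write-Warning "Change these to a public FQDN before requesting the certificate:"
    $internalOnly | ForEach-Object { Write-Warning "  $_" }
}

# Compare with the Subject Alternative Names of the certificate bound to IIS.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if ($cert) {
    $sans = $cert.CertificateDomains | ForEach-Object { "$_".ToLower() }
    Write-Host "`nCertificate $($cert.Thumbprint) covers: $($sans -join ', ')"
    $missing = $hosts | Where-Object { $sans -notcontains $_ }
    if ($missing) {
        Write-Warning "Advertised but NOT on the current certificate: $($missing -join ', ')"
    } else {
        Write-Host "Every advertised host name is covered by the current certificate."
    }
}
```

Any name reported as missing is one clients are already being sent to without a matching certificate name, so it belongs in the new CSR regardless of what the old one contained.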

Alan Hardisty (Co-Owner) commented:
What you are seeing in the CSR request is encrypted.  Click next and it will show you the names included in the old CSR.

Edit those to remove any .local names and request the certificate.

You can change the config of Exchange to get it to look to the public (external) FQDN not the internal FQDN by running the following commands in the Exchange Management Shell:

Set-AutodiscoverVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-ClientAccessServer -Identity * -AutodiscoverServiceInternalUri "https://mail.domain.com/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/oab"
Set-OwaVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/owa"
Set-EcpVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/ecp"
Set-ActiveSyncVirtualDirectory -Identity * -InternalUrl "https://mail.domain.com/Microsoft-Server-ActiveSync"

Just change mail.domain.com to an FQDN included in your SSL certificate.

Alan

regsamp (Author) commented:
"What you are seeing in the CSR request is encrypted.  Click next and it will show you the names included in old CSR."   When I do this it does not show the names included in the CSR.

becraig commented:
Again let me reiterate, creating a NEW CSR has ABSOLUTELY NO IMPACT on anything.

You can get the current URLs from the actual certificate itself by looking at the Subject / Subject Alternative Names and simply follow the GoDaddy instructions.
Or you can alternatively use the commands I gave you above to get the external URL values to be included in the new CSR.

regsamp (Author) commented:
"You can get the current urls from the actual certificate itself by looking at the subject / Subject alternative names and simply follow the go-daddy instructions."  But where is this?  I am also using the commands to try and see.

regsamp (Author) commented:
I got them but I still don't know how to tell which services are running in connection and, if they are, with which URL. For example POP/IMAP, UMS, Hub Transport, Legacy, etc.

Alan Hardisty (Co-Owner) commented:
On the screen after the CSR encrypted info you should see the Subject Alternative Names.

Those are the names included in the existing CSR.

regsamp (Author) commented:
And if we want to keep them, can't we just leave them there as we want to use the same?  GoDaddy is also saying we cannot use the previous CSR even though they have that option.

Alan Hardisty (Co-Owner) commented:
If the previous CSR contains .local names then you can use the CSR and then remove the .local names.

I regularly buy certs from GoDaddy for customers and have regularly re-used previous CSRs without a problem.

regsamp (Author) commented:
But the new CSR can have the previous .local names because they are all the same. We can use the same CSR and we won't have to change the key or anything when we get our Cert?

becraig commented:
You will not be able to get a new cert with the .local names. As Alan indicated above, if you want to re-use the CSR, continue the wizard and change the *.local names to match the other external URL, e.g. mail.xxx.com

Once you have the new certificate, all you will have to do is run a certutil -repairstore my <serialnumber>
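The three steps Alan and becraig describe (install the certificate, repair the private key binding, enable it for services) as one script. This is an added example, not posted in the thread; the file path is a placeholder, the serial number is read from the imported certificate rather than typed, and the Services list is an assumption you should match to the Services column your old certificate shows in Get-ExchangeCertificate.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell after
# downloading the issued certificate from the CA. Path below is a placeholder.
$certFile = 'C:\certs\mail_example_com.crt'

# 1. Complete the pending request. This works only if the pending request that
#    produced the CSR (and therefore the private key) still exists on this server.
$cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $certFile -Encoding Byte -ReadCount 0))

# 2. When a CA issues against a re-used CSR the private key may not be linked to
#    the new certificate. certutil re-links it via the serial number in the
#    Local Machine "my" store; skipped when the key is already attached.
if (-not $cert.HasPrivateKey) {
    certutil -repairstore my $cert.SerialNumber
    $cert = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
}
if (-not $cert.HasPrivateKey) {
    throw "Private key still missing for $($cert.Thumbprint); do not enable this certificate."
}

# 3. Bind it to services. IIS covers OWA/ECP/EWS/ActiveSync/Autodiscover/OAB;
#    add POP/IMAP/SMTP only if the old certificate carried them (assumed here).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP

# 4. Verify: the new thumbprint should show a private key, the services, the
#    covered names and the new expiry; the old cert should now show none.
Get-ExchangeCertificate | Format-Table Thumbprint, HasPrivateKey, Services, NotAfter,
    @{ n = 'Domains'; e = { $_.CertificateDomains -join ',' } } -AutoSize
```

Enabling SMTP prompts before replacing the default SMTP certificate; answer only after confirming the domains listed in step 4 include the names your send and receive connectors use.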

Alan Hardisty (Co-Owner) commented:
You should be able to get a 1 year cert with .local names included, but any cert that expires after the 1st Nov 2015 won't be issued with .local names in it.

Alan

regsamp (Author) commented:
I am confused by what is the .local names. All I have listed under the CSR is Subject Alt Names - 0 of 5 domains remaining. I am not seeing anything local and we are not changing any names at all.

Alan Hardisty (Co-Owner) commented:
0 of 5 remaining says you have 5 names included in the certificate.

It should show you the Subject Alternate Names - make sure you explore the whole page in your browser or use a different browser as you may see something that's missing in a different one.

I use Chrome and they show up happily in there.

becraig commented:
If you have no *.local names then you can simply proceed to re-use your CSR and then do the certutil -repairstore once you have the new certificate.

Alan Hardisty (Co-Owner) commented:
The .local names are usually servername.internaldomain.local (assuming your internal domain name ends with a .local suffix).

regsamp (Author) commented:
There are no .local names and the 5 names being used are the exact ones we want as they are the same from last time. What is this? "certutil repairstore once you have the new certificate."

And are you sure we can just check the use previous csr and then just change the key as I have talked to GoDaddy on the phone and they are insisting you cannot do this with Exchange 2010?

regsamp (Author) commented:
We don't have anything with a .local suffix.

Simon Butler (Sembee), Consultant, commented:
To get a certificate request completed you are going to need a pending request.
If you don't have a pending request then you cannot complete the certificate when it arrives from the vendor.

If you already have a certificate with the relevant settings, just right click on it and choose Renew Certificate. That will generate a new Pending Request and CSR, with all of the same settings as the original certificate.

Although I do think you are making this more difficult than it needs to be. So you need a CSR? There is a wizard to step through, and you can ignore most of the steps to get to the point where you enter the URLs. Enter what you need (mail.example.com, Autodiscover.example.com), click next, enter the company information, job done.

Simon.

regsamp (Author) commented:
I just need a CSR and I am just trying to keep the ending certificate result as close to what we have now. I am getting conflicting news that we have to create a new CSR request from GoDaddy and others saying I can just use the previous CSR, change the key and we should be good to go. I am probably making this more difficult than it is. We have not done it for three years so it is something you just forget.

becraig commented:
Ok so before you get confused any further, here are good instructions to create a renewal.

Just upload the CSR that you generate to GoDaddy and complete:
https://www.digicert.com/ssl-certificate-renewal-exchange-2010.htm

regsamp (Author) commented:
Okay, thank you. Let me take a look at this.