Solved

certificate for exchange 2010

Posted on 2014-10-16
Last Modified: 2014-10-20
Hi,

we have created a certificate request for an Exchange 2010 server and I have started the certificate issuing procedure at GoDaddy.
The server is authoritative for 5 different domains, and for all 5 domains there is an autodiscover SAN record.
During verification they noticed that one of the domains is currently not registered anymore, so it cannot be listed on the certificate. I wanted to recreate the request on the Exchange server without the autodiscover record for that domain and start the procedure again. But at GoDaddy they assured me that it is enough if I simply remove the SAN name from the request at their console (which I also did).
Will I have problems completing the pending certificate request on the Exchange server with the certificate modified this way?
Is it possible to import and use a certificate on an Exchange server without creating the request first? (Let's say in case a customer already has a wildcard certificate.)

Thank you very much!
Question by:davorin
 
LVL 27

Expert Comment

by:☠MAS☠
ID: 40384932
You can import a certificate which has SANs which are not owned by you.

If you want to recreate the certificate, please use this to generate the CSR easily
http://gallery.technet.microsoft.com/Exchange-20072010-and-2013-17a0b52f
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 40385506
Removing a name from the certificate shouldn't cause a problem.
If it does, then just create a new CSR using the wizard in Exchange 2010, then do a rekey in the GoDaddy SSL control panel. They do not charge for that and the old certificate will work for 24 hours after the rekey to give you time to change them over.

If the domain is no longer registered then I would remove it from the list of domains in Exchange.

Simon.
0
 
LVL 27

Author Comment

by:davorin
ID: 40386247
The new certificate was accepted by the Exchange server with no problem and I have assigned the IMAP, POP, IIS and SMTP services to it.

I have removed the old expired certificate, but another three self-signed certificates are listed:
- (no name) assigned to IMAP, POP, SMTP
- Microsoft Exchange assigned to SMTP
- SCVMM_CERTIFICATE_KEY_CONTAINERserver.domain.local not assigned to any service ????? (Outlook installed on the Exchange server is crying that this cert is not trusted)

Can all these self-signed certificates be safely removed?

What is a System Center Virtual Machine Manager cert doing on an Exchange server?

This is the first time I have seen this server. It looks like Hyper-V is installed on this server with two virtual machines, and for sure this server needs a little cleanup. I will remove the domain if they don't intend to register it again.

If I understand correctly, with rekeying you can also change SAN entries?
Is it possible to import and use a certificate on an Exchange server without creating the request first? (Let's say in case a customer already has a wildcard certificate.)

Sorry for bothering you with additional questions.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
ID: 40386309
If there is already a certificate in existence, then as long as you export it with the private key then you can import it on to any other machine. Remember to check if the certificate also needs intermediate or root certificates installed on the server as well.

As for the self signed certificates, leave the one for Microsoft Exchange assigned to SMTP.
As you can no longer get internal name certificates from trusted providers, you need that one for Exchange to operate correctly.
When (or if it already has) expired, then just run new-exchangecertificate with no switches on the server and Exchange will generate a new one. You will be prompted to replace the default SMTP certificate. Say yes to that. You can then remove the old one.

Outlook shouldn't be installed on the Exchange server, so I would remove it. I cannot answer any questions about the SCVMM certificates - you may have to ask that question in the appropriate zone.

Simon.
0
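The import path described in the answer above (an existing certificate, such as a wildcard, exported with its private key), written out as an added example that is not part of the original thread. It assumes the Exchange Management Shell is run locally on the Exchange 2010 server; the PFX path is a placeholder.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell
# on the Exchange 2010 server itself.
$pfxPath = 'C:\certs\existing-cert.pfx'   # placeholder path (assumption)

# 1. Import the PFX. It must have been exported WITH the private key.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$bytes = [byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -FileData $bytes -Password $pfxPassword

# 2. Re-read the certificate from the local machine store so that we work
#    with a real X509Certificate2 object rather than a remoting copy.
$local = Get-Item -Path ("Cert:\LocalMachine\My\" + $imported.Thumbprint)

# 3. Without the private key the server cannot use the certificate for TLS.
if (-not $local.HasPrivateKey) {
    throw "Certificate $($local.Thumbprint) was imported without a private key."
}

# 4. Check that the chain builds from the server's own stores. A failure here
#    usually means the CA's intermediate or root certificate is not installed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # completeness test only
if (-not $chain.Build($local)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
    throw 'Chain does not build; install the intermediate/root certificates first.'
}

# 5. Review the names on the certificate before putting it into service.
$imported | Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# 6. Assign the same services the asker used for the GoDaddy certificate.
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services 'IIS,SMTP,POP,IMAP'

# 7. Inventory the self-signed certificates and what they are bound to.
#    Per the answer above, the "Microsoft Exchange" one on SMTP stays.
Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned } |
    Format-Table Thumbprint, Subject, Services, NotAfter -AutoSize
```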
 
LVL 27

Author Closing Comment

by:davorin
ID: 40392557
Thank you very much, Simon.
As always, your answers are very helpful.
0
