certificate for exchange 2010

Hi,

we have created a certificate request for exchange 2010 server and I have started certificate issuing procedure on Godaddy.
The server is authoritative for 5 different domains and for all 5 domains there is an autodiscover SAN record.
At verification they have noticed, that one of the domains currently is not registered anymore, so it cannot be listed on the certificate. I wanted to recreate the request on the exchange server without autodiscover record for that domain and start the procedure again. But at Godaddy they insured me, that it is enough if I simply remove SAN name from the request at their console (What I also did).
Will I have problems to complete pending certificate request at Exchange server with so modified certificate?
Is it possible to import and use certificate on exchange server without creating the request first? (Let say in case a customer already has a wildcard certificate).

Thank you very much!
LVL 27
davorinAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

MAS (MVE)EE Solution Guide - Technical Dept HeadCommented:
You can import certificate which has SANs which is not owned by you.

If you want to recreate the certificate please use this to generate CSR easily
http://gallery.technet.microsoft.com/Exchange-20072010-and-2013-17a0b52f
0
Simon Butler (Sembee)ConsultantCommented:
Removing a name from the certificate shouldn't cause a problem.
If it does, then just create a new CSR using the wizard in Exchange 2010, then do a rekey in the GoDaddy SSL control panel. They do not charge for that and the old certificate will work for 24 hours after the rekey to give you time to change them over.

If the domain is no longer registered then I would remove it from the list of domains in Exchange.

Simon.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
davorinAuthor Commented:
New certificate was accepted by Exchange server with no problem and I have assigned to it IMAP, POP, IIS and SMTP services.

I have removed old expired certificate, but there are listed another three self signed certificates:
- (no name) assigned to IMAP, POP, SMTP
- Microsoft Exchange assigned to SMTP
- SCVMM_CERTIFICATE_KEY_CONTAINERserver.domain.local not assigned to any service ????? (Outlook installed on Exchange server is crying that this cert. is not trusted)

Can all these self signed certificates be safely removed?

What is doing system center virtual machine manager cert on exchange server?

It is first time I see this server. It looks that on this server is installed hyper-v with two vitrual machines and for sure this server needs a little cleanup. I will remove the domain, if they don't intend to register it again.

If I understand correctly, with rekeying you can also change SAN entries?
Is it possible to import and use certificate on exchange server without creating the request first? (Let say in case a customer already has a wildcard certificate).

Sorry for bothering you with additional questions.
0
Simon Butler (Sembee)ConsultantCommented:
If there is already a certificate in existence, then as long as you export it with the private key then you can import it on to any other machine. Remember to check if the certificate also needs intermediate or root certificates installed on the server as well.

As for the self signed certificates, leave the one for Microsoft Exchange assigned to SMTP.
As you can no longer get internal name certificates from trusted providers, you need that one for Exchange to operate correctly.
When (or if it already has) expired, then just run new-exchangecertificate, with no switches on the server and Exchange will generate a new one. You will prompted to replace the default SMTP certificate. Say yes to that. You can then remove the old one.

Outlook shouldn't be installed on the Exchange server, so I would remove it. I cannot answer any questions about the SCVMM certificates - you may have to ask that question in the appropriate zone.

Simon.
0
davorinAuthor Commented:
Thank you very much, Simon.
As always, your answers are very helpful.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.