Solved

UC SSL cert renewal on Exchange 2007

Posted on 2014-11-24
187 Views
Last Modified: 2014-11-25
Hello,

Exchange UC SSL cert is up for renewal soon and I could do with some help please! I'm a tad thick!

A while ago, I changed our primary email domain to mail.newdomain.org and we accept emails for all mailboxes on both old and new email domains; the secondary email domain is mail.old-domain.org. The local domain name is unchanged.

There is a (Sembee article) redirect on requests to https://mail.old-domain.org and https://mail.NewDomain.org that adds the /owa to the URL and sends users to the https://mail.old-domain.org/owa website to enter their credentials after using localdomainname\username in Basic Auth. Local email users use Windows Auth.

Current UC SSL cert looks like this:

mail.old-domain.org
autodiscover.old-domain.org
localdomain.local
exchange7
exchange7.localdomain.local

Obviously, users have been getting certificate errors when using the URL https://mail.newdomain.org, which isn't ideal, hence the need for this change.

After reading (Sembee article) it appears I no longer need some names specified in the certificate, the server internal FQDN (exchange7.localdomain.local) and the local server name (exchange7). I also want people to just connect using mail.newdomain.org so no longer require the mail.old-domain.org. My new cert would look like this:

mail.NewDomain.org
autodiscover.NewDomain.org
localdomain.local

Sorry for the long-winded drivel, but hoped to include as much as possible for your consideration!

So my questions are:

1) Do I need to renew or create a new GoDaddy cert? (Starfield)

2) What is the best way to accomplish the above?

3) Any improvements you could suggest to make the user email experience better? :)

I'd appreciate any help, and as mentioned, I'm a tad thick so would appreciate simple answers :)

All the best
0
Question by:leegclystvale
6 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 40463275
You will be unable to include "localdomain.local" in the certificate.
All certificates that expire after November 2015 cannot include internal only host names. Therefore you are looking at using external host names only.
That also means configuring Exchange with the external host names, and a split DNS. See another of my articles here:
http://semb.ee/hostnames2007

As you have an established former name, then I would include that in the SSL certificate as one of the additional names. That will ensure that anyone with the old name can get access.

Simon.
0
 
LVL 13

Author Comment

by:leegclystvale
ID: 40464359
Thanks Simon.  A few more questions:

According to GoDaddy, I can change the common name on a standard SSL prior to first renewal.

1) So can I change the Common Name on the existing GoDaddy certificate from mail.old-domain.org to mail.NewDomain.org, and just keep the old CN as a Subject Alternative Name?

2) Can I drop the autodiscover.old-domain.org as not everyone uses full Outlook on the domain? iPhone users can populate settings manually for the time being until renewal.

By amending the existing cert, it would enable me to:
a) include the new domain name and also keep all the settings as they are until renewal (4th March 2015)
b) Give me some time to plan the downtime for split DNS and new names.

So amended UCC would be:

CN= mail.newdomain.org
SANs
autodiscover.newdomain.org
localdomain.local
exchange7
exchange7.localdomain.local

3) I assume dropping a SAN name would mean I would have to complete a CSR and go through the validation again and then re-install the amended certificate?

4) Would I do the same upon renewal in March, dropping the local names on the UCC?

I could do with breaking exchange and playing with it but reluctant to do it on the production server :)
Apologies for the questions but I am struggling to get to grips with all the documentation and the differences in the certs!
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
ID: 40464395
"Can i drop the autodiscover.old-domain.org as not everyone uses full outlook on the domain? and iphone users can populate settings manually for the time being until renewal"

If you have any users with the domain as their primary domain, then you need to have something for Autodiscover.
Personally I would drop the internal names from the certificate now. Make the move to the external names only. That would allow you to have both variants of names in the certificate for maximum protection. If you make the changes to Exchange first, wait a while for Autodiscover to update the clients, then change the certificate you should have no disruption to the end users.
It would also make the renewal much easier as you would be renewing the same thing.

Simon.
0
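The order Simon describes (move Exchange to the external names first, let Autodiscover push the new URLs, then re-key the certificate without internal names) as an added Exchange 2007 Management Shell example, not code from the thread or from Sembee's articles. Host names are the thread's; the server name "exchange7", the C:\certs paths, the organisation/country in the subject and the "Default Web Site" identities are assumptions to adjust.

```powershell
# Added example: Exchange 2007 EMS steps for an external-names-only setup.
# Assumes split DNS already resolves mail.newdomain.org and
# autodiscover.newdomain.org to the CAS from inside the LAN.
$server  = "exchange7"            # assumed CAS name from the thread
$extHost = "mail.newdomain.org"

# 1. Point the internal URLs at the external name (done before the cert change,
#    so Outlook clients pick the new URLs up via Autodiscover while the old
#    certificate still covers the old names).
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://autodiscover.newdomain.org/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$extHost/EWS/Exchange.asmx" -ExternalUrl "https://$extHost/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$extHost/OAB" -ExternalUrl "https://$extHost/OAB"
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "https://$extHost/owa" -ExternalUrl "https://$extHost/owa"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$extHost/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$extHost/Microsoft-Server-ActiveSync"

# 2. Once clients have updated, generate the CSR for the re-key: new CN, the
#    established old names kept as SANs, and no internal names at all
#    (exchange7 / localdomain.local cannot be issued any more).
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=GB,O=Example Org,CN=$extHost" `
    -DomainName $extHost,"autodiscover.newdomain.org","mail.old-domain.org","autodiscover.old-domain.org" `
    -KeySize 2048 -PrivateKeyExportable $true `
    -Path "C:\certs\mail.newdomain.org.req"

# 3. Submit the .req to the CA, then import the issued certificate and bind it
#    to the services the old certificate was serving.
$cert = Import-ExchangeCertificate -Path "C:\certs\mail.newdomain.org.cer"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP,POP,IMAP

# 4. Check: the certificate bound to IIS must list every name clients will use,
#    and its expiry should be well beyond the old one's 4 March 2015 date.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Thumbprint,Subject,CertificateDomains,NotAfter,Services
```

Because the re-key revokes the old certificate, run step 4 only after the new one is enabled, and keep the old thumbprint handy until clients have been seen connecting cleanly.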
 
LVL 13

Author Comment

by:leegclystvale
ID: 40464909
Cheers Simon.

"If you have any users with the domain as their primary domain, then you need to have something for Autodiscover. "  - We don't, but your point makes sense just in case!

from godaddy site "For Exchange or IIS servers, you must generate a new CSR, and then use it to re-key your UCC certificate (more info). Finally, install the certificate as if it were new."

Amending my certificate CN and SANs will mean I have to regenerate a CSR and then install the amended cert as I would a new certificate, from the above.

I assume that as I am not changing anything other than the CN and SANs, the existing cert won't need revoking and it's just a case of following a new cert installation?

Any help appreciated and thanks for your help so far
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40465611
If you do a rekey, then the old certificate is revoked after 24 or maybe 48 hours (cannot remember exactly which). As long as you have the names correct though, the clients shouldn't be affected.

Simon.
0
 
LVL 13

Author Closing Comment

by:leegclystvale
ID: 40465622
Excellent, many thanks Simon. Great articles on website btw
0
