UC SSL cert renewal on Exchange 2007


Exchange UC SSL cert is up for renewal soon and I could do with some help please! I'm a tad thick!

A while ago, I changed our primary email domain to mail.newdomain.org and accept emails for all mailboxes on both old and new email domains; the secondary email domain is mail.old-domain.org. The local domain name is unchanged.

There is a (Sembee article) redirect on requests to https://mail.old-domain.org and https://mail.NewDomain.org that adds the /OWA to the URL and sends users to the https://mail.old-domain.org/owa website to enter their credentials after using localdomainname\username in Basic Auth. Local email users use Windows Auth.

Current UC SSL cert looks like this:


Obviously, users have been getting certificate errors when using the URL https://mail.newdomain.org, which isn't ideal, hence the need for this change.

After reading (Sembee article) it appears I no longer need some names specified in the certificate, the server internal FQDN (exchange7.localdomain.local) and the local server name (exchange7). I also want people to just connect using mail.newdomain.org so no longer require the mail.old-domain.org. My new cert would look like this:


Sorry for the long-winded drivel, but hoped to include as much as possible for your consideration!

So my questions are:

1) Do I need to renew or create a new GoDaddy cert? (Starfield)

2) What is the best way to accomplish the above?

3) Any improvements you could suggest to make the user email experience better? :)

I'd appreciate any help, and as mentioned, I'm a tad thick so would appreciate simple answers :)

All the best
Simon Butler (Sembee), Consultant, commented:
You will be unable to include "localdomain.local" in the certificate.
All certificates that expire after November 2015 cannot include internal only host names. Therefore you are looking at using external host names only.
That also means configuring Exchange with the external host names, and a split DNS. See another of my articles here:

As you have an established former name, then I would include that in the SSL certificate as one of the additional names. That will ensure that anyone with the old name can get access.
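Before raising a CSR it is worth checking the planned name list against the two points Simon makes: nothing internal-only (the .local FQDN or the bare server name), and every name clients actually connect to present as a SAN. The function below is an added example, not code from the thread or from Sembee's articles. The hostnames are the ones the thread describes; the "internal name" test is a heuristic (single-label names and a short list of non-public TLDs), not the CA's exact policy, and autodiscover.newdomain.org is an assumed requirement, since Simon says Autodiscover needs something and the new primary domain is not covered by autodiscover.old-domain.org.

```powershell
# Added example: sanity-check a planned certificate name list before generating the CSR.
# Runs in any Windows PowerShell; it does not need the Exchange Management Shell.

function Test-CertificateNamePlan {
    param(
        [Parameter(Mandatory=$true)] [string[]] $PlannedNames,   # CN first, then the SANs
        [Parameter(Mandatory=$true)] [string[]] $RequiredHosts   # every host users and clients connect to
    )

    # TLDs that cannot be publicly registered; a public CA will not certify names under them
    $internalTlds = 'local', 'lan', 'internal', 'localdomain'

    $problems = @()
    foreach ($name in $PlannedNames) {
        $n = $name.Trim().ToLowerInvariant()
        if ($n -notmatch '\.') {
            $problems += "'$name' is a single-label (NetBIOS-style) name; drop it from the certificate"
            continue
        }
        $tld = $n.Split('.')[-1]
        if ($internalTlds -contains $tld) {
            $problems += "'$name' uses the non-public TLD .$tld; drop it and use split DNS for the external name"
        }
    }

    # Every name clients hit must match a SAN exactly (this check assumes no wildcard names)
    $planned = $PlannedNames | ForEach-Object { $_.Trim().ToLowerInvariant() }
    foreach ($required in $RequiredHosts) {
        if ($planned -notcontains $required.Trim().ToLowerInvariant()) {
            $problems += "'$required' is used by clients but is missing from the certificate"
        }
    }

    New-Object PSObject -Property @{
        Passed   = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Names as the thread describes the current certificate (the screenshot itself is not in the text)
$currentNames = 'mail.old-domain.org', 'mail.newdomain.org', 'autodiscover.old-domain.org',
                'exchange7.localdomain.local', 'exchange7'

# Names clients connect to after the move: the new name, the established old name,
# and (assumption) an Autodiscover record for the new primary domain
$requiredHosts = 'mail.newdomain.org', 'mail.old-domain.org', 'autodiscover.newdomain.org'

Test-CertificateNamePlan -PlannedNames $currentNames -RequiredHosts $requiredHosts
```

Run against the current names it reports the two internal entries (exchange7.localdomain.local and exchange7) and the missing autodiscover.newdomain.org; feeding it the planned replacement list instead shows whether the new CSR covers everything before the validation round-trip with the CA starts.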

leegclystvale (Author) commented:
Thanks Simon.  A few more questions:

According to GoDaddy, I can change the common name on a standard SSL prior to first renewal.

1) So can I change the Common Name on the existing GoDaddy certificate from mail.old-domain.org to mail.NewDomain.org ....and just keep the old CN as a Subject Alternative Name?

2) Can I drop the autodiscover.old-domain.org, as not everyone uses full Outlook on the domain? And iPhone users can populate settings manually for the time being until renewal.

By amending the existing cert, it would enable me to:
a) include the new domain name and also keep all the settings as they are until renewal (4th March 2015)
b) Give me some time to plan the downtime for split DNS and new names.

So amended UCC would be:

CN= mail.newdomain.org

3) I assume dropping a SAN name would mean I would have to complete a CSR and go through the validation again and then re-install the amended certificate?

4) Would I do the same upon renewal in March, dropping the local names on the UCC?

I could do with breaking Exchange and playing with it, but I'm reluctant to do it on the production server :)
Apologies for the questions, but I am struggling to get to grips with all the documentation and the differences in the certs!
Simon Butler (Sembee), Consultant, commented:
"Can I drop the autodiscover.old-domain.org, as not everyone uses full Outlook on the domain? And iPhone users can populate settings manually for the time being until renewal"

If you have any users with the domain as their primary domain, then you need to have something for Autodiscover.
Personally I would drop the internal names from the certificate now. Make the move to the external names only. That would allow you to have both variants of names in the certificate for maximum protection. If you make the changes to Exchange first, wait a while for Autodiscover to update the clients, then change the certificate you should have no disruption to the end users.
It would also make the renewal much easier as you would be renewing the same thing.

leegclystvale (Author) commented:
Cheers Simon.

"If you have any users with the domain as their primary domain, then you need to have something for Autodiscover. "  - We don't, but your point makes sense just in case!

From the GoDaddy site: "For Exchange or IIS servers, you must generate a new CSR, and then use it to re-key your UCC certificate (more info). Finally, install the certificate as if it were new."

Amending my certificate CN and SANs will mean I have to regenerate a CSR and then install the amended cert as I would a new certificate, from the above.
I assume that as I am not changing anything other than the CN and SANs, the existing cert won't need revoking and it's just a case of following a new cert installation?

Any help appreciated, and thanks for your help so far.
Simon Butler (Sembee), Consultant, commented:
If you do a rekey, then the old certificate is revoked after 24 or maybe 48 hours (cannot remember exactly which). As long as you have the names correct though, the clients shouldn't be affected.
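The sequence the thread converges on (move Exchange to the external name first, let Autodiscover refresh the clients, then generate the CSR, re-key and install the certificate as if new) translates into a handful of Exchange 2007 Management Shell commands. The block below is an added example, not commands posted in the thread or taken from Sembee's articles. The server name EXCHANGE7 and the two mail hostnames come from the thread; autodiscover.newdomain.org, the C:\certs path, the 2048-bit key size and the country and organisation fields in the subject are assumptions for illustration, and split DNS must already resolve mail.newdomain.org to the Client Access Server internally for step 1 to work.

```powershell
# Added example: Exchange 2007 Management Shell steps for the external-name move and UCC re-key.
# EXCHANGE7 and the mail.* names are from the thread; everything else is an assumption.

$server   = 'EXCHANGE7'
$extName  = 'mail.newdomain.org'
# CN first, then every name clients use: new primary name, Autodiscover for the new
# primary domain (assumed), and the established old name Simon recommends keeping.
$sanNames = 'mail.newdomain.org', 'autodiscover.newdomain.org', 'mail.old-domain.org'

# 1. Point the internal URLs at the external name so internal and external clients use
#    the same hostname. Outlook learns these through Autodiscover, so allow time for
#    clients to refresh before the certificate changes.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$extName/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$extName/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$extName/OAB"

# 2. Generate the CSR for the re-key. No internal FQDN or NetBIOS name appears; an
#    exportable private key allows the certificate to be backed up or reused elsewhere.
New-ExchangeCertificate -GenerateRequest -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "c=GB, o=Example Org, cn=$extName" `
    -DomainName $sanNames `
    -Path "C:\certs\$extName.req"

# 3. Once the CA returns the re-keyed certificate, import it and bind the services to it.
#    Enable-ExchangeCertificate moves the IIS and SMTP bindings to the new thumbprint;
#    the old certificate stays installed until the CA revokes it after the re-key.
$newCert = Import-ExchangeCertificate -Path "C:\certs\$extName.cer"
Enable-ExchangeCertificate -Thumbprint $newCert.Thumbprint -Services IIS,SMTP,POP,IMAP

# 4. Confirm which certificate carries the bindings and which names it contains
#    before removing the superseded one with Remove-ExchangeCertificate.
Get-ExchangeCertificate | Format-List Thumbprint, Services, CertificateDomains, NotAfter
```

Because the re-keyed certificate carries both the old and the new names, the 24 to 48 hour revocation window Simon mentions only matters if a client is still being handed the old certificate; step 4 is the place to confirm that is not the case.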

leegclystvale (Author) commented:
Excellent, many thanks Simon. Great articles on the website, btw.
Question has a verified solution.