UC SSL cert renewal on Exchange 2007

Posted on 2014-11-24
Last Modified: 2014-11-25
Hello,

Exchange UC SSL cert is up for renewal soon and I could do with some help please! I'm a tad thick!

A while ago, I changed our primary email domain to mail.newdomain.org and accept emails for all mailboxes on both old and new email domains; the secondary email domain is mail.old-domain.org. The local domain name is unchanged.

There is a (Sembee article) redirect on requests to https://mail.old-domain.org and https://mail.NewDomain.org that adds the /owa to the URL and sends users to the https://mail.old-domain.org/owa website to enter their credentials, using localdomainname\username in Basic Auth. Local email users use Windows Auth.

Current UC SSL cert looks like this:

mail.old-domain.org
autodiscover.old-domain.org
localdomain.local
exchange7
exchange7.localdomain.local

Obviously, users have been getting certificate errors when using the URL https://mail.newdomain.org, which isn't ideal, hence the need for this change.

After reading (Sembee article) it appears I no longer need some names specified in the certificate, the server internal FQDN (exchange7.localdomain.local) and the local server name (exchange7). I also want people to just connect using mail.newdomain.org so no longer require the mail.old-domain.org. My new cert would look like this:

mail.NewDomain.org
autodiscover.NewDomain.org
localdomain.local

Sorry for the long-winded drivel, but hoped to include as much as possible for your consideration!

so my questions are:

1) Do I need to renew or create a new GoDaddy cert? (Starfield)

2) What is the best way to accomplish the above?

3) Any improvements you could suggest to make the user email experience better? :)

I'd appreciate any help, and as mentioned, I'm a tad thick so would appreciate simple answers :)

All the best
Question by:leegclystvale
Accepted Solution

by: Simon Butler (Sembee)
ID: 40463275
You will be unable to include "localdomain.local" in the certificate.
All certificates that expire after November 2015 cannot include internal only host names. Therefore you are looking at using external host names only.
That also means configuring Exchange with the external host names, and a split DNS. See another of my articles here:
http://semb.ee/hostnames2007

As you have an established former name, then I would include that in the SSL certificate as one of the additional names. That will ensure that anyone with the old name can get access.

Simon.
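The sequence Simon describes (move Exchange to the public host names with split DNS first, let Autodiscover push the new URLs to clients, then request a certificate carrying public names only, keeping the old name as a SAN) as an added Exchange Management Shell example. This is not code from the thread or from the linked article. It assumes a single Exchange 2007 SP1 or later server named exchange7 holding the Client Access role, the placeholder domains from the question, an internal address of 192.168.1.10 for the split-DNS records, a GB/"Example Org" CSR subject, and that the internal DNS server is Windows DNS managed with dnscmd; change all of those to match your environment.

```powershell
# Added example, not from the original thread. Run in the Exchange 2007
# Management Shell on the CAS (exchange7). All names, paths and the internal
# IP below are placeholders/assumptions.

$Server   = 'exchange7'
$NewHost  = 'mail.newdomain.org'
$AutoD    = 'autodiscover.newdomain.org'
$OldHost  = 'mail.old-domain.org'          # kept as a SAN so old links still work
$OldAutoD = 'autodiscover.old-domain.org'  # kept in case any mailbox still has old-domain.org as primary

# 1. Point every client-facing URL at the public name, for both internal and
#    external use, so clients are never directed to a .local name.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutoD/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$NewHost/EWS/Exchange.asmx" -ExternalUrl "https://$NewHost/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$NewHost/OAB" -ExternalUrl "https://$NewHost/OAB"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$NewHost/owa" -ExternalUrl "https://$NewHost/owa"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$NewHost/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$NewHost/Microsoft-Server-ActiveSync"

# 2. Split DNS on the internal DNS server: an internal copy of the public zone
#    with only the records Exchange needs, resolving to the internal address.
#    (Any other public records, e.g. www, must be duplicated here too, or
#    internal users lose them.)
dnscmd . /ZoneAdd newdomain.org /Primary /file newdomain.org.dns
dnscmd . /RecordAdd newdomain.org mail A 192.168.1.10
dnscmd . /RecordAdd newdomain.org autodiscover A 192.168.1.10

# 3. Once Outlook clients have picked up the new URLs through their periodic
#    Autodiscover refresh, generate a CSR with public names only. Exchange 2007
#    writes the request to -Path; the CN should be the primary host name.
New-ExchangeCertificate -GenerateRequest -Path 'C:\certreq\mail.newdomain.org.req' `
    -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "c=GB, o=Example Org, cn=$NewHost" `
    -DomainName $NewHost, $AutoD, $OldHost, $OldAutoD `
    -FriendlyName "Exchange UC $(Get-Date -Format yyyy-MM)"

# 4. Submit the .req to the CA. When the issued .cer is back, import it on the
#    same server (the private key is already in its store), find it by name and
#    bind it to IIS and SMTP in one step; Enable-ExchangeCertificate replaces
#    the binding, so the old certificate stops being served immediately.
Import-ExchangeCertificate -Path 'C:\certreq\mail.newdomain.org.cer'
$new = Get-ExchangeCertificate |
       Where-Object { $_.CertificateDomains -contains $NewHost } |
       Sort-Object NotAfter -Descending | Select-Object -First 1
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS,SMTP'

# 5. Confirm what is now bound and that no internal-only name remains.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Select-Object Thumbprint, NotAfter, CertificateDomains
```

Do step 1 and 2 well before step 3 and 4: the point of the ordering is that by the time the certificate without .local names is bound, no client is still asking for exchange7.localdomain.local. If the redirect mentioned in the question is an IIS-level rewrite keyed on the old host name, update it to the new name at the same time as step 1.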
Author Comment

by:leegclystvale
ID: 40464359
Thanks Simon.  A few more questions:

According to GoDaddy, I can change the common name on a standard SSL prior to first renewal.

1) So can I change the Common Name on the existing GoDaddy certificate from mail.old-domain.org to mail.NewDomain.org, and just keep the old CN as a Subject Alternative Name?

2) Can I drop the autodiscover.old-domain.org, as not everyone uses full Outlook on the domain? iPhone users can populate settings manually for the time being until renewal.

By amending the existing cert, it would enable me to:
a) include the new domain name and also keep all the settings as they are until renewal (4th March 2015)
b) Give me some time to plan the downtime for split DNS and new names.

So amended UCC would be:

CN= mail.newdomain.org
SANs
autodiscover.newdomain.org
localdomain.local
exchange7
exchange7.localdomain.local

3) I assume dropping a SAN name would mean I would have to complete a CSR and go through the validation again and then re-install the amended certificate?

4) Would I do the same upon renewal in March, dropping the local names on the UCC?

I could do with breaking exchange and playing with it but reluctant to do it on the production server :)
Apologies for the questions but I am struggling to get to grips with all the documentation and the differences in the certs!
Assisted Solution

by: Simon Butler (Sembee)
ID: 40464395
"Can i drop the autodiscover.old-domain.org as not everyone uses full outlook on the domain? and iphone users can populate settings manually for the time being until renewal"

If you have any users with the domain as their primary domain, then you need to have something for Autodiscover.
Personally I would drop the internal names from the certificate now. Make the move to the external names only. That would allow you to have both variants of names in the certificate for maximum protection. If you make the changes to Exchange first, wait a while for Autodiscover to update the clients, then change the certificate you should have no disruption to the end users.
It would also make the renewal much easier as you would be renewing the same thing.

Simon.
Author Comment

by:leegclystvale
ID: 40464909
Cheers Simon.

"If you have any users with the domain as their primary domain, then you need to have something for Autodiscover. "  - We don't, but your point makes sense just in case!

from godaddy site "For Exchange or IIS servers, you must generate a new CSR, and then use it to re-key your UCC certificate (more info). Finally, install the certificate as if it were new."

Amending my certificate CN and SANs will mean I have to regenerate a CSR and then install the amended cert as I would a new certificate, from the above.

I assume that as I am not changing anything other than the CN and SANs, the existing cert won't need revoking and it's just a case of following a new cert installation?

Any help appreciated and thanks for your help so far
Expert Comment

by:Simon Butler (Sembee)
ID: 40465611
If you do a rekey, then the old certificate is revoked after 24 or maybe 48 hours (cannot remember exactly which). As long as you have the names correct though, the clients shouldn't be affected.

Simon.
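Because a re-key gets the old certificate revoked shortly afterwards, the thing to verify is what the server is actually presenting on port 443 after the swap, not just what is in the local store. The following is an added check, not code from the thread or from Simon's articles: it opens a TLS connection, reads the certificate the server sends, and reports whether every required public name is present as a SAN, whether any internal-only name (a .local suffix or a bare host name such as exchange7) is still in it, and how many days remain. The host and the required-name list are placeholders from the question; it assumes Windows PowerShell 2.0 or later with outbound TCP 443 to the server.

```powershell
# Added example, not from the original thread. Inspects the certificate
# presented by $HostName on 443. Host and name lists are placeholders.
function Test-ExchangeCertNames {
    param(
        [string]$HostName = 'mail.newdomain.org',
        [string[]]$Required = @('mail.newdomain.org',
                                'autodiscover.newdomain.org',
                                'mail.old-domain.org'),
        [string[]]$InternalSuffixes = @('.local'),
        [int]$MinDaysLeft = 30
    )

    $client = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    # Accept any chain on purpose: we are inspecting the names, not trusting it.
    # Chain trust is checked separately by the clients (and by step 5 of the
    # server-side procedure), so do not reuse this callback elsewhere.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                    $ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }

    # Subject Alternative Name is OID 2.5.29.17; Format($false) renders it as
    # "DNS Name=a, DNS Name=b" on Windows.
    $names = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $names = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                   ForEach-Object { $_.Groups[1].Value.ToLower() })
    }
    # A single-name certificate carries the host only in the CN.
    $cn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false).ToLower()
    if ($names -notcontains $cn) { $names += $cn }

    $missing  = @($Required | Where-Object { $names -notcontains $_.ToLower() })
    $internal = @($names | Where-Object {
        $n = $_
        ($n -notmatch '\.') -or ($InternalSuffixes | Where-Object { $n.EndsWith($_) })
    })
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    New-Object PSObject -Property @{
        Host         = $HostName
        Thumbprint   = $cert.Thumbprint
        Issuer       = $cert.Issuer
        Names        = $names
        Missing      = $missing
        InternalOnly = $internal
        DaysLeft     = $daysLeft
        Ok           = ($missing.Count -eq 0) -and ($internal.Count -eq 0) -and
                       ($daysLeft -ge $MinDaysLeft)
    }
}

# Usage: run once right after Enable-ExchangeCertificate, and again a day or
# two later once the CA has revoked the re-keyed certificate, comparing the
# Thumbprint each time with the one Get-ExchangeCertificate shows bound to IIS.
Test-ExchangeCertNames -HostName 'mail.newdomain.org' | Format-List
```

Run it from outside the LAN as well as inside: with split DNS in place the two resolve to different addresses, and a firewall or reverse proxy in front of the CAS can present a different certificate from the one bound in Exchange.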
Author Closing Comment

by:leegclystvale
ID: 40465622
Excellent, many thanks Simon. Great articles on website btw