UC SSL cert renewal on Exchange 2007

Posted on 2014-11-24
Last Modified: 2014-11-25
Hello,

Exchange UC SSL cert is up for renewal soon and I could do with some help please! I'm a tad thick!

A while ago, I changed our primary email domain to mail.newdomain.org and accept emails for all mailboxes on both old and new email domains; secondary email domain is mail.old-domain.org.  The local domain name is unchanged

There is a (sembee article) redirect on requests to https://mail.old-domain.org and https://mail.NewDomain.org that adds the /OWA to the URL and sends users to the https://mail.old-domain.org/owa website to enter their credentials after using localdomainname\username in basic Auth. Local email users use Windows Auth

Current UC SSL cert looks like this:

mail.old-domain.org
autodiscover.old-domain.org
localdomain.local
exchange7
exchange7.localdomain.local

Obviously, users have been getting certificate errors when using the URL https://mail.newdomain.org which isn't ideal, hence the need for this change.

After reading (Sembee article) it appears I no longer need some names specified in the certificate, the server internal FQDN (exchange7.localdomain.local) and the local server name (exchange7). I also want people to just connect using mail.newdomain.org so no longer require the mail.old-domain.org. My new cert would look like this:

mail.NewDomain.org
autodiscover.NewDomain.org
localdomain.local

Sorry for the long-winded drivel, but hoped to include as much as possible for your consideration!

so my questions are:

1) Do I need to renew or create a new godaddy cert? (starfield)

2) What is the best way to accomplish the above?

3) Any improvements you could suggest to make the user email experience better? :)

I'd appreciate any help, and as mentioned, I'm a tad thick so would appreciate simple answers :)

all the best
Question by:leegclystvale

Accepted Solution by: Simon Butler (Sembee) earned 500 total points
ID: 40463275
You will be unable to include "localdomain.local" in the certificate.
All certificates that expire after November 2015 cannot include internal only host names. Therefore you are looking at using external host names only.
That also means configuring Exchange with the external host names, and a split DNS. See another of my articles here:
http://semb.ee/hostnames2007

As you have an established former name, then I would include that in the SSL certificate as one of the additional names. That will ensure that anyone with the old name can get access.

Simon.

Author Comment by:leegclystvale
ID: 40464359
Thanks Simon.  A few more questions:

According to godaddy, I can change the common name on a standard SSL prior to first renewal.

1) So can I change the Common Name on the existing godaddy Certificate from mail.old-domain.org to  mail.NewDomain.org ....and just keep the old CN as a Subject Alternative Name?

2) Can I drop the autodiscover.old-domain.org as not everyone uses full outlook on the domain? and iphone users can populate settings manually for the time being until renewal

By amending the existing cert, it would enable me to:
a) include the new domain name and also keep all the settings as they are until renewal (4th March 2015)
b) Give me some time to plan the downtime for split DNS and new names.

So amended UCC would be:

CN= mail.newdomain.org
SANs
autodiscover.newdomain.org
localdomain.local
exchange7
exchange7.localdomain.local

3) I assume dropping SAN name would mean I would have to complete a CSR and go through the validation again and then re-install the amended certificate?

4) Would I do the same upon renewal in March dropping the local names on the UCC?

I could do with breaking exchange and playing with it but reluctant to do it on the production server :)
Apologies for the questions but I am struggling to get to grips with all the documentation and the differences in the certs!

Assisted Solution by: Simon Butler (Sembee) earned 500 total points
ID: 40464395
"Can i drop the autodiscover.old-domain.org as not everyone uses full outlook on the domain? and iphone users can populate settings manually for the time being until renewal"

If you have any users with the domain as their primary domain, then you need to have something for Autodiscover.
Personally I would drop the internal names from the certificate now. Make the move to the external names only. That would allow you to have both variants of names in the certificate for maximum protection. If you make the changes to Exchange first, wait a while for Autodiscover to update the clients, then change the certificate you should have no disruption to the end users.
It would also make the renewal much easier as you would be renewing the same thing.

Simon.

Author Comment by:leegclystvale
ID: 40464909
cheers Simon.

"If you have any users with the domain as their primary domain, then you need to have something for Autodiscover. "  - We don't, but your point makes sense just in case!

from godaddy site "For Exchange or IIS servers, you must generate a new CSR, and then use it to re-key your UCC certificate (more info). Finally, install the certificate as if it were new."

Amending my certificate CN and SANs will mean I have to regenerate a CSR and then install the amended Cert as I would a new certificate, from the above.

I assume that as I am not changing anything other than the CN and SANs, the existing cert won't need revoking and it's just a case of following a new cert installation?

Any help appreciated and thanks for your help so far

Expert Comment by:Simon Butler (Sembee)
ID: 40465611
If you do a rekey, then the old certificate is revoked after 24 or maybe 48 hours (cannot remember exactly which). As long as you have the names correct though, the clients shouldn't be affected.

Simon.
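Simon's recommended order (point Exchange at the external names, let Autodiscover push the new URLs to clients, then re-key the certificate with public names only and the old name kept as a SAN, then verify what is bound to IIS) written out as Exchange 2007 Management Shell commands; this is an added example, not code from the thread or from Sembee's articles. Assumed: server name exchange7, external name mail.newdomain.org, the C:\certs paths, the subject's C=GB / O=Example Org, and a split-DNS zone in which newdomain.org already resolves internally to the Client Access server.

```powershell
# Added example (not from the thread). Exchange 2007 SP1 Management Shell.
# Assumed: server exchange7, external name mail.newdomain.org, C:\certs paths,
# subject C=GB / O=Example Org. Split DNS must already be in place.
$server = "exchange7"
$ext    = "mail.newdomain.org"

# 1) Point every client-access URL (internal and external) at the public name,
#    so no client ever expects exchange7 / exchange7.localdomain.local on the cert.
Set-ClientAccessServer -Identity $server `
    -AutodiscoverServiceInternalUri "https://autodiscover.newdomain.org/Autodiscover/Autodiscover.xml"
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "https://$ext/owa" -ExternalUrl "https://$ext/owa"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$ext/EWS/Exchange.asmx" -ExternalUrl "https://$ext/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$ext/OAB" -ExternalUrl "https://$ext/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$ext/Microsoft-Server-ActiveSync" -ExternalUrl "https://$ext/Microsoft-Server-ActiveSync"

# 2) Once Outlook clients have picked up the new URLs via Autodiscover, generate
#    the re-key CSR: new CN, old public names kept as SANs, no internal names.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=GB, O=Example Org, CN=$ext" `
    -DomainName $ext, "autodiscover.newdomain.org", "mail.old-domain.org", "autodiscover.old-domain.org" `
    -PrivateKeyExportable $true `
    -Path "C:\certs\exchange7-rekey.req"

# 3) Submit the .req to the CA, then import the issued certificate and bind it
#    to IIS and SMTP in one step (Import-ExchangeCertificate returns the object).
Import-ExchangeCertificate -Path "C:\certs\mail.newdomain.org.cer" |
    Enable-ExchangeCertificate -Services "IIS,SMTP"

# 4) Verify: the certificate bound to IIS must carry every name clients will
#    ask for and none of the internal-only names (the CA revokes the old cert
#    shortly after the re-key, so any gap here becomes a client error).
$cert     = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
$expected = @($ext, "autodiscover.newdomain.org", "mail.old-domain.org", "autodiscover.old-domain.org")
$missing  = $expected | Where-Object { $cert.CertificateDomains -notcontains $_ }
$internal = $cert.CertificateDomains | Where-Object { $_ -match "\.local$|^exchange7$" }
if ($missing -or $internal) {
    Write-Warning "Missing names: $missing ; internal-only names present: $internal"
} else {
    Write-Host "Certificate names OK for $ext"
}
```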

Author Closing Comment by:leegclystvale
ID: 40465622
Excellent, many thanks Simon. Great articles on website btw