leegclystvale
asked on

UC SSL cert renewal on Exchange 2007

Hello,

Exchange UC SSL cert is up for renewal soon and I could do with some help please! I'm a tad thick!

A while ago, I changed our primary email domain to mail.newdomain.org and accept emails for all mailboxes on both old and new email domains; the secondary email domain is mail.old-domain.org. The local domain name is unchanged.

There is a (Sembee article) redirect on requests to https://mail.old-domain.org and https://mail.NewDomain.org that adds the /OWA to the URL and sends users to the https://mail.old-domain.org/owa website to enter their credentials after using localdomainname\username in basic Auth. Local email users use Windows Auth.

Current UC SSL cert looks like this:

mail.old-domain.org
autodiscover.old-domain.org
localdomain.local
exchange7
exchange7.localdomain.local

Obviously, users have been getting certificate errors when using the URL https://mail.newdomain.org, which isn't ideal, hence the need for this change.

After reading (Sembee article) it appears I no longer need some names specified in the certificate, the server internal FQDN (exchange7.localdomain.local) and the local server name (exchange7). I also want people to just connect using mail.newdomain.org so no longer require the mail.old-domain.org. My new cert would look like this:

mail.NewDomain.org
autodiscover.NewDomain.org
localdomain.local

Sorry for the long-winded drivel, but hoped to include as much as possible for your consideration!

So my questions are:

1) Do I need to renew or create a new GoDaddy cert? (Starfield)

2) What is the best way to accomplish the above?

3) Any improvements you could suggest to make the user email experience better? :)

I'd appreciate any help, and as mentioned, I'm a tad thick so would appreciate simple answers :)

All the best

Tags: Exchange, Windows Server 2008, SSL / HTTPS

ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)

leegclystvale

ASKER
Thanks Simon.  A few more questions:

According to GoDaddy, I can change the common name on a standard SSL prior to first renewal.

1) So can I change the Common Name on the existing GoDaddy certificate from mail.old-domain.org to mail.NewDomain.org, and just keep the old CN as a Subject Alternative Name?

2) Can I drop the autodiscover.old-domain.org, as not everyone uses full Outlook on the domain? And iPhone users can populate settings manually for the time being until renewal.

By amending the existing cert, it would enable me to:
a) include the new domain name and also keep all the settings as they are until renewal (4th March 2015)
b) give me some time to plan the downtime for split DNS and new names.

So amended UCC would be:

CN= mail.newdomain.org
SANs:
autodiscover.newdomain.org
localdomain.local
exchange7
exchange7.localdomain.local

3) I assume dropping a SAN name would mean I would have to complete a CSR and go through the validation again and then re-install the amended certificate?

4) Would I do the same upon renewal in March, dropping the local names on the UCC?

I could do with breaking exchange and playing with it but reluctant to do it on the production server :)
Apologies for the questions but I am struggling to get to grips with all the documentation and the differences in the certs!
SOLUTION
Simon Butler (Sembee)

leegclystvale

ASKER
Cheers Simon.

"If you have any users with the domain as their primary domain, then you need to have something for Autodiscover. "  - We don't, but your point makes sense just in case!

From the GoDaddy site: "For Exchange or IIS servers, you must generate a new CSR, and then use it to re-key your UCC certificate (more info). Finally, install the certificate as if it were new."

Amending my certificate CN and SANs will mean I have to regenerate a CSR and then install the amended cert as I would a new certificate, from the above.

I assume that as I am not changing anything other than the CN and SANs, the existing cert won't need revoking and it's just a case of following a new cert installation?

Any help appreciated and thanks for your help so far
Simon Butler (Sembee)

If you do a rekey, then the old certificate is revoked after 24 or maybe 48 hours (cannot remember exactly which). As long as you have the names correct though, the clients shouldn't be affected.

Simon.
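The re-key sequence the two posts above describe (new CSR, re-key at the CA, install as if new, then check the names before the old certificate is revoked), written out as an added example in Exchange 2007 Management Shell syntax; these are not the asker's or Sembee's own commands. The organisation and country in the subject, the file paths, the friendly name and the old thumbprint are assumptions; the host names and the server name exchange7 come from the thread.

```powershell
# Added example (not from the thread): re-keying the Exchange 2007 UCC with the new names.
# Assumed values: o=Example Org, c=GB, C:\certreq\*, the friendly name and $oldThumbprint.

# 1) Generate a new CSR. CN is the primary external name; -DomainName lists every SAN.
#    Only names that clients will actually resolve and connect to belong in this list.
New-ExchangeCertificate -GenerateRequest -Path C:\certreq\newdomain.req -KeySize 2048 `
  -SubjectName "c=GB, o=Example Org, cn=mail.newdomain.org" `
  -DomainName mail.newdomain.org, autodiscover.newdomain.org, localdomain.local `
  -PrivateKeyExportable $true -FriendlyName "Exchange UCC re-key"

# 2) Submit C:\certreq\newdomain.req on the CA's re-key page and download the issued .cer.
#    The CA issues exactly the names in the CSR, so check the list before submitting.

# 3) Install the issued certificate as if it were new: import it and bind it to the
#    services in one pipeline (the import output carries the thumbprint).
Import-ExchangeCertificate -Path C:\certreq\newdomain.cer |
  Enable-ExchangeCertificate -Services IIS, SMTP, POP, IMAP

# 4) Verify while the old certificate is still valid: the new entry must show the
#    expected CertificateDomains, the services just bound and a future NotAfter.
Get-ExchangeCertificate | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# 5) exchange7 / exchange7.localdomain.local are no longer in the certificate, so the
#    internal URLs clients are handed must use a name that is (this is what the
#    split DNS mentioned in the thread provides: mail.newdomain.org resolving internally).
Set-ClientAccessServer -Identity exchange7 `
  -AutoDiscoverServiceInternalUri https://autodiscover.newdomain.org/Autodiscover/Autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "exchange7\EWS (Default Web Site)" `
  -InternalUrl https://mail.newdomain.org/EWS/Exchange.asmx
Set-OABVirtualDirectory -Identity "exchange7\OAB (Default Web Site)" `
  -InternalUrl https://mail.newdomain.org/OAB

# 6) Only once step 4 looks right, remove the superseded certificate by thumbprint.
$oldThumbprint = "<OLD_THUMBPRINT>"   # placeholder: take the real value from step 4
Remove-ExchangeCertificate -Thumbprint $oldThumbprint
```

Run steps 1 and 3 onwards in a maintenance window, since the IIS binding changes when the new certificate is enabled.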
leegclystvale

ASKER
Excellent, many thanks Simon. Great articles on website btw