Exchange 2013 - Generate a new CSR and replace an existing operational SSL cert
Posted on 2014-12-18
Wanted to bounce this off someone else -
On a recent Exchange 2013 deployment project, I moved email off a web-hosting providers POP3 platform to an in-house Exchange 2013 server at my building. The web-hosting service no longer manages our email, but still manages the business website (ex; www.xyz.com). The MX records for mail.xyz.com which used to point to their location, now points to my building.
As I was in setup phase on the Exchange server, I chose a certificate "common name" of "xyz.com" as I was generating the CSR. This along with my autodiscover and owa SANs names. This has not proven to be a problem "so far" with OWA access nor the sending/receiving operations of Outlook, both internally and externally. Email is working without any issues in this regard.
What I am having a problem with is Android and iPhone EAS connection profile creation. When I create the EAS profile on my Android - and enter my email address of "firstname.lastname@example.org", I'm getting a security warning "the name of the site does not match the name on the certificate". When I view the error, the cert is showing as issued to the web hosting company's TLD "*.webhoster.com" common name.
I spoke with the SSL Issuers support - they believe the issue to be the common name I chose of "xyz.com" during cert creation. If I run a cert check on xyz.com, it does show the cert common name as - *.webhoster.com, which ties back to the Cert error I'm getting on the droid phones. When I run a cert check on "mail.xyz.com", the cert common name is listed as "xyz.com", which is what I used when the CSR was created. The SSL issuer advised to run another CSR process on server and re-key into their system to generate a new SSL cert. They also advised to make the common name on the new CSR process, "mail.xyz.com"
Does this sound plausible as to what the root problem is?
Is running another CSR the next course of action?
If another CSR is required, is there any deletion of the existing certs on Exchange required prior? Not sure what management of the existing cert infrastructure needs to be done before the import of the new certificate.
Many thanks on any assistance.