Solved

how to change FQDN or other options to fix SSL certificate

Posted on 2016-09-23
Last Modified: 2016-09-28
I've been notified by GoDaddy that I need to change our SSL certificate from a common name to an FQDN before Sep 28.  Right now my SSL is for uxxxxx.net and my FQDN is uxxxxx.int.

My functional level for the domain is 2008 R2.  I'm not the best with this kind of change and am uncertain what to do.  Do I have any options other than renaming my FQDN?  If not, how do I rename it?  What else needs to be done?  Will that change automatically filter to all the other servers?    I had been told by a vendor previously that this is a difficult change to make so I'm basing my hesitation on that conversation.  If it has to be done, I want to make sure I cover all my bases before doing it.
0
Comment
Question by:cindyfiller
8 Comments
 
LVL 14

Accepted Solution

by:
Todd Nelson earned 250 total points
ID: 41812423
0
 
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 250 total points
ID: 41812467
You do not need to change your internal FQDN domain name. But you need to remove from the digital certificate any name that corresponds to a domain that is not valid externally and registered for your company. For example, if your certificate includes a name ending with .local, .int, even if it is as a secondary name, then you will need to renew your certificate without using that name.

The point is that this process will also involve an analysis of the applications where you are using the digital certificate, because if any of their functions work with the internal name, you will need to figure out a solution that avoids using the internal name and associating it with the certificate. Some solutions in this scenario could be:
- Create a split DNS configuration and point your internal application at the external name; this way it will work with the new certificate.
- Divide the certificates used by your application. The external functions are going to be handled by the new certificate that does not include internal names, and the internal functions that require the internal name can be configured with an internal digital certificate in your network.

However, these solutions involve more environmental configuration and a clear knowledge of how your applications are using the certificate and what kind of clients are consuming it.
0
 

Author Comment

by:cindyfiller
ID: 41812500
This sounds more complicated than I can handle, based on your comments...  I'm not sure if I need a certificate internally for anything...  and the only thing I use the external SSL for is our webmail.  I don't suppose it is as easy as dropping the .net off the certificate?  I'm leaning more towards hiring someone to do this but want to do a bit more research first.
0
 
LVL 14

Expert Comment

by:Todd Nelson
ID: 41812523
You can certainly create a new cert request and not include the internal FQDN names (i.e. .local, .int, .ad, etc.)

However, if the Exchange internal URLs are set with .int (or any other non-routable FQDN) you will need to update those URLs to something that is in your certificate.
0
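The two checks described in the answers above (which certificate names no longer belong in a public certificate, and which Exchange internal URLs would stop matching once they are gone), as an added example that is not part of the original thread. All host names, the owned-domain list and the two function names are constructed for illustration.

```powershell
# Constructed sample data; none of these names come from the thread.
# In the Exchange Management Shell the certificate names would come from the
# CertificateDomains property of Get-ExchangeCertificate, and the URLs from the
# InternalUrl property of Get-OwaVirtualDirectory, Get-WebServicesVirtualDirectory, etc.
$OwnedPublicDomains = @('example.net')          # domains registered to the company
$CurrentSans = @('mail.example.net', 'autodiscover.example.net',
                 'EXCH01', 'exch01.example.int')
$InternalUrls = @{
    OWA = 'https://exch01.example.int/owa'
    EWS = 'https://mail.example.net/EWS/Exchange.asmx'
    OAB = 'https://exch01.example.int/OAB'
}

# True when the name is an owned public domain or a host beneath one.
function Test-PubliclyOwnedName {
    param([string]$Name, [string[]]$OwnedDomains)
    $n = $Name.ToLowerInvariant().TrimEnd('.')
    foreach ($domain in $OwnedDomains) {
        $d = $domain.ToLowerInvariant()
        if ($n -eq $d -or $n.EndsWith(".$d")) { return $true }
    }
    return $false
}

# True when the host matches a certificate name exactly, or a wildcard name
# that replaces exactly one leading label.
function Test-NameCoveredBy {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.ToLowerInvariant()
    foreach ($certName in $CertNames) {
        $c = $certName.ToLowerInvariant()
        if ($h -eq $c) { return $true }
        if ($c.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $c.Substring(1)) { return $true }
    }
    return $false
}

$keep = @($CurrentSans | Where-Object { Test-PubliclyOwnedName -Name $_ -OwnedDomains $OwnedPublicDomains })
$drop = @($CurrentSans | Where-Object { $keep -notcontains $_ })
"Names for the new request : $($keep -join ', ')"
"Names to leave out        : $($drop -join ', ')"

foreach ($service in ($InternalUrls.Keys | Sort-Object)) {
    $urlHost = ([Uri]$InternalUrls[$service]).Host
    if (-not (Test-NameCoveredBy -HostName $urlHost -CertNames $keep)) {
        "{0}: internal URL host '{1}' is not covered by the new certificate" -f $service, $urlHost
    }
}
```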

 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41812541
If you are using the digital certificate for Exchange it makes it more clear. And in that case the solution is to follow the path specified by Todd.
0
 

Author Comment

by:cindyfiller
ID: 41816562
Someone else at GoDaddy sent me instructions they have for accomplishing what I need to do.  It seems like it is much less severe than what I originally thought.  Can you look at this article and see if it is straightforward, or do I need to do additional steps as outlined above?  The vendor I wanted to contract with still hasn't replied to me, so it is looking more like I may have to do this.

https://www.godaddy.com/help/reconfiguring-microsoft-exchange-server-to-use-a-fully-qualified-domain-name-6281?v=1
0
 
LVL 14

Expert Comment

by:Todd Nelson
ID: 41816609
What GoDaddy provided you is more or less what is documented in the links I provided.  It's not difficult.

Digicert has a tool to do it--and reverse the settings if needed ... https://www.digicert.com/internal-domain-name-tool.htm
0
 

Assisted Solution

by:cindyfiller
cindyfiller earned 0 total points
ID: 41820766
It turns out my issue was much easier than I thought.  The problem was that I had some alternate names on the SSL that weren't allowed.  My certificate was ready to expire, so once it was rekeyed, everything was fine.
0
