Pkafkas
asked on
How to change Digital certificates for a Microsoft Exchange 2010 Server
Hello:
I am interested in learning how to create a new C.S.R and Digital Certificate for our Exchange Server. Our current Exchange Digital Certificate will eventually expire. I found a couple of websites that explain many of the steps; but, I still have a few specific questions:
Basically the steps include:
A. Create a new Certificate Signing Request (CSR) from the Exchange 2010 Server.
B. Use a public certificate authority to create a Digital Certificate (ie GoDaddy).
C. Download the Digital cert from GoDaddy and install the .cer file on the Exchange 2010 Server while using Exchange Management Console.
A few websites with some examples:
https://www.digicert.com/csr-creation-microsoft-exchange-2010.htm
https://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2010.htm
https://www.godaddy.com/help/exchange-server-2010-install-a-certificate-5863
The last time I tried this, I worked with a consultant that was supposed to know what he was doing; but, actually admitted to me that he never installed or configured a digital certificate before. He thought he would just google search it and figure it out on the fly. I ended up figuring it out myself with GoDaddy's help; but, it was a stressful night.
My specific questions are:
1. If my current Digital cert will not expire for a couple of months and I create a new C.S.R./Digital Cert (with GoDaddy), and install/configure the new cert on the Exchange Server 2010, will the original certificate automatically become disabled?
2. Can 2 digital certificates be active on the same Exchange Server?
a. Will I need to manually disable the older certificate on the Exchange Server.
3. Is there a way to see the settings for the currently used Certificate?
a. For example, in the New Exchange Certificate wizard what should I put down for:
Client Access Server (Outlook Web App) //mail.domain.com - Outlook web app functionality.
Client Access Server (Exchange ActiveSync) //activesync.domain.com - for mobile phones functionality correct?
Client Access Server (webservices, Outlook Anywhere, and Autodiscover) //mail.domain.com - autodiscover functionality
Client Access Server (POP/IMAP) for IMAP //mail.mogl.net - for IMAP functionality
Unified messaging server //.... I do not know
Hub Transport server //.... I do not know
Legacy Exchange Server //Only used for 2003 Server migrations.
4. At what point, if any, will the Exchange server stop working until I install/configure the correct certificate?
a. Assuming we are still using the same Exchange server and the original Certificate has not expired yet.
ASKER
Thank you for your comments. It appears that "MAS" confirms the comments as well. Very good!! To double-check that I understand your comments correctly:
Point1: The currently used Certificate Signing request (C.S.R.) and Digital certificate from GoDaddy will continue to work until the newly created C.S.R. actually has Services assigned to it.
Point2: The currently used certificate will be automatically disabled when services are assigned to the new Digital Certificate.
Point3: The best way to verify what information to use for the OWA and autodiscover and activesync options is to research how the current digital certificate is set up.
a. Look at the company public DNS records linked from the company's ISP.
b. Look at the configuration for the current digital certificate (security padlock from the https://.../owa).
c. Look at the configuration from the certificates in the Exchange management console (server configuration - module).
d. Use your common sense to draw conclusions and ask GoDaddy for any additional specific questions.
Does that sound correct? The last time I created a new certificate was with that "Consultant", and I ended up creating a new C.S.R. 3-4 different times before we got it correct. So I believe I remember as soon as you assign services to a new digital certificate it will invalidate the previously used certificate. Hence, that is why I want to be careful this time.
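
The inspection and replacement steps discussed in this thread, as an added example that is not part of the original posts: it reads the names and services of the certificate currently in use, builds the new request from them, and lists the result after services are assigned. It assumes the Exchange Management Shell on the Exchange 2010 server; the `C:\certs\...` paths, the choice of the IIS-bound certificate as "current", and assigning only `IIS` are assumptions to adapt.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2010 server.

# 1. Show every installed certificate, the names it covers and the services bound to it.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, Status, IsSelfSigned

# 2. Select the CA-issued certificate currently bound to IIS
#    (OWA, ActiveSync, Autodiscover, Outlook Anywhere). Assumption: this is the one to replace.
$current = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' -and -not $_.IsSelfSigned } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

# 3. Reuse its subject and host names so the new request matches what clients already use.
$names = @($current.CertificateDomains | ForEach-Object { "$_" })
$names    # review this list before sending anything to the CA

$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName $current.Subject `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\exchange2010.req' -Value $csr   # hypothetical path

# 4. After the CA issues the certificate, import it. Importing alone assigns no services.
$bytes = [Byte[]]$(Get-Content -Path 'C:\certs\exchange2010.cer' -Encoding Byte -ReadCount 0)
$new = Import-ExchangeCertificate -FileData $bytes

# 5. Confirm the issued certificate covers the same names (no output means no difference).
Compare-Object $names @($new.CertificateDomains | ForEach-Object { "$_" })

# 6. Assign services to the new certificate (use the Services values seen in step 1),
#    then list again to see which certificate now holds which services.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS
Get-ExchangeCertificate |
    Format-Table Thumbprint, Services, NotAfter, Status -AutoSize
```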