New certificate instead of renewing - Exchange 2010 multiple domains

Hi
My exchange 2010 certificate is expiring today, and since the previous (self-signed) certificates were a complete mess, i decided to buy a new ssl certificate from an official source.
Since there are a few domains on that exchange server, i went for the comodo ucc san ssl certificate which covers 4 domains.

My questions are as follow:
1) Can i delete all existing certificates on the server, and install the new official one? How is it done, keeping in mind the server has domain1.com (mail.domain1.com ), domain2.com (mail.domain2.com), and myserver.mydomain.local for the local machine.

2) Do the clients currently connected to that server need to do anything to update the certificate?

Many thanks
Jaime
LVL 2
GreatSolutionsC.I.OAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jose Gabriel Ortega CEE Solution Guide - CEO Faru Bonon ITCommented:
1. Nope just remove those that have been replaced (or are expired), there's one special that shouldn't be touch, you can remove all the public ones.
2. I'd say no, but they should just close and reopen outlook if required.

Well, The names in the SSL are just 2 by domain:
Mail.domain1.com
autodiscover.domain1.com

So the whole list of Entries for the SSL would be:
Mail.domain1.com
autodiscover.domain1.com
Mail.domain2.com
autodiscover.domain2.com

Never ever you are going to be able to use anything with .local and it's a bad practice, either way, you are unable to validate a domain with .local.

So I'd recommend you to set all the url's as the public URL (internally and externally, using the mail.domain1.com or mail.domain2.com).

Here's a script for it
https://gallery.technet.microsoft.com/office/Script-to-configure-the-5a58558b
Use the option -set -urlpath "https://www.mail.domain1.com"
0
GreatSolutionsC.I.OAuthor Commented:
Thank you for your fast answer. What did you mean by " there's one special that shouldn't be touch, you can remove all " 
I currently have two certificates that expired today, another one with no name (valid from today to today - i think this one exchange auto-generated it) and another one (the only self-signed one) named Microsoft Exchange and status "invalid for exchange server usage" (this one has only the local machine name i think it's a default or something)
0
MAS (MVE)EE Solution GuideCommented:
Run "new-exchangecertificate" and delete all other self signed certificate.
Then use this to get command to generate command to get CSR. Upload the CSR to the 3rd party CA portal.
https://www.experts-exchange.com/articles/29657/Exchange-2010-Fix-for-an-Invalid-certificate-and-related-issues.html
Once you downloaded the certificate complete the pending request.
https://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2010.htm.
Check this to configure certificate and A records in a muti domain Exchange2010.
https://www.experts-exchange.com/articles/29657/Exchange-2010-Fix-for-an-Invalid-certificate-and-related-issues.html
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

GreatSolutionsC.I.OAuthor Commented:
Ok, generated the certificate, bought a multi-domain SAN certificate from Comodo. I saw that digicert link (to complete the pending request), but no one specifies which certificate to install - i received the following certificates:
•      Root CA Certificate - AddTrustExternalCARoot.crt
•      Intermediate CA Certificate - COMODORSAAddTrustCA.crt
•      Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
•      Your PositiveSSL Multi-Domain Certificate - 109553040.crt
so i used the "PositiveSSL Multi-domain" to complete the pending request, which went on succesfully. I assigned to it POP, IMAP, SMTP and IIS. I didnt' delete the old certificates, should i delete everything there besides the newly created one?

Now from the outside - webmail - it gives me "access denied" in some browsers, or "no certificates found" in others...
0
MAS (MVE)EE Solution GuideCommented:
Hi GreatSolutions,
Please install the certificate and enable IIS and SMTP (POP,IMAP if required) using the step4 in this article
Generate a new self signed Exchange certificate using command
New-Exchangecertificate

Open in new window

If OWA doesnt work please try to reset the OWA virtual directories.
https://technet.microsoft.com/en-us/library/ff629372(v=exchg.141).aspx

Thanks
MAS
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
GreatSolutionsC.I.OAuthor Commented:
Thank you, problem solved with MAS help
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.