• Status: Solved
  • Priority: High
  • Security: Public
  • Views: 77
  • Last Modified:

New certificate instead of renewing - Exchange 2010 multiple domains

My exchange 2010 certificate is expiring today, and since the previous (self-signed) certificates were a complete mess, i decided to buy a new ssl certificate from an official source.
Since there are a few domains on that exchange server, i went for the comodo ucc san ssl certificate which covers 4 domains.

My questions are as follow:
1) Can i delete all existing certificates on the server, and install the new official one? How is it done, keeping in mind the server has domain1.com (mail.domain1.com ), domain2.com (mail.domain2.com), and myserver.mydomain.local for the local machine.

2) Do the clients currently connected to that server need to do anything to update the certificate?

Many thanks
  • 3
  • 2
3 Solutions
Jose Gabriel Ortega CCEO J0rt3g4 Consulting ServicesCommented:
1. Nope just remove those that have been replaced (or are expired), there's one special that shouldn't be touch, you can remove all the public ones.
2. I'd say no, but they should just close and reopen outlook if required.

Well, The names in the SSL are just 2 by domain:

So the whole list of Entries for the SSL would be:

Never ever you are going to be able to use anything with .local and it's a bad practice, either way, you are unable to validate a domain with .local.

So I'd recommend you to set all the url's as the public URL (internally and externally, using the mail.domain1.com or mail.domain2.com).

Here's a script for it
Use the option -set -urlpath "https://www.mail.domain1.com"
GreatSolutionsC.I.OAuthor Commented:
Thank you for your fast answer. What did you mean by " there's one special that shouldn't be touch, you can remove all " 
I currently have two certificates that expired today, another one with no name (valid from today to today - i think this one exchange auto-generated it) and another one (the only self-signed one) named Microsoft Exchange and status "invalid for exchange server usage" (this one has only the local machine name i think it's a default or something)
MAS (MVE)Technical Department HeadCommented:
Run "new-exchangecertificate" and delete all other self signed certificate.
Then use this to get command to generate command to get CSR. Upload the CSR to the 3rd party CA portal.
Once you downloaded the certificate complete the pending request.
Check this to configure certificate and A records in a muti domain Exchange2010.
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

GreatSolutionsC.I.OAuthor Commented:
Ok, generated the certificate, bought a multi-domain SAN certificate from Comodo. I saw that digicert link (to complete the pending request), but no one specifies which certificate to install - i received the following certificates:
•      Root CA Certificate - AddTrustExternalCARoot.crt
•      Intermediate CA Certificate - COMODORSAAddTrustCA.crt
•      Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
•      Your PositiveSSL Multi-Domain Certificate - 109553040.crt
so i used the "PositiveSSL Multi-domain" to complete the pending request, which went on succesfully. I assigned to it POP, IMAP, SMTP and IIS. I didnt' delete the old certificates, should i delete everything there besides the newly created one?

Now from the outside - webmail - it gives me "access denied" in some browsers, or "no certificates found" in others...
MAS (MVE)Technical Department HeadCommented:
Hi GreatSolutions,
Please install the certificate and enable IIS and SMTP (POP,IMAP if required) using the step4 in this article
Generate a new self signed Exchange certificate using command

Open in new window

If OWA doesnt work please try to reset the OWA virtual directories.

GreatSolutionsC.I.OAuthor Commented:
Thank you, problem solved with MAS help
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Train for your Pen Testing Engineer Certification

Enroll today in this bundle of courses to gain experience in the logistics of pen testing, Linux fundamentals, vulnerability assessments, detecting live systems, and more! This series, valued at $3,000, is free for Premium members, Team Accounts, and Qualified Experts.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now