• Status: Solved
  • Priority: High
  • Security: Public
  • Views: 42
  • Last Modified:

New certificate instead of renewing - Exchange 2010 multiple domains

Hi
My exchange 2010 certificate is expiring today, and since the previous (self-signed) certificates were a complete mess, i decided to buy a new ssl certificate from an official source.
Since there are a few domains on that exchange server, i went for the comodo ucc san ssl certificate which covers 4 domains.

My questions are as follow:
1) Can i delete all existing certificates on the server, and install the new official one? How is it done, keeping in mind the server has domain1.com (mail.domain1.com ), domain2.com (mail.domain2.com), and myserver.mydomain.local for the local machine.

2) Do the clients currently connected to that server need to do anything to update the certificate?

Many thanks
Jaime
0
GreatSolutions
Asked:
GreatSolutions
  • 3
  • 2
3 Solutions
 
Jose [MCSE] Ortega CCEO J0rt3g4 Consulting ServicesCommented:
1. Nope just remove those that have been replaced (or are expired), there's one special that shouldn't be touch, you can remove all the public ones.
2. I'd say no, but they should just close and reopen outlook if required.

Well, The names in the SSL are just 2 by domain:
Mail.domain1.com
autodiscover.domain1.com

So the whole list of Entries for the SSL would be:
Mail.domain1.com
autodiscover.domain1.com
Mail.domain2.com
autodiscover.domain2.com

Never ever you are going to be able to use anything with .local and it's a bad practice, either way, you are unable to validate a domain with .local.

So I'd recommend you to set all the url's as the public URL (internally and externally, using the mail.domain1.com or mail.domain2.com).

Here's a script for it
https://gallery.technet.microsoft.com/office/Script-to-configure-the-5a58558b
Use the option -set -urlpath "https://www.mail.domain1.com"
0
 
GreatSolutionsC.I.OAuthor Commented:
Thank you for your fast answer. What did you mean by " there's one special that shouldn't be touch, you can remove all " 
I currently have two certificates that expired today, another one with no name (valid from today to today - i think this one exchange auto-generated it) and another one (the only self-signed one) named Microsoft Exchange and status "invalid for exchange server usage" (this one has only the local machine name i think it's a default or something)
0
 
MASTechnical Department HeadCommented:
Run "new-exchangecertificate" and delete all other self signed certificate.
Then use this to get command to generate command to get CSR. Upload the CSR to the 3rd party CA portal.
https://www.experts-exchange.com/articles/29657/Exchange-2010-Fix-for-an-Invalid-certificate-and-related-issues.html
Once you downloaded the certificate complete the pending request.
https://www.digicert.com/ssl-certificate-installation-microsoft-exchange-2010.htm.
Check this to configure certificate and A records in a muti domain Exchange2010.
https://www.experts-exchange.com/articles/29657/Exchange-2010-Fix-for-an-Invalid-certificate-and-related-issues.html
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
GreatSolutionsC.I.OAuthor Commented:
Ok, generated the certificate, bought a multi-domain SAN certificate from Comodo. I saw that digicert link (to complete the pending request), but no one specifies which certificate to install - i received the following certificates:
•      Root CA Certificate - AddTrustExternalCARoot.crt
•      Intermediate CA Certificate - COMODORSAAddTrustCA.crt
•      Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
•      Your PositiveSSL Multi-Domain Certificate - 109553040.crt
so i used the "PositiveSSL Multi-domain" to complete the pending request, which went on succesfully. I assigned to it POP, IMAP, SMTP and IIS. I didnt' delete the old certificates, should i delete everything there besides the newly created one?

Now from the outside - webmail - it gives me "access denied" in some browsers, or "no certificates found" in others...
0
 
MASTechnical Department HeadCommented:
Hi GreatSolutions,
Please install the certificate and enable IIS and SMTP (POP,IMAP if required) using the step4 in this article
Generate a new self signed Exchange certificate using command
New-Exchangecertificate

Open in new window

If OWA doesnt work please try to reset the OWA virtual directories.
https://technet.microsoft.com/en-us/library/ff629372(v=exchg.141).aspx

Thanks
MAS
0
 
GreatSolutionsC.I.OAuthor Commented:
Thank you, problem solved with MAS help
0

Join & Write a Comment

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now