
Exchange 2010 renew certificate 1

Status
Not open for further replies.

disturbedone

Vendor
Sep 28, 2006
781
AU
I have taken over an Exchange 2010 environment and the SSL certificate is due to expire shortly. I have a pretty good idea of the process but would like to clarify it with someone.

Firstly, some background. There are 2x CA/HT (CA1 and CA2) servers and 2x MBX (MX1 and MX2) servers.

This is what I think is the correct procedure:

1. On CA1 server go to IIS Manager/Security/Server Certificates. Currently I see the existing certificate with name="exchange 2010", IssuedTo="mail.domain.com" and IssuedBy="Thawte SSL CA".
2. Right-click and select 'Renew'. Options are to 'Renew an existing certificate', 'Create a renewal certificate request' and 'Complete certificate renewal request'. As the certificate comes from an external authority (Thawte) I would select the 'Create a renewal certificate request' - is that correct? It asks for where to store the output file - does this need to be request.csr or can it be request.txt (it seems to let me call it anything)?
3. I assume the output file is a CSR (Certificate Signing Request) and viewing the text file would show something like this example.
4. I would then go to Thawte and request a renewal and paste this CSR into the suitable field online.
5. Thawte would send me the certificate.
6. I would then go to CA1, right-click the certificate and select the 3rd option to 'Complete certificate renewal request' and upload the supplied file e.g. certificate.cer.

Hopefully that is correct. If so, then the next step would be to get the renewed certificate onto CA2. I think all I'd need to do would be to 'Complete certificate renewal request' and upload the new *.cer file. I wouldn't think I'd need to create a CSR because I want the same certificate on both servers. Can someone confirm this is all I need to do to CA2?

Is there anything else that needs to be done to get the renewed certificate on? Is there anything inside Exchange EMC/CLI that needs to be done?

Thanks in advance.
 
This has got very confusing having looked in to it further. There appear to be options in EMC for 'Assign Services to Certificate' and 'Renew Exchange Certificate'. Should these be used instead of IIS???? Or in conjunction with???

It is also slightly complicated by the fact that I want to remove 2x and add 1x SAN entries on the certificate. Because of that would it be best to import a new certificate instead of renewing the existing one??

1. Renew or New?
2. IIS or EMC?

At this point I'm thinking New instead of Renew because of the removal/addition of SAN entries. And I'm thinking using EMC instead of IIS (and assuming that the info in IIS is just taken from Exchange).

I'm also thinking of using EMC to generate a new CSR using the 'New Exchange Certificate' option. It allows me to specify which Exchange services it will be used for, which SANs to add, enter the CN etc details.

Advice?
 
I would renew and then rekey (adding additional SANs) before actually installing the cert. The EMC wizard helps you pick names, but otherwise it doesn't do much that the OS cert wizard doesn't.

Note that if you just renewed it without generating a new CSR, and you added the names to it, you could still bring it back down to your servers, and use the Digicert Certificate Utility to match the downloaded cert (which would lack a private key since you didn't generate a CSR) with your original private key.

Alternately, generating a whole new cert wouldn't really be that difficult either, and you could easily generate the CSR in the EMC tool.

Dave Shackelford
ThirdTier.net
TrainSignal.com
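The "match the downloaded cert with your original private key" step in the reply above can also be done from the command line on the CAS server. The following is an added example, not Dave's commands or the DigiCert utility; it uses certutil's repairstore operation, which asks CryptoAPI to locate the private key that the original certificate left in the machine store and bind it to the newly imported renewed certificate. The file path and `<THUMBPRINT>` are placeholders.

```powershell
# Added example (not from the thread): re-pair a renewed certificate that was
# downloaded without a private key with the key of the certificate it renews.
# Run in an elevated prompt on the CAS server that holds the original key.
# C:\certs\renewed.cer and <THUMBPRINT> are placeholders.

# 1. Put the renewed certificate (public part only) into the machine's My store.
certutil -addstore My C:\certs\renewed.cer

# 2. Ask CryptoAPI to find the private key that matches this certificate's
#    public key and attach it. <THUMBPRINT> is the SHA-1 thumbprint of the
#    renewed certificate as listed by 'certutil -store My'.
certutil -repairstore My "<THUMBPRINT>"

# 3. From the Exchange Management Shell, confirm Exchange now sees a private
#    key; Enable-ExchangeCertificate will not bind services to a cert without one.
Get-ExchangeCertificate -Thumbprint "<THUMBPRINT>" |
    Format-List Subject, CertificateDomains, NotAfter, HasPrivateKey, Services
```

This only works when the renewal kept the same public key. If the CA rekeyed the certificate (which is what happens when you submit a fresh CSR, or ask for a rekey as the reply suggests), there is no matching key in the store and the certificate has to be completed on the server that generated that CSR instead.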
 
Just to close this post off here is what I did.....

1. Generated new CSR on CA2 specifying the 5 SANs required (current cert has 6, removed 2 current, added 1 new). This was done in the Exchange EMC not IIS.
2. Sent CSR to Thawte and requested new certificate. The process required me telling them the SANs required too.
3. In Exchange EMC I completed the certificate request and selected the .cer supplied by Thawte.
4. Applied SMTP, POP, IMAP and IIS services to the new certificate. The only issue encountered was it asking if this was to apply to the root website. I found conflicting reports online about this, some said to click no but others said yes. I clicked yes and it worked.
5. Exported the new certificate to a .pfx file and copied to CA1.
6. Imported the .pfx file on CA1 and assigned the same services.

All working ok after that. Thanks for the assistance.
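The six steps the poster describes map one-to-one onto Exchange 2010 Management Shell cmdlets, which is useful when you want the procedure repeatable and logged rather than clicked through the EMC wizards. The block below is an added example, not the poster's own commands: server names follow the thread (CA2 generates the request, CA1 receives the PFX), while mail.domain.com, the SAN list, the organisation details, the file paths and the password prompt are placeholders.

```powershell
# Added example (not from the thread): the poster's six steps carried out in
# the Exchange 2010 Management Shell. Subject, SANs, paths and passwords are
# placeholders; CA1/CA2 are the CAS/HT servers named in the thread.

# --- Step 1 (on CA2): generate a CSR carrying exactly the SANs you want ------
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=AU, O=Example Org, CN=mail.domain.com" `
    -DomainName mail.domain.com, autodiscover.domain.com, legacy.domain.com `
    -FriendlyName "Exchange 2010 $(Get-Date -Format yyyy)" `
    -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path C:\certs\request.csr -Value $req
# Step 2: submit C:\certs\request.csr to the CA (Thawte in the thread) and save
# the certificate it returns as C:\certs\issued.cer.

# --- Step 3: complete the pending request; the key pair is already on CA2 ----
$cert = Import-ExchangeCertificate `
    -FileData ([byte[]](Get-Content -Path C:\certs\issued.cer -Encoding Byte -ReadCount 0))

# --- Step 4: bind the services. IIS here rebinds the Default Web Site, which
#     is the "apply to the root website" prompt the poster saw in the EMC. ----
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP, POP, IMAP

# --- Step 5: export certificate plus private key as a password-protected PFX -
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint `
    -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path C:\certs\exchange.pfx -Value $export.FileData -Encoding Byte

# --- Step 6: import the PFX into CA1 and bind the same services. -FileData
#     carries the bytes, so this can run from the same shell on CA2. ---------
$imported = Import-ExchangeCertificate -Server CA1 -Password $pfxPassword `
    -FileData ([byte[]](Get-Content -Path C:\certs\exchange.pfx -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server CA1 -Thumbprint $imported.Thumbprint -Services IIS, SMTP, POP, IMAP

# --- Check: both servers should show the new thumbprint holding the services
#     and the old certificate holding none before it is removed. -------------
foreach ($srv in 'CA1', 'CA2') {
    Get-ExchangeCertificate -Server $srv |
        Select-Object @{n = 'Server'; e = { $srv }}, Thumbprint, Services, NotAfter, CertificateDomains
}
```

Two things worth keeping from this shape of the procedure: the private key is only ever generated once (on CA2) and travels to CA1 inside the password-protected PFX, and the final Get-ExchangeCertificate loop is the check that tells you whether the old certificate still owns any service before you delete it or the PFX file.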
 