[ExchangeList] sbs 2008 ssl cert replacement - how to do

  • From: "Harondel J. Sibble" <exchangelist@xxxxxxxxx>
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Thu, 11 Feb 2010 10:44:32 -0800

-------------------------------------------------------

Okay, recently completed a migration from SBS 2003 to SBS 2008 including the 
existing SSL cert which is due to expire in about a week.

Knowing that generally one wants a UC SSL cert for Exchange 2007 and the old 
cert provider is not around anymore (registrfly) and the client being a non 
profit has arrangements with IPSCA for free certs, it's time to start from 

I want to have the least amount of disruption for the end users that are 
using Outlook/Mapi in the office, same over VPN and also using OWA.

Best I can tell, I'll need to remove the existing cert from IIS to generate 
the new CSR for IPSCA, that'll mean that OWA no longer works and same for 
RPC, but that mapi access should still work fine.

I see 2 ways around this

1) generate csr on a different unrelated machine, I have access to IIS6 on 
SBS 2003, install cert and export it in pfx format along with the private 
key, then import into SBS2k8/IIS7.

2) remove current cert breaking owa and rpc until new cert is provided, 
generate csr and install new cert once verification is completed by IPSCA

My concerns: cert install with IIS7/Ex2k7 as talking to other admins and 
doing a bit of reading, things are different in that environment where ssl 
certs are concerned. I've heard and read both that you have to install the 
new cert using IIS AND using the Exchange Console, other reading suggests 
only one or the other is necessary to accomplish this.

Given a recent situation where I provided a new cert using method1 above to a 
client's managed exchange provider and then had mail stop working for all the 
staff at 3 offices after they installed it, I am leery... Everyone uses RPC 
and any email sent/received that way stopped working, owa/webmail worked but 
at the same time one of the mail transports died so email wasn't going in or 
out. A bit of a nightmare.

I'm hoping for a smoother transition with this SBS2k8 machine.


Harondel J. Sibble 
Sibble Computer Consulting
Creating Solutions for the small and medium business computer user.
help@xxxxxxxxx (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice)
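
Added example, not part of the original message: for option 1 above, a PowerShell check to run on the exported PFX before importing it into the SBS 2008 server. It confirms that the file carries the private key, is inside its validity period, and lists every host name clients connect to. The file path and host names are placeholders, and the `DNS Name=` parsing assumes an English-language Windows.

```powershell
# Added example (not from the original post). Placeholders: the PFX path and
# the host names passed at the bottom. Requires PowerShell 2.0 or later.
function Test-PfxForExchange {
    param(
        [string] $Path,
        [System.Security.SecureString] $Password,
        [string[]] $RequiredNames
    )
    # Loads the PFX into memory only; nothing is added to a certificate store.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)

    # Collect the subject CN plus every dNSName in the SAN extension (OID 2.5.29.17).
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $names = @($cert.GetNameInfo($nameType, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() text is localized; 'DNS Name=' assumes English-language Windows.
        $names += [regex]::Matches($san.Format($true), 'DNS Name=(\S+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    # -notcontains compares strings case-insensitively, as host names require.
    $missing = @($RequiredNames | Where-Object { $names -notcontains $_ })
    $now = Get-Date

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Names         = $names
        MissingNames  = $missing
        ReadyToImport = $cert.HasPrivateKey -and ($cert.NotBefore -le $now) -and
                        ($cert.NotAfter -gt $now) -and ($missing.Count -eq 0)
    }
}

$pw = Read-Host 'PFX password' -AsSecureString
Test-PfxForExchange -Path 'C:\temp\newcert.pfx' -Password $pw `
    -RequiredNames 'remote.example.org', 'autodiscover.example.org'
```

Names are compared literally, so a wildcard entry in the certificate will show the specific host names as missing.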