[ExchangeList] Re: sbs 2008 ssl cert replacement - how to do

  • From: "Michael B. Smith" <michael@xxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 11 Feb 2010 13:54:28 -0500

http://www.msexchange.org
-------------------------------------------------------
You don't need to remove the old cert before you generate the CSR for the
new cert. They'll have different thumbprints even if they are otherwise
identical, and the thumbprint is what Exchange (and the Windows certificate
module) cares about.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


-----Original Message-----
From: exchangelist-bounce@xxxxxxxxxxxxx
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Harondel J. Sibble
Sent: Thursday, February 11, 2010 1:45 PM
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] sbs 2008 ssl cert replacement - how to do

Okay, recently
completed a migration from SBS 2003 to SBS 2008 including the existing SSL
cert which is due to expire in about a week.

Knowing that generally one wants a UC SSL cert for Exchange 2007 and the old
cert provider is not around anymore (RegisterFly) and the client being a
non-profit has arrangements with IPSCA for free certs, it's time to start from
scratch.

I want to have the least amount of disruption for the end users that are
using Outlook/Mapi in the office, same over VPN and also using OWA.

Best I can tell, I'll need to remove the existing cert from IIS to generate
the new CSR for IPSCA, that'll mean that OWA no longer works and same for
RPC, but that mapi access should still work fine.

I see 2 ways around this

1) generate csr on a different unrelated machine, I have access to IIS6 on
SBS 2003, install cert and export it in pfx format along with the private
key, then import into SBS2k8/IIS7.

2) remove current cert breaking owa and rpc until new cert is provided,
generate csr and install new cert once verification is completed by IPSCA

My concerns: cert install with IIS7/Ex2k7 as talking to other admins and
doing a bit of reading, things are different in that environment where ssl
certs are concerned. I've heard and read both that you have to install the
new cert using IIS AND using the Exchange Console, other reading suggests
only one or the other is necessary to accomplish this.

Given a recent situation where I provided a new cert using method1 above to
a client's managed exchange provider and then had mail stop working for all
the staff at 3 offices after they installed it, I am leery... Everyone uses
RPC and any email sent/received that way stopped working, owa/webmail worked
but at the same time one of the mail transports died so email wasn't going
in or out. A bit of a nightmare.

I'm hoping for a smoother transition with this SBS2k8 machine.

Comments?


--
Harondel J. Sibble
Sibble Computer Consulting
Creating Solutions for the small and medium business computer user.
help@xxxxxxxxx (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice)

-------------------------------------------------------
List Archives: //www.freelists.org/archives/exchangelist/
MSExchange Newsletter: http://www.msexchange.org/pages/newsletter.asp
MSExchange Articles and Tutorials:
http://www.msexchange.org/articles_tutorials/
MSExchange Blogs: http://blogs.msexchange.org/
-------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
-------------------------------------------------------
To unsubscribe visit http://www.msexchange.org/pages/exchangelist.asp
Report abuse to listadmin@xxxxxxxxxxxxxx 
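
The point made in the reply at the top of this thread, worked through as an added example that is not part of the original messages: the CSR is generated while the current certificate stays bound, and services are moved to the new thumbprint only after the signed certificate is imported. It assumes the Exchange 2007 Management Shell is used; the host names, organisation and file paths are placeholders.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2007 server.
# All names and paths below are placeholders (assumptions), not values from the thread.

# 1. Record what is in use today. The existing certificate is left untouched,
#    so OWA and Outlook Anywhere keep working during the whole request.
Get-ExchangeCertificate | Format-List Thumbprint, Subject, NotAfter, Services

# 2. Generate the CSR next to the existing certificate. The pending request
#    gets its own key pair and, once signed, its own thumbprint.
New-ExchangeCertificate -GenerateRequest `
    -Path 'C:\certs\mail.csr' `
    -SubjectName 'c=CA, o=Example Org, cn=mail.example.org' `
    -DomainName 'mail.example.org', 'autodiscover.example.org' `
    -PrivateKeyExportable $true

# 3. When the CA returns the signed certificate, import it on the same server
#    that generated the request (that is where the private key lives).
$new = Import-ExchangeCertificate -Path 'C:\certs\mail.cer'

# 4. Both certificates are now in the store, told apart by thumbprint.
Get-ExchangeCertificate | Format-Table Thumbprint, NotAfter, Services -AutoSize

# 5. Move the services to the new certificate by thumbprint. IIS covers OWA
#    and Outlook Anywhere (RPC over HTTPS); SMTP covers mail transport.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS,SMTP'

# 6. Check the assignment before retiring the old certificate.
Get-ExchangeCertificate -Thumbprint $new.Thumbprint |
    Format-List Thumbprint, Subject, NotAfter, Services

# Only after clients have been tested against the new certificate:
# Remove-ExchangeCertificate -Thumbprint '<old thumbprint recorded in step 1>'
```

Keeping the old certificate in the store until step 6 succeeds leaves a rollback path: re-running step 5 with the old thumbprint restores the previous binding.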

