[ExchangeList] Re: sbs 2008 ssl cert replacement - how to do

  • From: Simon Butler <simon@xxxxxxxxxxxx>
  • To: "exchangelist@xxxxxxxxxxxxx" <exchangelist@xxxxxxxxxxxxx>
  • Date: Thu, 11 Feb 2010 22:19:00 +0000

http://www.msexchange.org
-------------------------------------------------------
I really must blog this...
Certificates in SBS 2008 are a real pain. 
Whatever you do, you don't use IIS for the certificate generation. You have two 
options. 
1. You use the wizard.
2. You use the Exchange management shell. 

The wizard makes a major presumption - that you are using SRV records for 
Autodiscover. It creates a request for a single name SSL certificate - 
remote.example.com if you have followed the recommendations and expects you to 
make the SRV record changes that are required. However most domain name service 
providers do not support SRV records. Of course those in the list within SBS 
for DNS services do. 
The comments in this article from Sean Daniel clearly show the presumption of 
SRV records use, which is a poor show from Microsoft in my opinion:
http://sbs.seandaniel.com/2009/02/installing-godaddy-standard-ssl.html 

Therefore you must use the Exchange Management Shell. 
On the plus side, this will not affect your live certificate, because it 
doesn't go live until the certificate is enabled. 
On the downside, using EMS to install the certificate breaks the web services 
of SBS. 

Therefore the thing to do is use EMS as normal, generating the request. Once 
you have the response, do not install it until you are ready for the downtime. 
Install the certificate as normal. The web services in SBS (RWW etc) will then 
break. 
Then use the Fix My Network wizard in SBS to correct everything. That should 
reset the web server bindings. The SBS best practises analyser (free download 
from Microsoft - link on my Exchange resources site at http://exbpa.com ) will 
also flag the broken bindings if the Fix My Network wizard doesn't resolve it. 

Instructions for doing the certificate request, installation etc are on my blog 
here: http://blog.sembee.co.uk/archive/2008/05/30/78.aspx 

I should be doing an SBS 2008 certificate installation within the next couple 
of days and I will document and blog the exact steps as this isn't the first 
time this question has come up. 

Simon. 



--
Simon Butler
MVP: Exchange, MCSE
Sembee Ltd.

e: simon@xxxxxxxxxxxx
w: http://www.sembee.co.uk/
w: http://www.amset.info/
w: http://blog.sembee.co.uk/

Need cheap certificates for Exchange, compatible with Windows Mobile 5.0?
http://CertificatesForExchange.com/ for certificates from just $23.99.
Need a domain for your certificate? http://DomainsForExchange.net/ 

Exchange Resources: http://exbpa.com/

-----Original Message-----
From: exchangelist-bounce@xxxxxxxxxxxxx 
[mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Harondel J. Sibble
Sent: 11 February 2010 19:02
To: exchangelist@xxxxxxxxxxxxx
Subject: [ExchangeList] Re: sbs 2008 ssl cert replacement - how to do

Hmm, is that something new in IIS7? Under 6 it won't let you generate a new 
csr until you remove the existing cert...

Or is this a function of having to use the Exchange 2007 console to install the 
cert?

Which is the correct way to install a new cert on Ex2k7/IIS7? As I noted, 
I've seen it suggested both ways as "THE" way to do it.

On 11 Feb 2010 at 13:54, Michael B. Smith wrote:

> You don't need to remove the old cert before you generate the CSR for the 
> new cert. They'll have different thumbprints even if they are otherwise 
> identical, and the thumbprint is what Exchange (and the Windows certificate 
> module) cares about.

--
Harondel J. Sibble
Sibble Computer Consulting
Creating Solutions for the small and medium business computer user.
help@xxxxxxxxx (use pgp keyid 0x3AD5C11D) http://www.pdscc.com
(604) 739-3709 (voice)

-------------------------------------------------------
List Archives: //www.freelists.org/archives/exchangelist/
MSExchange Newsletter: http://www.msexchange.org/pages/newsletter.asp
MSExchange Articles and Tutorials: http://www.msexchange.org/articles_tutorials/
MSExchange Blogs: http://blogs.msexchange.org/
-------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
-------------------------------------------------------
To unsubscribe visit http://www.msexchange.org/pages/exchangelist.asp
Report abuse to listadmin@xxxxxxxxxxxxxx 
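
The sequence described in this thread (request from the Exchange Management Shell, install only when ready for the downtime, certificates told apart by thumbprint), as an added example that is not part of the original messages. The host names, subject, file paths and the services enabled are assumptions; the cmdlets are the Exchange 2007 ones.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007 on SBS 2008).
# Names, subject and paths are placeholders, not values from the thread.
# C:\certs is assumed to exist already.
$names   = 'remote.example.com', 'autodiscover.example.com'
$subject = 'c=GB, o=Example Ltd, cn=remote.example.com'
$reqPath = 'C:\certs\remote.req'
$cerPath = 'C:\certs\remote.cer'

# Step 1 (any time): create the request. Nothing live changes; the current
# certificate stays in use until another one is enabled.
New-ExchangeCertificate -GenerateRequest -Path $reqPath -KeySize 2048 `
    -SubjectName $subject -DomainName $names -PrivateKeyExportable $true

# Step 2 (maintenance window): record what is in use now, so the old
# certificate can be re-enabled by thumbprint if the change is backed out.
Get-ExchangeCertificate | Format-List Thumbprint, Subject, Services, NotAfter

# Step 3: import the CA's response. The old certificate is not removed; the
# two are distinguished by thumbprint even when the subject is identical.
$new = Import-ExchangeCertificate -Path $cerPath

# Step 4: stop before going live if the private key is missing or one of
# the names clients connect to is not on the certificate.
$covered = @($new.CertificateDomains | ForEach-Object { $_.ToString() })
$missing = @($names | Where-Object { $covered -notcontains $_ })
if (-not $new.HasPrivateKey) { throw 'Imported certificate has no private key' }
if ($missing.Count -gt 0)    { throw "Names not on certificate: $missing" }

# Step 5: enable by thumbprint. The service list here is an assumption.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services 'IIS, SMTP'

# Step 6: confirm which thumbprint now holds the services, then run the
# Fix My Network wizard to repair the SBS web site bindings.
Get-ExchangeCertificate | Where-Object { $_.Services -ne 'None' } |
    Format-List Thumbprint, Services, CertificateDomains
```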
