SSL Question on Exchange Web Access....

Hi all, currently got an SSL cert for our Outlook Web Access on Exchange 2007, we've just migrated everyone over to Outlook Web Apps/Exchange 2010.

Am I OK to just remove the SSL cert from the 2007 server, create a new request on the 2010 server, pass this onto our SSL provider to reissue a cert and reinstall on the 2010 server so that the Web Apps is secure?

Thanks.
 
That sounds about right, yes.

Who do you use for your SSL Certificate Authority?
We use GoDaddy and they can even "ReKey" them, which is quite useful.

Si
 
Cool, we use Comodo, I've got a new cert req off the 2010 server which I've submitted to them in our web control panel thingy and now it says awaiting validation so hopefully it should be sorted in a day or two!
 
Good stuff. Yeah we used to use them and then their validation thing annoyed us, so we changed and now everywhere does that anyway! Comodo seem to have a good trust already. Once this is done, it may solve the issue with phones syncing.
 
Once I've put the new certificate in IIS will it stop these prompts coming up for users when they open Outlook? Or is this something different again?

[Image: 1h3v2r.jpg]
 
What is the common name of the certificate?
And yes, it will stop the top of the 3 crosses in each dialog box, so long as Comodo's root or intermediate certificates are installed. (I think they are by default.)

Si
 
I've applied the SSL now which seems to have got rid of the prompt for the mail.earlybreak.co.uk but the Exchange-02 ones have changed so that the top 2 are ticked and the bottom one isn't!

It says "The name on the security certificate is invalid or does not match the name of the site"

Arrrggghhhh, anyone any ideas?
 
What names did you put in the UCC / SAN cert? I just looked at the certificate properties (assuming the FQDN you posted above is actually you) and there only seem to be two SANs:

Not sure really. What is a SAN? Is that the actual certificate on the server itself in the management console? Can I redo this?! Sorry I'm not much help, trying to pick this up as I go!
 
SAN - Subject Alternative Name. AKA UCC (Unified Communications Certificates).

These let you have a single SSL certificate which can "respond" on several names, e.g. mail.mydomain.com (external), Exchange-02 (internal) and Exchange-02.mydomain.local (internal FQDN). You specify the SANs when you generate the CSR (Certificate Signing Request) on your server.

Digicert have a tool which will generate the PowerShell (with the SANs) to paste into Exchange Management Shell. They also have notes on what names to put into an SSL UCC.
 
Hi Chri5, thanks for that info.

At current I have an SSL cert signed which I use on the IIS on the Webserver for the Outlook Web Access.

Can I use this cert for the SAN? Would I already have an Exchange SAN certificate on our old exchange? How would I check?! Can this be transferred across if so!?

Or do I need to buy a new certificate or something?!

Sorry, I'm massively confused!
 
Sounds like you have an SSL Cert which is for one name only (mail.earlybreak.co.uk).

When you're internal, just use the same URL as when external and it should be fine. (You may need to play around with DNS to make that URL point to the internal IP address if it doesn't work.)

But now you have the SSL for mail.earlybreak.co.uk, just use that address and forget about the internal server names.
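
Added example, not part of the original thread: a small Python check of the name matching behind the "name on the security certificate is invalid or does not match" prompt, using the placeholder names from the SAN explanation above (mail.mydomain.com, Exchange-02, Exchange-02.mydomain.local). The function names and sample lists are constructed for illustration, and the wildcard handling goes slightly beyond what the thread covers.

```python
# Added illustration; all names and lists here are constructed sample data.

def _labels(name):
    """Lower-case a DNS name and split it into labels (trailing dot ignored)."""
    return name.rstrip(".").lower().split(".")


def san_matches(san, host):
    """True if one dNSName SAN entry covers the name a client connects to.

    Comparison is case-insensitive. A '*' is honoured only as the entire
    left-most label and stands for exactly one label, so '*.mydomain.com'
    covers 'mail.mydomain.com' but not 'mydomain.com' or 'a.b.mydomain.com'.
    """
    s, h = _labels(san), _labels(host)
    if len(s) != len(h):
        return False
    if s[0] == "*" and len(s) > 2 and h[0]:
        return s[1:] == h[1:]
    return s == h


def uncovered_names(cert_sans, client_names):
    """Names that would trigger a 'name does not match' warning."""
    return [n for n in client_names
            if not any(san_matches(s, n) for s in cert_sans)]


# Names clients might be configured with (placeholders from the thread).
CLIENT_NAMES = ["mail.mydomain.com", "Exchange-02", "Exchange-02.mydomain.local"]
# A certificate issued for the external name only.
SINGLE_NAME_CERT = ["mail.mydomain.com"]
# A UCC/SAN certificate listing every name in use.
UCC_CERT = ["mail.mydomain.com", "exchange-02", "exchange-02.mydomain.local"]

if __name__ == "__main__":
    for label, sans in (("single-name", SINGLE_NAME_CERT), ("UCC/SAN", UCC_CERT)):
        bad = uncovered_names(sans, CLIENT_NAMES)
        print(f"{label:12} cert -> mismatch for: {bad or 'none'}")
    # The last reply's approach: every client uses the external name.
    print(uncovered_names(SINGLE_NAME_CERT, ["mail.mydomain.com"]))
```

Publicly trusted CAs no longer issue certificates for internal-only names such as a bare hostname or a .local FQDN, so the approach in the last reply (one public name, resolved internally through DNS) is the one that still applies.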
 