  1. #1

    Gatt

    SSL Renewals

    Just checked our SSL for Exchange and it expires in about a month's time

    How do you go about renewing the certificate?
    Is it the same as when it was initially installed or do the SSL people just provide a new one?

    We are using Exchange 2010 and TMG 2010

  2. #2

    powdarrmonkey
    It's more or less the same. Tell IIS that you want to renew it, let it generate a CSR and send that off for signing. The only difference in a renewal is that you don't generate a new key first.

  3. #3

    ZeroHour
    Also as a general rule I would export your cert (including private key part, if it asks you to set an export password you're doing it right) to pfx so you have a backup pair.

  4. #4

    Gatt
    OK, I think I understand this, but..

    In Ex2010 there is an option to "renew cert.." this generates a <name>.req ?? and adds a pending cert to EMC
    In IIS7 (on Exchange server) I can highlight the cert and click renew and submit later - this then gets saved as a .txt file with the ---begin--- & ---end-- tags

    Is it one or both of these I need?
    What about my SANs? Are they auto-renewed if one of the files above is sent in?

  5. #5

    Are you generating your own certificates? I'm guessing not from your OP. If you generate your own then renewal is far easier.

  6. #6

    Gatt
    If you mean Self Signed then no,
    We created a request then sent it to GeoTrust who then sent us back a signed certificate
    It's how to renew that GeoTrust certificate for another year...

  7. #7

    If you use a lot of certificates it might be cheaper to use one of theirs for your trusted root then issue your own. It's certainly quicker to renew as you can issue the renewed certificate instantly. They can take up to 3 months - ok if you've plenty of time but, if like me you forget to renew in time and your certificate suddenly expires, you're up the creek for 3 months.
    If you do renew online (use the request you generated from Exchange & paste into the GeoTrust online form) it's easy enough to then change the certificate in Exchange - import the new one to Exchange (via Server Configuration) then pick the new certificate in IIS on your exchange server. If you're authenticating at TMG you'll also have to import the new certificate to the TMG server & change it there too.

  8. #8

    Gatt
    Yeah we authenticate via TMG - so will need to update that as well.

    As for the exchange - how do I open the .REQ file - if I open it in notepad I get a string of gobbledegook characters.. :S

  9. #9

    ZeroHour
    The IIS one is what I use. It depends though on what you punch through.
    For us we only use IIS based stuff so I didn't think we needed the *exchange* cert which costs more. All I did was generate the request on IIS (using external address) and submit it and get a cert back which I imported to TMG. I then told TMG to use that cert for the external URL and set the IIS to use an internal CA cert. Because TMG can chain it together it all works well as they are all trusted.

  10. #10

    ZeroHour
    One thing, you don't need the cert to be actually installed to exchange really. As long as the exchange IIS is using a valid internal CA cert then basically TMG does the bridge between the two.

  11. #11

    Originally posted by Gatt:
    "As for the exchange - how do I open the .REQ file - if I open it in notepad I get a string of gobbledegook characters.. :S"
    The req file should start with the line -----BEGIN NEW CERTIFICATE REQUEST----- and end with -----END NEW CERTIFICATE REQUEST----- with a load of encrypted stuff between. Cut & paste this (including the BEGIN and END lines) into the renewal page on the GeoTrust website.

  12. #12

    Gatt
    Hmm.. the req file doesn't show that at all - it does this..

    req_file.PNG
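
An added example (not part of the thread, and not Microsoft or GeoTrust code): a standard-library Python check that reads a request file in either form, the BEGIN/END text described in post #11 or binary DER that Notepad shows as unreadable characters, and lists the SAN host names it carries (the question in post #4). The function names and sample bytes are constructed for illustration; that the file in post #12 was binary-encoded is an assumption, since the screenshot is not available.

```python
import base64
import re

SAN_OID = bytes.fromhex("0603551d11")  # DER bytes of OID 2.5.29.17 (subjectAltName)
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def to_der(raw):
    """Return DER bytes from a request file in BEGIN/END text form or binary form."""
    m = PEM_RE.search(raw)
    if m:
        return base64.b64decode(b"".join(m.group(2).split()))
    if raw[:1] == b"\x30":  # ASN.1 SEQUENCE tag: binary DER, unreadable in Notepad
        return raw
    raise ValueError("not a PEM or DER request file")

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def san_dns_names(der):
    """List dNSName entries of the subjectAltName extension; [] if it is absent."""
    start = der.find(SAN_OID)  # byte scan, so it works whatever wraps the extension
    if start < 0:
        return []
    tag, value, nxt = read_tlv(der, start + len(SAN_OID))
    if tag == 0x01:  # optional BOOLEAN "critical" flag
        tag, value, nxt = read_tlv(der, nxt)
    if tag != 0x04:  # the extension value must be an OCTET STRING
        raise ValueError("unexpected structure after subjectAltName OID")
    _, names, _ = read_tlv(value, 0)  # SEQUENCE OF GeneralName
    found, pos = [], 0
    while pos < len(names):
        tag, item, pos = read_tlv(names, pos)
        if tag == 0x82:  # context tag [2] = dNSName
            found.append(item.decode("ascii"))
    return found

# Constructed sample: only a SAN extension in a SEQUENCE, not a complete signed request.
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value  # short-form length (values under 128 bytes)

_names = _tlv(0x82, b"mail.example.com") + _tlv(0x82, b"autodiscover.example.com")
SAMPLE_DER = _tlv(0x30, SAN_OID + _tlv(0x04, _tlv(0x30, _names)))
```

Calling `san_dns_names(to_der(data))` on the bytes of the real .req or .txt file before submitting it shows which host names the CA will be asked to sign; an empty list means the request carries no SAN extension.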
