Just checked our SSL for Exchange and it expires in about a month's time.
How do you go about renewing the certificate?
Is it the same as when it was initially installed or do the SSL people just provide a new one?
We are using Exchange 2010 and TMG 2010.
It's more or less the same. Tell IIS that you want to renew it, let it generate a CSR and send that off for signing. The only difference in a renewal is that you don't generate a new key first.
Also, as a general rule I would export your cert (including the private key part; if it asks you to set an export password you're doing it right) to pfx so you have a backup pair.
Ok I think I understand this, but..
In Ex2010 there is an option to "renew cert.." which generates a <name>.req ?? and adds a pending cert to EMC.
In IIS7 (on the Exchange server) I can highlight the cert and click renew and submit later - this then gets saved as a .txt file with the ---begin--- & ---end-- tags.
Is it one or both of these I need?
What about my SANs? Are they auto-renewed if one of the files above is sent in?
Are you generating your own certificates? I'm guessing not from your OP. If you generate your own then renewal is far easier.
If you mean Self Signed then no,
We created a request then sent it to GeoTrust who then sent us back a signed certificate.
It's how to renew that GeoTrust certificate for another year...
If you use a lot of certificates it might be cheaper to use one of theirs for your trusted root then issue your own. It's certainly quicker to renew as you can issue the renewed certificate instantly. They can take up to 3 months - ok if you've plenty of time but, if like me you forget to renew in time and your certificate suddenly expires, you're up the creek for 3 months.
If you do renew online (use the request you generated from Exchange & paste into the GeoTrust online form) it's easy enough to then change the certificate in Exchange - import the new one to Exchange (via Server Configuration) then pick the new certificate in IIS on your Exchange server. If you're authenticating at TMG you'll also have to import the new certificate to the TMG server & change it there too.
Yeah we authenticate via TMG - so will need to update that as well.
As for the Exchange one - how do I open the .REQ file? If I open it in Notepad I get a string of gobbledygook characters.. :S
The IIS one is what I use. It depends though on what you punch through.
For us we only use IIS based stuff so I didn't think we needed the *exchange* cert which costs more. All I did was generate the request on IIS (using the external address) and submit it and get a cert back which I imported to TMG. I then told TMG to use that cert for the external URL and set the IIS to use an internal CA cert. Because TMG can chain it together it all works well as they are all trusted.
One thing, you don't need the cert to be actually installed to Exchange really. As long as the Exchange IIS is using a valid internal CA cert then basically TMG does the bridge between the two.
The req file should start with the line -----BEGIN NEW CERTIFICATE REQUEST----- and end with -----END NEW CERTIFICATE REQUEST----- with a load of encrypted stuff between. Cut & paste this (including the BEGIN and END lines) into the renewal page on the GeoTrust website.
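A request file that shows unreadable characters in Notepad instead of the BEGIN/END lines may have been saved in binary (DER) form rather than as Base64 text; that cause is an assumption here, not something the thread confirms. The following PowerShell function is an added example, not part of the original thread: it reports which form a file is in and, for a binary file, writes a Base64 copy with the BEGIN/END lines. The function name and file names are hypothetical.

```powershell
# Added example. Written for PowerShell 2.0 so it also runs in the
# Exchange 2010 Management Shell. Names and paths are hypothetical.
function Convert-RequestToPem {
    param(
        [Parameter(Mandatory=$true)][string]$Path,     # request file to inspect
        [Parameter(Mandatory=$true)][string]$OutPath   # where to write the text copy
    )
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $bytes = [System.IO.File]::ReadAllBytes($full)
    if ($bytes.Length -eq 0) { throw "Empty file: $full" }

    # Already Base64 text? Check ASCII and UTF-16, since either may be on disk.
    $marker    = '-----BEGIN (NEW )?CERTIFICATE REQUEST-----'
    $encodings = @([System.Text.Encoding]::ASCII, [System.Text.Encoding]::Unicode)
    foreach ($enc in $encodings) {
        if ($enc.GetString($bytes) -match $marker) { return 'PEM' }
    }

    # A DER-encoded request is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if ($bytes[0] -ne 0x30) { throw "Neither PEM text nor DER: $full" }

    # Base64-encode the raw bytes, wrap at 64 characters, add the header/footer.
    $b64   = [System.Convert]::ToBase64String($bytes)
    $lines = @('-----BEGIN NEW CERTIFICATE REQUEST-----')
    for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $lines += $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    $lines += '-----END NEW CERTIFICATE REQUEST-----'
    Set-Content -Path $OutPath -Value $lines -Encoding ASCII
    return 'DER'
}

# Constructed sample input: a minimal DER SEQUENCE, not a real request.
$sample = Join-Path $env:TEMP 'sample.req'
[System.IO.File]::WriteAllBytes($sample, [byte[]](0x30, 0x03, 0x02, 0x01, 0x00))
Convert-RequestToPem -Path $sample -OutPath "$sample.txt"
Get-Content "$sample.txt"
```

Running `certutil -dump` on the resulting text file prints the decoded request, which lets you confirm the subject and SAN entries before pasting it into the CA's form.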
Originally Posted by Gatt
Hmm.. the req file doesn't show that at all - it does this..