  1. #1
    jamin100's Avatar
    Join Date
    Feb 2008
    Location
    Birmingham
    Posts
    1,036
    Thank Post
    141
    Thanked 98 Times in 78 Posts
    Rep Power
    33

    Urgent: Help needed with Exchange SSL certificate

    Hey everyone,

    So I found out about an hour ago that our SSL certificate has expired.
    So the VLE and Exchange 2007 server are now only available locally and not externally, which is no good when the staff are not in school.

    Having not set this up before I'm struggling a bit in what goes where etc.

    I've just bought a 3 year Standard UCC SSL 5 slot certificate from GoDaddy and am trying to follow the guide here, "Generating a Certificate Signing Request (CSR) - Exchange Server 2007 | Go Daddy Help | GoDaddy Support", but I'm stuck at step 4. Specifically:

    Our FQDN is domain.schoolname.bham.sch.uk so is this what I put in for the FQDN even though our website is just schoolname.bham.sch.uk?

    Then I get to this point:

    Code:
    -domainname  The comma-separated list of additional domains that are included in your certificate and referred to as Subject Alternative Names (SANs). Deciding what SANs to use depends on the services you are running. You need to know how your server is configured to properly secure everything. But, depending on your configuration, consider adding the following SANs:
    
    • The external name that people use to send and receive mail: mail.yourdomain.com. Where yourdomain.com is your domain.
    • The Fully Qualified Domain Name: yourdomain.com. Where yourdomain.com is your domain.
    • The local name: yourdomain.local. Where yourdomain.local is the local name of your server.
    • The name for your Autodiscover services (Autodiscover automatically configures profile settings to work with mobile phones and other services): autodiscover.yourdomain.com. Where yourdomain.com is your domain name.
    • To use Outlook Web Access internally, you need to include two NetBIOS names: owa1.yourdomain.local and owa1. Where yourdomain.local is the NetBIOS name of the server.

    So, our VLE and OWA both use https://portal.schoolname.bham.sch.uk. Is this all I need to add there?
    What's this autodiscover.yourdomain.com? So I need to specify that and how do I tell what mine is?

    Any help with this would be appreciated as I've only recently taken over and had no idea this was set to expire.

    Thanks

  2. #2
    jamin100's Avatar
    Right, just for a bit more info, this is the information from the expired certificate:

    Code:
    CertificateDomains : {ExchSvr.domain.schoolname.bham.sch.uk}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=School Name CA, DC=domain, DC=schoolname, DC=bham,
                         DC=sch, DC=uk
    NotAfter           : 29/12/2013 16:23:52
    NotBefore          : 30/12/2011 16:23:52
    PublicKeySize      : 2048
    RootCAType         : Enterprise
    SerialNumber       : 
    Services           : IMAP, POP
    Status             : DateInvalid
    Subject            : CN=ExchSvr.domain.schoolname.bham.sch.uk
    Thumbprint         :
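
An added example (not from any poster in this thread): a check for the Exchange Management Shell that reports expiry from the same Get-ExchangeCertificate fields shown above and tests whether each hostname clients use appears in the CertificateDomains of a certificate that is still valid. The hostnames are the thread's placeholders and the 30-day warning window is an assumption.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange server.
# Hostnames are the thread's placeholders; list every name clients connect to.
$requiredNames = @(
    'portal.schoolname.bham.sch.uk',
    'ExchSvr.domain.schoolname.bham.sch.uk'
)
$warnDays = 30                      # assumed warning window, in days
$now      = Get-Date
$deadline = $now.AddDays($warnDays)
$certs    = @(Get-ExchangeCertificate)

# 1. Expiry report, soonest expiry first.
$certs | Sort-Object NotAfter | ForEach-Object {
    if     ($_.NotAfter -lt $now)      { $state = 'EXPIRED' }
    elseif ($_.NotAfter -lt $deadline) { $state = 'EXPIRING' }
    else                               { $state = 'ok' }
    $days = [int](($_.NotAfter - $now).TotalDays)
    '{0,-8} {1,6}d  {2}  [{3}]  {4}' -f $state, $days, $_.Thumbprint, $_.Services, $_.Subject
}

# 2. SAN coverage: every required name must be listed by a certificate that is
#    valid now and stays valid past the warning window.
#    Exact match only; wildcard entries are not expanded.
$usable = @($certs | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $deadline })
foreach ($name in $requiredNames) {
    $covering = @($usable | Where-Object {
        $domains = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
        $domains -contains $name
    })
    if ($covering.Count -eq 0) {
        'MISSING  {0}  (no certificate valid past {1:yyyy-MM-dd} lists it)' -f $name, $deadline
    } else {
        foreach ($c in $covering) {
            'covered  {0}  {1}  [{2}]' -f $name, $c.Thumbprint, $c.Services
        }
    }
}
```

A certificate can list a name and still not serve it, so compare the Services column with where the name is used (IIS for OWA, for instance).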

  3. #3

    Join Date
    Jan 2013
    Location
    Romford
    Posts
    173
    Thank Post
    61
    Thanked 34 Times in 27 Posts
    Rep Power
    9
    An example I found online for the step 4 part was:

    Code:
    New-ExchangeCertificate -domainname mail.google.com, google.com, google.local, autodiscover.google.com, server01.google.com, server01 -Friendlyname google.com -generaterequest:$true -keysize 2048 -path c:\certrequest.txt -privatekeyexportable:$true -subjectname "c=US, o=Google Inc., cn=server01.google.com, s=California, l=Mountain View, ou=IT"

    Source: How to use SSL Certificates with Exchange 2007

    I admit now I haven't ever had to deal with SSLs in Exchange, however I hope I have helped in some way :-)

  4. #4
    jamin100's Avatar
    Ok,

    Do I need a separate certificate for portal.domain.schoolname.bham.sch.uk and exchsvr.domain.schoolname.bham.sch.uk as they seem to have both expired?

  5. #5

    Join Date
    Jan 2013
    Location
    Romford
    Posts
    173
    Thank Post
    61
    Thanked 34 Times in 27 Posts
    Rep Power
    9
    Should be able to just add it onto the --domainname if I'm not mistaken?

  6. #6
    jamin100's Avatar
    Lol, I have no idea.
    So, if I add it in -domainname I get the certificate generated and then import it into Exchange and then IIS on the SharePoint server?

  7. #7

    Join Date
    Jan 2013
    Location
    Romford
    Posts
    173
    Thank Post
    61
    Thanked 34 Times in 27 Posts
    Rep Power
    9
    I'm in the same boat as you haha, just trying to think of it logically

    Was there a separate SSL bought for portal? Might as well try with the --domainname and see what happens, doubt it will hurt adding an extra domain into the SSL, even if it ends up not being able to link to portal.

  8. #8
    jamin100's Avatar
    No, doesn't work.
    It says:

    Code:
    New-ExchangeCertificate : Cannot bind parameter 'DomainName'. Cannot convert value "-PrivateKeyExportable:" to type "Microsoft.Exchange.Data.SmtpDomainWithSubdomains". Error: "Invalid SMTP domain"

    If I take out -domainname then it creates the certreq file fine.
    I should add that I'm trying to generate this from the Exchange Management Shell in 2007.

    No idea if they were bought separately as I only started in September.

  9. #9
    jamin100's Avatar
    Solved this last night.
    Didn't need the SSL bought from GoDaddy as there is a CA server on the domain capable of issuing certificates.

    Played with this and eventually got both the VLE and external access to email fixed.
