CAS transition and legacy cert
Hi,
We are transitioning our CAS 2007 to 2010. In regards to the legacy.domain.com cert that we need to install on Exchange 2007, can we use an internal PKI issued cert for that or do we need to get another one from VeriSign?
Does an ActiveSync device actually use that cert for someone who is transitioning to 2010 and for someone who is still on 2007?
June 10th, 2011 1:17pm
You will have to get another one.
New Server will use new server be OWA, ActiveSync etc.
Cheers,
Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.Blogspot.com
June 10th, 2011 1:20pm
My question was, can we use a PKI issued one?
June 10th, 2011 1:39pm
Can you? Yes, but it's not recommended. The reason being that since it's private, only domain-joined computers have the capability of trusting the cert, so users using home computers or other outside terminals will have cert warnings and possibly other issues. Plus you will run into a lot of headaches trying to support other services, troubleshooting headaches such as not being able to use testexchangeconnectivity.com, plus if you do forest migrations you also need additional steps when working with private certs, as another example. It just shows you to invest in the 3rd party cert.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
June 10th, 2011 2:24pm
Thanks
June 12th, 2011 11:05am
Hi,
Agree with James. If you use an internal Windows PKI issued CA and the client machine is non-client member, you need to install CA root certificate in the client machine. So I suggest you get another one from verisign and it will be trusted automatically by non-domain clients.
For more information, you can refer to the article ‘Understanding Digital Certificates and SSL’.
Hope this helps.
Thanks
June 13th, 2011 2:21am
This is mostly for Windows Mobile and iPhone devices that are already working on Exchange 2007 before we start the transition and which we are migrating to 2010. That tells me the root cert should already be installed. Am I right?
June 13th, 2011 12:09pm
If you were using internal PKI for 2007 then yes, the root cert would be there.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
June 13th, 2011 1:47pm
Actually we are using a commercial cert (not PKI) for Exchange 2007. Our management is asking if we can use a PKI cert for the legacy.domain.com space name and move the commercial one, activesync.domain.com, to Exchange 2010 during the transition without having to buy another commercial cert just for legacy.domain.com.
June 13th, 2011 3:17pm
I am just finishing up with something like this. All I did was add the alternate name of legacy.domain.com to my existing SAN cert. I use DigiCert and they re-issued me my certificate, I applied it to my 2007 box and to my 2010 boxes, made changes in DNS for those record changes and additions needed, updated the various web services external URLs for Exchange 2007 (OWA, OAB, etc...) with the legacy.domain.com and life so far is good.
I did originally have an issue with the first certificate they sent me about the intermediate certificate not being recognized or something like that, but I ran their repair util and rebooted and that fixed that.
I used the www.testexchangeconnectivity.com website to test ActiveSync for users in either mailbox server (2010 users and 2007 users I have yet to migrate over).
June 13th, 2011 6:38pm
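The checks discussed in this thread (whether a certificate covers legacy.domain.com, and whether its chain, intermediates included, builds to a trusted root), as an added example that is not part of any post here. `Test-CasCertificate` is a hypothetical helper name; the code assumes PowerShell 2.0 or later on an English-locale Windows server and uses the thread's host names as sample input.

```powershell
# Added example (not from the thread). Test-CasCertificate is a hypothetical helper.
function Test-CasCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string[]] $RequiredNames
    )

    # Collect DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    # Assumption: English-locale formatting ("DNS Name=host").
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = @()
    if ($sanExt) {
        $names = @([regex]::Matches($sanExt.Format($true), 'DNS Name=(\S+)') |
                   ForEach-Object { $_.Groups[1].Value.ToLower() })
    }
    if ($names.Count -eq 0) {
        # No SAN extension: fall back to the subject's DNS name (the CN).
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
        $names = @($Certificate.GetNameInfo($nameType, $false).ToLower())
    }

    # A required name is covered by an exact entry or by a single-label wildcard.
    $missing = @($RequiredNames | Where-Object {
        $n = $_.ToLower()
        $wild = '*.' + ($n -replace '^[^.]+\.', '')
        -not (($names -contains $n) -or ($names -contains $wild))
    })

    # Build the chain against this machine's stores. Revocation checking is
    # turned off so the check runs offline; a missing intermediate or an
    # untrusted root shows up in ChainStatus.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $builds = $chain.Build($Certificate)

    New-Object PSObject -Property @{
        Subject      = $Certificate.Subject
        Issuer       = $Certificate.Issuer
        NotAfter     = $Certificate.NotAfter
        MissingNames = ($missing -join ', ')
        ChainBuilds  = $builds
        ChainStatus  = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Sample input: the host names used in this thread.
$required = 'legacy.domain.com', 'activesync.domain.com'
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-CasCertificate $_ $required }
```

The chain result reflects only the trust store of the machine the script runs on: a certificate from an internal PKI can build cleanly on a domain-joined server and still fail on a device that lacks the root.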
What Tanskter did is what most people do. Yes you can swap the legacy cert but you basically run into the same scenario as your original question.
James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
June 14th, 2011 12:47pm
Ok. We will go with another commercial cert since we don't have a SAN cert to begin with.
June 15th, 2011 5:28pm