Renew third party
Hello,
I need to renew a third-party certificate (multi-domain / SAN) in my organization (Exchange 2007).
That certificate is installed on the ISA server and the HubCas (same thumbprint).
I generated a new CSR by running: New-ExchangeCertificate -GenerateRequest -Path C:\mail_company_com.csr -KeySize 2048 -SubjectName "CN=mail.company.com, OU=Exchser01, O=company, L=Paris, S=IDF, C=FR" -DomainName autodiscover.comp-any.com, autodiscover.company.com, mail.comp-any.com -PrivateKeyExportable $True
And I have submitted the CSR to my vendor to obtain a certificate.
As I have never done it before, I would like to be sure about the next steps...
So, shall I import the CSR after the certificate is returned from the CA and run the command below?
Import-ExchangeCertificate -Path "C:\mail_company_com.csr"
And then enable it:
Enable-ExchangeCertificate -Thumbprint 51dfkjhw92342910912nmkj2300i1 -Services "IMAP, POP, IIS, SMTP"
--> How do I proceed on the ISA server (ISA 2006)? Shall I export the certificate from the HubCas and import it onto the ISA?
Many thanks,
Graig
January 7th, 2011 3:25am
Here is a good video on this topic:
http://www.msexchange.org/articles_tutorials/videos/exchange-server-2010/video-certificate-wizard-Exchange-2010.html
Dhruv
January 7th, 2011 3:57am
I have seen that video, and I understand that the import and enable should be run from the EMS... I am not using 2010 and can't use the EMC.
I am still not quite sure about the manipulation on the ISA server. The thumbprint is the same on the HubCas and the ISA. I wonder how that certificate will be updated? Would that come from an export of that HubCas certificate using the MMC, and then an import of that certificate, still using the MMC, on the ISA server?
January 7th, 2011 7:56am
I would like to add that I did the CSR creation on the HubCas and obtained the certificate from my vendor.
I will then import and enable that certificate on the HubCas.
I wonder where else that certificate should be "installed". I saw, before renewing my third-party certificate, that my ISA server has the same thumbprint as my HubCas.
-> So I now wonder whether, after installing my certificate on the HubCas, I should export it and import it on the ISA server?
-> Shall I renew or import anything on the Edge server?
Many thanks in advance,
Graig
January 11th, 2011 3:24am
Hi Graig,
Make sure you have installed SP1 for ISA 2006 first; it supports multiple SANs:
ISA Server 2006 Service Pack 1 Features
http://blogs.technet.com/b/isablog/archive/2008/05/23/isa-server-2006-service-pack-1-features.aspx
Then you can use the Export-ExchangeCertificate cmdlet to export the certificate to a .pfx file:
Export-ExchangeCertificate
http://technet.microsoft.com/en-us/library/aa996305(EXCHG.80).aspx
After that, you can import the certificate to the ISA server. For details, please see:
Publishing Exchange Server 2007 with ISA Server 2006
http://technet.microsoft.com/en-us/library/bb794751.aspx
You don't need to import the certificate to the Edge server; make sure the self-signed certificate on the Edge is not expired. If there are error events about EdgeSync, please re-subscribe the Edge.
January 11th, 2011 9:41pm
Hello Frank,
Thank you for your input.
-> In fact the multiple-FQDN SAN certificate was already installed last year. So I guess the renewal should not interfere with the ISA server.
-> Once I have run Import-ExchangeCertificate -Path "C:\mail_company_com.csr" and Enable-ExchangeCertificate -Thumbprint 51897429nmnxxxxx -Services "IMAP, POP, IIS, SMTP" from HUBCAS1, could I export the certificate using the MMC console? Shall I then install it on the other HubCas (HUBCAS2) as well?
The Edge server certificate will expire in March, so it is OK!
The last thing I have noticed is that the certificate on the mailbox server has the same thumbprint as the HubCas and ISA ones. So does renewing the third-party certificate imply importing the certificate onto the mailbox servers as well, or not?
--> I did find loads of useful information on the Internet, but not much about the order, or about on which servers the certificate should be imported and on which ones it should be installed. If you know of an article that I haven't seen yet, please pass me the information.
Many thanks,
Graig
January 12th, 2011 10:51am
I have done the manipulation.
I ran: Import-ExchangeCertificate -Path c:\mycert.crt
Then I exported that certificate with the public key and installed it on the other HubCas and on the ISA server (on the ISA server you have to change the listener port, and I had to install a KB because of my French interface:
http://support.microsoft.com/kb/982181 )
After you have imported your certificate you should enable it on both HubCas servers:
Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxxxxxx -Services "IMAP, POP, IIS, SMTP"
and remove the prior certificate.
That is it.
Graig
January 19th, 2011 4:30am
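The procedure Frank outlined and Graig finally ran (import the CA-signed file on the HubCas that generated the CSR, enable services, export with the private key for the second HubCas and the ISA listener, then retire the old certificate) as one Exchange 2007 Management Shell script. This is an added example and not code from the thread; the file paths, the HUBCAS2 name and the PFX password prompt are assumptions. It uses the Exchange 2007 parameter names (Import-ExchangeCertificate -Path; Exchange 2010 changed that to -FileData), and adds the checks a practitioner wants before touching bindings: the imported certificate must carry a private key (proof it paired with the pending request on this server) and must cover every published name.

```powershell
# Added example (not from the original thread): renewing a third-party SAN certificate
# on Exchange 2007 from the Exchange Management Shell. Paths, the HUBCAS2 name and the
# password prompt are assumptions for illustration.

# --- On HUBCAS1, the server where New-ExchangeCertificate -GenerateRequest was run,
# --- because that is where the private key of the pending request lives.

# 1. Import the signed certificate the CA returned (.cer/.crt), NOT the .csr you sent them.
#    The cmdlet returns the X509Certificate2 object, so capture the new thumbprint from it.
$newCert  = Import-ExchangeCertificate -Path "C:\mail_company_com.cer"
$newThumb = $newCert.Thumbprint

# 2. Sanity checks before binding anything.
#    No private key means the CSR was generated elsewhere or the pending request was deleted;
#    enabling such a certificate would break IIS/SMTP TLS rather than renew it.
if (-not $newCert.HasPrivateKey) {
    throw "Certificate $newThumb has no private key on this server; import it where the CSR was created."
}
# Every name clients and ISA publish must be in the SAN list (names from the thread's CSR).
$required = @("mail.company.com", "autodiscover.company.com",
              "mail.comp-any.com", "autodiscover.comp-any.com")
$exchCert = Get-ExchangeCertificate -Thumbprint $newThumb
$missing  = $required | Where-Object { $exchCert.CertificateDomains -notcontains $_ }
if ($missing) {
    throw "Certificate does not cover: $($missing -join ', ')"
}

# 3. Remember the certificate being replaced: same subject, different thumbprint, bound to IIS.
$oldCerts = Get-ExchangeCertificate | Where-Object {
    $_.Subject -eq $newCert.Subject -and
    $_.Thumbprint -ne $newThumb -and
    "$($_.Services)" -like "*IIS*"
}

# 4. Bind the new certificate to the client-facing services (same set the thread used).
Enable-ExchangeCertificate -Thumbprint $newThumb -Services "IMAP, POP, IIS, SMTP"

# 5. Export WITH the private key for HUBCAS2 and the ISA web listener. PFX requires binary
#    encoding. Use a one-off password and delete the .pfx once both imports have succeeded:
#    that file is the private key of your published mail name.
$pfxPassword = Read-Host "PFX password" -AsSecureString
Export-ExchangeCertificate -Thumbprint $newThumb -BinaryEncoded:$true `
    -Path "C:\mail_company_com.pfx" -Password $pfxPassword

# 6. Verify what is now bound; the thumbprint shown here is the one that must appear on
#    HUBCAS2 and on the ISA listener after their imports.
Get-ExchangeCertificate -Thumbprint $newThumb |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotBefore, NotAfter

# --- On HUBCAS2, after copying the .pfx over (run these lines there, not on HUBCAS1):
# $pfxPassword = Read-Host "PFX password" -AsSecureString
# $cert = Import-ExchangeCertificate -Path "C:\mail_company_com.pfx" -Password $pfxPassword
# if (-not $cert.HasPrivateKey) { throw "PFX import did not bring the private key" }
# Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IMAP, POP, IIS, SMTP"

# 7. Last step, back on HUBCAS1 and only once HUBCAS2 and ISA are confirmed working:
#    remove the superseded certificate. Leaving both installed for a day costs nothing,
#    removing the old one too early breaks clients if a binding still points at it.
# $oldCerts | ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint }
```

On the ISA 2006 server the same .pfx is imported into the Local Computer Personal store with the Certificates MMC and then selected on the web listener that publishes Exchange, as the TechNet publishing article linked above describes; the thumbprint displayed there should match the one printed by step 6.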