November 13, 2018


Renew Exchange 2010 UCC SSL certificate.

These days many Exchange 2010 UCC SSL certificates are expiring, so I've created this guide to save you time solving every problem that gets in the way of renewing the golden certificate.

In this guide (Renew Exchange 2010 UCC SSL certificate) there are a few new problems you need to pay attention to and a few Exchange 2010 server changes you need to make.

Relax and let’s get Started….

Step 1

Open Exchange Management Console and click Server Configuration.

In the "Exchange Certificates" tab there is a list of all the Exchange server certificates.

Note: when an Exchange certificate is about to expire, it is shown with a yellow triangle.

In the Event Viewer an MSExchangeTransport error with event ID 12018 is present:

“The STARTTLS certificate will expire soon: subject: , thumbprint: : 61. Run the New-ExchangeCertificate cmdlet to create a new certificate.”


Right-click the certificate that you need to renew and click "Renew Exchange Certificate".

Step 2

Generating the certificate request (REQ file):

Click "Browse" to choose where to save the REQ file, then click "Renew".

After the CSR is generated, open the REQ file with Notepad; the content of the CSR sits between the BEGIN and END lines:

-----BEGIN NEW CERTIFICATE REQUEST-----

-----END NEW CERTIFICATE REQUEST-----

The pending CSR now appears in the Exchange certificates list.

Step 3

Generate the GoDaddy UCC certificate.

Log in to your GoDaddy account, go to "SSL Certificates" and click "Manage":

The certificate management options appear; click "Renew Certificate".

Open the REQ file that you created above and paste the content of the file (including the BEGIN and END lines) into "Provide a certificate signing request (CSR)".

The certificate renewal shows the error "SANs added" (over limit).

Note: GoDaddy only accepts fully qualified public domain names (FQDNs), which means internal addresses are not allowed in the certificate.

To support the internal addresses you need to reconfigure the server to use the FQDN.

Later in this guide I will explain how to keep internal OWA and Autodiscover working with the FQDN by using a split DNS zone.

To generate the certificate successfully, remove all the internal addresses and leave only the external addresses: www, owa and autodiscover.

Click "Request Certificate".

The UCC certificate verification process starts…

When the verification process is done, you can download the renewed certificate.

Step 4

Extract the two certificate files, the CRT file and the P7B file.

.crt – security certificate

.p7b – PKCS #7 Certificates

Now go back to the Exchange Management Console, right-click the pending CSR and click "Complete Pending Request".

The Complete Pending Request wizard appears; click "Browse" to import the .cer/.crt file: go to the extraction location and change the file-extension drop-down to All Files (*.*) so the extracted file is listed.

Finally, click "Complete" to finish the import.

When the process completes you need to assign the certificate to the POP, IMAP, SMTP and IIS services.

Right-click the certificate you imported, choose "Assign Services to Certificate" and complete the wizard.

Okay … We’re done with the server’s certificate renewal.

Everything works great for users on external networks, but on the internal network it's a different story (you also can't reach OWA or the company's www web site).

You start to receive phone calls from users who get a security alert when opening Outlook.

Note: To fix this problem follow these steps (it's very easy): first, we need a split DNS zone so that the external names resolve to the internal addresses; second, we need to update the IIS virtual directories so that the internal URLs use the external names.

Step 5

Open DNS Manager, right-click "Forward Lookup Zones" and click New Zone; the New Zone wizard appears.

<Domain.com> is your external domain name.

The <domain.com> zone is created.

Step 6

Now you need to create two CNAME records (create the OWA record first, then Autodiscover) for access to OWA, and one WWW host record pointing at the external IP address where your company web site is hosted.

Add a "host" record to the domain.com zone pointing to the external IP address and clear the "Create associated pointer (PTR) record" check box. (Every record in the external domain.com zone must be added to the new internal zone, otherwise users on the internal network can no longer reach those names.)

Add a "WWW" record to the domain.com zone pointing to the external IP address.

Add an "OWA" record to the domain.com zone pointing to your internal Exchange server.

Browse to the domain.lan host name of the Exchange server.

Add an "autodiscover" record to the domain.com zone pointing to owa.domain.com.

You're done creating the www, owa and autodiscover records.

Note: you still don't have access via the OWA external address; to make it work you need to reconfigure the Exchange server to use the FQDN.

Last but not least, you need to reconfigure Microsoft Exchange Server to use the fully qualified domain name.
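As an added example (not part of the original post and not a Microsoft or GoDaddy script), the PowerShell below turns the Step 5 and Step 6 rules into a reviewable list of DnsServer cmdlet lines: every public record is copied into the internal domain.com zone without a PTR, owa is pointed at the internal Exchange host, and autodiscover becomes a CNAME to owa. The sample public records, the IP addresses and the host names are constructed, the "Domain" replication scope is an assumption, and nothing is executed: the output is meant to be checked and then run on the internal DNS server, which needs the DnsServer module (Windows Server 2012 or later).

```powershell
# Added example: plan the internal (split DNS) copy of the public zone.
# Nothing here touches DNS; it only prints the commands to review and run.

function New-SplitDnsPlan {
    param(
        [Parameter(Mandatory)][string]$Zone,                  # public zone, e.g. domain.com
        [Parameter(Mandatory)][string]$InternalExchangeHost,  # e.g. exchange.domain.lan
        [Parameter(Mandatory)][object[]]$PublicRecords        # objects with Name, Type, Data
    )
    # Replication scope "Domain" is an assumption; pick what fits your AD/DNS design.
    $plan = @("Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain")

    # Names whose internal answer must differ from the public one (Step 6).
    $overrides = @{
        'owa'          = $InternalExchangeHost   # internal clients go straight to the Exchange box
        'autodiscover' = "owa.$Zone"             # autodiscover follows owa
    }

    foreach ($r in $PublicRecords) {
        $name = $r.Name.ToLowerInvariant()
        if ($overrides.ContainsKey($name)) {
            $plan += "Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $name -HostNameAlias $($overrides[$name])"
            $overrides.Remove($name)
        }
        elseif ($r.Type -eq 'A') {
            # -CreatePtr is deliberately omitted: no PTR for public addresses in the internal zone
            $plan += "Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name -IPv4Address $($r.Data)"
        }
        elseif ($r.Type -eq 'CNAME') {
            $plan += "Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $name -HostNameAlias $($r.Data)"
        }
        else {
            # Anything not copied stops resolving internally once the zone exists, so flag it.
            $plan += "# TODO: copy $($r.Type) record '$name' -> $($r.Data) by hand"
        }
    }

    # owa and autodiscover must exist internally even if the public zone has no such record.
    foreach ($name in @($overrides.Keys)) {
        $plan += "Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $name -HostNameAlias $($overrides[$name])"
    }
    return $plan
}

# Constructed sample of the public zone as seen from the Internet.
$publicRecords = @(
    [pscustomobject]@{ Name = 'www';          Type = 'A';     Data = '203.0.113.10' }
    [pscustomobject]@{ Name = 'owa';          Type = 'A';     Data = '203.0.113.20' }
    [pscustomobject]@{ Name = 'autodiscover'; Type = 'CNAME'; Data = 'owa.domain.com' }
    [pscustomobject]@{ Name = '@';            Type = 'MX';    Data = 'owa.domain.com' }
)

New-SplitDnsPlan -Zone 'domain.com' -InternalExchangeHost 'exchange.domain.lan' -PublicRecords $publicRecords
```

The output for the sample is one zone-creation line, an A record for www, two CNAME lines for owa and autodiscover, and a TODO line for the MX record, which makes the Step 6 caveat visible: every public record you do not copy disappears for internal users the moment the internal domain.com zone exists.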

Step 7

Open the Exchange Management Shell and reconfigure the Autodiscover internal URI and the Web Services, Offline Address Book, ActiveSync, ECP and OWA internal URLs.

Enter these commands in the same order as below. (You can also change them in the Exchange Management Console > Server Configuration > Client Access by editing the internal URLs.) <ServerName> is the name of your Client Access server.

Set-ClientAccessServer -Identity <ServerName> -AutodiscoverServiceInternalUri https://owa.domain.com/autodiscover/autodiscover.xml

Set-OWAVirtualDirectory -Identity "\owa (default web site)" -InternalURL https://owa.domain.com/owa

Set-OABVirtualDirectory -Identity "\oab (default web site)" -InternalURL https://owa.domain.com/oab

Set-ActiveSyncVirtualDirectory -Identity "\Microsoft-Server-ActiveSync (default web site)" -InternalURL https://owa.domain.com/Microsoft-Server-ActiveSync

Set-ECPVirtualDirectory -Identity "\ecp (default web site)" -InternalURL https://owa.domain.com/ecp

Set-WebServicesVirtualDirectory -Identity "\ews (default web site)" -InternalURL https://owa.domain.com/ews/exchange.asmx

After that has completed successfully, you need to recycle the application pool in IIS Manager:

  1. Open IIS Manager.
  2. Expand the local computer, and then expand Application Pools.
  3. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

Now check with the commands below that the InternalUrl and ExternalUrl are the same (the external URL).

  1. Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri
  2. Get-WebServicesVirtualDirectory |fl identity,internalurl,externalurl
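As an added example (not part of the original post and not Exchange's own code), the PowerShell below runs the same check over all the client access URLs at once and also explains why an internal name triggers the Outlook security alert: the host in each InternalUrl must be a public FQDN of the kind GoDaddy accepts in the UCC SAN list, it must actually appear on the renewed certificate, and it must match the ExternalUrl host. The virtual directory objects, the certificate SAN list and the list of internal DNS suffixes are constructed or assumed so the script runs offline; in production you pipe the real Get-*VirtualDirectory output into Test-ExchangeUrl.

```powershell
# Added example: verify Exchange client access URLs against the renewed UCC certificate.

function Test-PublicFqdn {
    # True when the name looks like something a public CA can put in a SAN:
    # at least two labels and not an internal-only suffix (assumed list).
    param([Parameter(Mandatory)][string]$HostName)
    $labels = $HostName.ToLowerInvariant().Split('.')
    if ($labels.Count -lt 2) { return $false }   # single-label name such as EXCHANGE
    $internalSuffixes = 'lan', 'local', 'internal', 'localdomain', 'corp', 'home'
    return -not ($internalSuffixes -contains $labels[-1])
}

function Test-CertificateCoversHost {
    # Exact match, or a single-label wildcard in the left-most position (RFC 6125 style).
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$DnsNames
    )
    foreach ($name in $DnsNames) {
        if ($name -ieq $HostName) { return $true }
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                     # ".domain.com"
            $hostLabels = $HostName.Split('.')
            if ($hostLabels.Count -ge 3 -and
                $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $true }
        }
    }
    return $false
}

function Test-ExchangeUrl {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Entry,          # Identity, InternalUrl, ExternalUrl
        [Parameter(Mandatory)][string[]]$CertificateDnsNames
    )
    process {
        $internalHost = ([uri]$Entry.InternalUrl).Host
        $externalHost = if ($Entry.ExternalUrl) { ([uri]$Entry.ExternalUrl).Host } else { $null }
        $problems = @()
        if (-not (Test-PublicFqdn $internalHost)) {
            $problems += 'internal host is not a public FQDN (GoDaddy rejects it in the SAN list)'
        }
        if (-not (Test-CertificateCoversHost $internalHost $CertificateDnsNames)) {
            $problems += 'internal host is not on the certificate (Outlook security alert)'
        }
        if ($externalHost -and ($internalHost -ine $externalHost)) {
            $problems += 'InternalUrl host differs from ExternalUrl host'
        }
        $status = if ($problems) { 'FIX' } else { 'OK' }
        [pscustomobject]@{
            Identity     = $Entry.Identity
            InternalHost = $internalHost
            ExternalHost = $externalHost
            Status       = $status
            Problems     = ($problems -join '; ')
        }
    }
}

# Constructed sample: the SANs left on the renewed GoDaddy UCC certificate after Step 3.
$certDnsNames = 'www.domain.com', 'owa.domain.com', 'autodiscover.domain.com'

# Constructed sample virtual directories: one still on domain.lan (before Step 7), one already
# reconfigured, and the Autodiscover URI mapped into the same shape. In production replace with:
#   Get-OwaVirtualDirectory, Get-WebServicesVirtualDirectory, Get-OabVirtualDirectory,
#   Get-ActiveSyncVirtualDirectory, Get-EcpVirtualDirectory | Select-Object Identity, InternalUrl, ExternalUrl
#   Get-ClientAccessServer | Select-Object Identity,
#       @{ n = 'InternalUrl'; e = { $_.AutodiscoverServiceInternalUri } }, @{ n = 'ExternalUrl'; e = { $null } }
$sample = @(
    [pscustomobject]@{ Identity = 'EXCHANGE\owa (Default Web Site)'; InternalUrl = 'https://exchange.domain.lan/owa';           ExternalUrl = 'https://owa.domain.com/owa' }
    [pscustomobject]@{ Identity = 'EXCHANGE\EWS (Default Web Site)'; InternalUrl = 'https://owa.domain.com/ews/exchange.asmx'; ExternalUrl = 'https://owa.domain.com/ews/exchange.asmx' }
    [pscustomobject]@{ Identity = 'EXCHANGE';                         InternalUrl = 'https://EXCHANGE/autodiscover/autodiscover.xml'; ExternalUrl = $null }
)

$sample | Test-ExchangeUrl -CertificateDnsNames $certDnsNames | Format-Table -AutoSize
```

With the sample data the owa and Autodiscover rows come back as FIX (internal names that are not on the certificate, which is exactly what produces the security alert in Outlook) and the EWS row as OK; once every row is OK the two commands above will show matching URLs.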

If the URLs are the same, your journey to the golden certificate has finished successfully.

You have renewed the Exchange 2010 UCC SSL certificate.

Good luck and enjoy

Useful links:

Check the Autodiscover link – http://autodiscover./autodiscover/autodiscover.xml

Check ActiveSync connectivity – https://testconnectivity.microsoft.com/
