With Exchange 2010 UCC SSL certificates expiring these days, I’ve created this
guide to save you time in solving every problem that gets in the way
of renewing the golden certificate.
In this guide (Renew Exchange 2010 UCC SSL certificate) there are new problems that you need to pay
attention to and a few Exchange 2010 server changes that you need to make.
Relax and let’s get started…
Open the Exchange Management Console and click Server Configuration.
The “Exchange Certificates” tab lists all Exchange server certificates.
Renew Exchange 2013 server certificate.
Right-click the certificate that you need to renew and click “Renew Exchange Certificate”.
Generating the certificate request (REQ file):
Click “Browse” to choose where to save the REQ file, then click “Renew”.
Generate GoDaddy UCC certificate.
Log in to your GoDaddy account and, under “SSL CERTIFICATES”, click Manage:
The certificate management options appear; click “Renew Certificate”.
Open the REQ file that you created above and copy and paste its content (including the Begin and End lines) into “Provide a certificate signing request (CSR)”.
The certificate renewal shows the error “SANs added” (over limit).
To generate the certificate successfully, you need to remove all internal addresses and leave the external addresses www, owa, autodiscover.
Click “Request Certificate”.
The UCC certificate verification process starts…
When the verification process is done, you can download the renewed certificate.
Extract the 2 certificate files, the CRT file and the P7B file.
.crt – security certificate
.p7b – PKCS #7 Certificates
Now go back to the Exchange server management console, right-click the pending CSR and click “Complete Pending Request”.
The Complete Pending Request wizard appears. Click “Browse” to import the .CER file, go to the extraction location and, in the file extension drop-down, select All Files (*.*).
Finally, click “Complete” to finish the import process.
When the process is complete, you need to assign the certificate to POP, IMAP, SMTP and IIS.
Right-click the certificate that you imported, click “Assign Services to Certificate” and complete the assign services wizard.
Okay… We’re done with the server’s certificate renewal.
Everything works great for users on external networks, but on the internal network it’s a different story (you also can’t access OWA or the WWW company web site).
You start to receive phone calls from users who get a Security Alert when opening Outlook.
Now you need to create two CNAME records (create the OWA record first, then Autodiscover) for access to OWA, and one WWW host record pointing to the external IP address where your company web site is hosted.
Add a “host” record to the domain.com zone that points to the external IP address, and clear the “Create associated pointer (PTR) record” check box. (Any record that exists in the external domain.com zone must also be added to the new DNS zone so that users can reach it from the internal network.)
You’re done creating the www, owa and autodiscover records.
Last but not least, you need to reconfigure the Microsoft Exchange server to use the Fully Qualified Domain Name.
Open the Exchange Management Shell and reconfigure the Autodiscover internal URL, Web Services internal URL, Offline Address Book internal URL, ActiveSync internal URL and OWA internal URL.
Enter these commands in the same order as below. (You can also change the internal URLs in Exchange Management Console > Server Configuration > Client Access.)
After you have done this successfully, you need to recycle the application pool in IIS Manager:
- Open IIS Manager.
- Expand the local computer, and then expand Application Pools.
- Right-click MSExchangeAutodiscoverAppPool, and then click Recycle
Now use the commands below to check that the internal URL and external URL are the same (both set to the external URL).
- Get-ClientAccessServer |fl identity,autodiscoverserviceinternaluri
- Get-WebServicesVirtualDirectory |fl identity,internalurl,externalurl
If the URLs are the same, your journey to the golden certificate has finished successfully.
You are done renewing the Exchange 2010 UCC SSL certificate.
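The reconfiguration, recycle and check steps above can be scripted as follows. This is an added example, not the original author's commands: the host names owa.domain.com and autodiscover.domain.com, the use of the local computer name as the server, and the "(Default Web Site)" virtual directory names are assumptions to replace with your own values. It also compares every internal URL host against the names on the certificate assigned to IIS, which is what decides whether Outlook shows the security alert.

```powershell
# Added example: run in the Exchange Management Shell on the Client Access server.
# Assumed values (not from the guide): replace with your own names.
$server   = $env:COMPUTERNAME
$owaHost  = 'owa.domain.com'            # external name kept on the renewed certificate
$autoHost = 'autodiscover.domain.com'   # external name kept on the renewed certificate

# 1. Point each internal URL at a name the renewed certificate still contains.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$autoHost/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$owaHost/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$owaHost/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$owaHost/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "https://$owaHost/owa"

# 2. Recycle the Autodiscover application pool so the new URI is served.
& "$env:windir\system32\inetsrv\appcmd.exe" recycle apppool /apppool.name:"MSExchangeAutodiscoverAppPool"

# 3. Collect the host name of every internal URL clients will be handed.
$urls  = @()
$urls += (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
$urls += (Get-WebServicesVirtualDirectory -Server $server).InternalUrl
$urls += (Get-OabVirtualDirectory -Server $server).InternalUrl
$urls += (Get-ActiveSyncVirtualDirectory -Server $server).InternalUrl
$urls += (Get-OwaVirtualDirectory -Server $server).InternalUrl
$hosts = $urls | Where-Object { $_ } |
    ForEach-Object { ([uri]"$_").Host } | Sort-Object -Unique

# 4. Compare those hosts with the names on the newest certificate assigned to IIS.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$sans = $cert.CertificateDomains | ForEach-Object { "$_" }

"Certificate $($cert.Thumbprint) expires $($cert.NotAfter)"
foreach ($h in $hosts) {
    if ($sans -contains $h) { "OK       $h" }
    else { "MISSING  $h is not on the certificate; internal clients will see a name warning" }
}
```

Any line reported as MISSING means an internal URL still points at a name that was removed from the certificate during renewal.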
Good luck and enjoy