SSL Cert Renewal w/Org Name Change
Hello,
We get our SSL certs from a central agency that deals with Verisign. The central agency changed their name, which changes the Organization Name on the cert. That prevents the cert from being imported by the server. On the advice of a Windows admin, I tried to fake it by creating a new site on that server, importing the new cert (all good), but then the new server won't start.
Is there a better way to get the new-org-named cert accepted by the original site?
Steve Kayner
Are you talking about changing your SMTP domain name? Or do you want to change the AD DS domain name? If you want to change/add the SMTP domain that your Exchange is using, just add the accepted domain that you wish to use.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Damir
Similar Messages
-
Exchange SSL cert renewal on SBS 2011
My SBS 2011 certificate was coming up for renewal. I followed the usual steps by requesting a new one (GoDaddy) using the SBS console. When I received the new certificate, I installed it and everything looked good. However, I get the following message in my daily report. I have a new certificate and it is installed via the console. How do I apply this certificate to the exchange portion?
MSExchange Web Services 25 7/26/2015 6:47:59 PM 1 Event Details: The Exchange certificate [Subject] CN=remote.company.com, OU=Domain Control Validated [Issuer] CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US [Serial Number] 27C233A90E9354 [Not Before] 7/28/2014 10:18:27 AM [Not After] 7/28/2015 10:18:27 AM [Thumbprint]...
This topic first appeared in the Spiceworks Community
Hi,
SBS 2011 Essentials is designed to host your e-mail outside your network on a hosted solution like Office 365. So if you want exchange functionality you need to configure your server to use office 365 or any other hosted exchange solution.
Here is some information: http://blogs.technet.com/b/sbs/archive/2011/06/30/sbs-2011-essentials-and-office-365-great-value-for-our-customers.aspx
So no exchange installed locally this would also not be supported, because if you want that you need to go for SBS 2011 standard, which includes a locally installed exchange server.
Ref: http://social.technet.microsoft.com/Forums/en-US/e6957002-70c2-4f62-8bcd-cf3f5ccbb600/exchange-2010-on-sbs-2011-essentials?forum=smallbusinessserver
-
NAC appliance: SSL certs renewal
Hello!
I have the following question:
SSL certificates are going to expire soon on my NAC Mgr, Srv and NGS. So after I generate new CSRs, will the existing certificates still be valid and used?
All systems are in production, and I don't have any testing environment to check, maybe someone has done it already.
If you use the same CSR that you generated for the original cert, then you just import the new cert and it will be replaced. I didn't try to generate a new cert as I wasn't sure if it would overwrite the old private key.
-
Changing SSL Cert, how do you update the trust profile for devices.
I am in the process of changing out the ssl cert for the trust profile (going from a self-signed to a signed cert). How do you update the trust profile on the devices already paired with the server.
-
Exchange Server Affected by SSL Certificate Organization Name Change
We recently underwent a name change of our company. We added a few new domain names for the new company to our Exchange Server 2007 and updated our address policy to include them and everything seemed to work okay for a while. We subsequently reissued the SSL Certificate for our Exchange Server under the new organization name (per the CA's recommendation). Shortly thereafter we experienced all sorts of issues necessitating a rebuild of our Exchange Server. Is there any dependency between the organization name in an SSL certificate and the organization name that Exchange Server stores its info under in Active Directory (which still had the old name) that would cause Exchange to go haywire?
Hi,
Please confirm whether you were creating a new domain in your AD or creating an accepted domain in Exchange server.
If you directly create an accepted domain in Exchange, the new domain would be considered authoritative when the Exchange organization hosts mailboxes for recipients in this SMTP domain. We don’t need to create a new Exchange certificate for this new accepted domain because the SRV records can be used to connect to Autodiscover service. And the Exchange services URLs are not changed and they can still be authenticated by the original certificate (mail.domain.com, autodiscover.domain.com).
Certainly, we can reissue a new Exchange certificate, please make sure the new Exchange certificate has included all needed namespaces for your Exchange server such as:
Mail.domain.com, autodiscover.domain.com, autodiscover.newdomain.com
We can also run Get-ExchangeCertificate | fl to check it.
Regards,
Winnie Liang
TechNet Community Support
-
How to validate SSL cert on ASA5510, before changing DNS?
I have recently installed an SSL certificate from a third party CA (GoDaddy) into an ASA5510 that I will be using as a VPN appliance for AnyConnect clients.
The ASA is going to replace our VPN server, which currently has the vpn.domain.com FQDN assigned to its IP address in public DNS.
Is there a way for me to properly validate that the SSL cert will work without any issues (i.e. no invalid error messages popping up on users' AnyConnect clients) from the Internet, before I cut over public DNS to point to the public facing interface on the ASA5510 which is where vpn.company.com will ultimately be pointing to?
Put vpn.domain.com in your local PC hosts file with the new IP. Then try Anyconnect.
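The hosts-file test above, and the namespace check suggested in the Exchange reply earlier on this page, can also be scripted: handshake with the new IP address while validating the chain and name as the production host name, then list any required names the certificate does not cover. This is an added example, not code from any poster; the address 203.0.113.10, the required-name list and the sample certificate dictionary are constructed placeholders.

```python
import socket
import ssl


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a host name.

    A wildcard is honoured only as the whole left-most label, so
    "*.domain.com" covers "vpn.domain.com" but neither "a.b.domain.com"
    nor "domain.com".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_dns_names(cert: dict) -> list:
    """DNS names from a dict shaped like SSLSocket.getpeercert().

    subjectAltName entries are used when present; the subject CN is
    only a fallback for certificates that carry no SAN DNS entries.
    """
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def uncovered(cert: dict, required: list) -> list:
    """Return the required host names that no certificate name covers."""
    names = cert_dns_names(cert)
    return [h for h in required
            if not any(name_matches(n, h) for n in names)]


def fetch_cert(ip: str, hostname: str, port: int = 443,
               timeout: float = 5.0) -> dict:
    """Handshake with `ip` but validate chain and name as `hostname`.

    Raises ssl.SSLCertVerificationError on an untrusted chain, an
    expired certificate or a name mismatch.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.domain.com"),),),
    "subjectAltName": (("DNS", "mail.domain.com"),
                       ("DNS", "autodiscover.domain.com")),
}

if __name__ == "__main__":
    required = ["mail.domain.com", "autodiscover.domain.com",
                "autodiscover.newdomain.com"]
    print("not covered:", uncovered(SAMPLE_CERT, required))
    # Live check before the DNS change (placeholder address):
    # cert = fetch_cert("203.0.113.10", "vpn.domain.com")
    # print("not covered:", uncovered(cert, ["vpn.domain.com"]))
```

The script validates against the trust store Python uses on the machine it runs on, which may differ from the store the AnyConnect or Outlook client consults.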
-
Exchange 2007 - Outlook Anywhere problems after installing new SSL cert
*** Original thread posted on wrong forum ***
Hi all,
Exchange 2007 environment (2x CAS, ISA2006). Not much familiar with Exchange.
Problem: 20-odd machines off the domain use Outlook Anywhere (XP with Outlook 2010). Authentication pop-up and not able to connect.
Company has recently changed its name and we had to renew the SSL cert. Previous SSL cert. was issued to: webmail.oldcompname.co.uk (several SANs on that cert., including internal server names).
Applied for a new UCC SSL cert issued to: newcompanyname.com (also includes webmail.newcompanyname.com ; autodiscover.newcompanyname.com + old SANs).
The setting on those machines point the proxy to the following:
Https://webmail.oldcompname.co.uk (which is fine since it is in the cert and can be accessed)
Only connect to proxy servers that have this principal name in their cert.:
msstd:webmail.oldcompname.co.uk (I believe this is the problem since the new UCC SSL cert. was issued to newcompanyname.com).
Browsing technet + internet it seems that I need to look into OutlookProvider EXPR.
When I run Get-OutlookProvider everything is blank (I believe I should be concerned to EXPR only for Outlook Anywhere).
I am thinking of running: Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:newcomanyname.com
My only concern is whether this might break something else in the Exchange environment, especially as we have 100+ users on smartphones connecting via SSL on webmail.oldcompname.co.uk
Is it safe to run this command? Do I need to re-start IIS? Do I need to look into any settings on ISA2006?
Comments/help are much appreciated.
Regards
Hi,
According to the description, I found that we re-new a SSL certificate.
"I am thinking of running: Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:newcomanyname.com"
Just do it. Then remove the old certificate on ISA server and install a new one.
Found a similar thread for your reference:
Renewal of SSL certificate in exchange 2007 with ISA 2006
http://social.technet.microsoft.com/Forums/exchange/en-US/25770038-8491-470a-92fa-8ae50674b7a6/renewal-of-ssl-certificate-in-exchange-2007-with-isa-2006
Hope it is helpful
Thanks
Mavis
Mavis Huang
TechNet Community Support
-
Remote Desktop Services Single SSL Cert with multiple hosts
I am trying to use a single SSL Cert from a third party issuer. I have 3 servers in my deployment, all are 2012R2. One contains the RD Web Access role, RD Gateway role, RD Licensing role, and RD Connection Broker role. The other 2 are RD Session Hosts. I have the SSL cert for the server that has the Gateway and other roles. My deployment is primarily focused on deploying RemoteApp to Windows 8 Thin clients with GPO through the default URL. It works currently with the exception that the user gets a certificate mismatch error because it is seeing the cert for the gateway server but is connecting to the host servers so the names don't match. Is anyone else using a similar setup and had success with it? I am trying to avoid buying an expensive wildcard cert to cover all of them.
Hi,
Please verify that the .rdp file embedded in the RDWeb IE page matches the same one from RADC. To do this, log on to RD Web Access using IE, right-click and choose View Source. Find the goRDP function for the icon you want to examine and copy the text between the ' marks. Next paste this into the escape text box on the below page:
http://www.web-code.org/coding-tools/javascript-escape-unescape-converter-tool.html
Click complete unescape to get the plain text version. After that you can select all of the text in the clear text box, paste it into a blank Notepad window, then save as a .rdp file. Once you have the .rdp file created you can compare it to the other ones and see if any of the names are different, see if it gets the certificate error as well when you double-click it, etc.
Do you have any proxy or other non-default network configuration on your Windows 8 embedded clients?
Thanks.
-TP
-
How to get OS X to accept an SSL Cert the way other UNIX clients do?
I'm hoping some of the network gurus can suggest a solution for me. My current config is 10.5.4 on PPC.
I have a host that I need to connect to using SSL but their certificate has a host name mismatch (they are a small org, and can't afford another SSL cert for the moment). I know the cert is valid, so I'm not worried about the security implications of using it.
On other *NIX clients, I simply have to add the cert into the root chain (e.g. /etc/ssl/certs/ca-certificates.crt), restart the application, and all apps will then accept it as valid.
On OS X, I've imported the cert into Keychain Access, marked it as "Always Trusted" and set up a policy to "alias" it to the URL I need to access with my application (not a web browser) (ref: KB article: HT1679) in both the login and the System keychains, yet the client application still errors out and refuses to connect to the URL.
How can I configure client SSL on OS X to work like other UNIX configurations? There doesn't seem to be a way to override the extremely restricted behavior.
I have MacPorts installed and am open to an application specific "hack" if necessary, ala "LDLIBRARYPATH", if anyone thinks that's feasible (which is what I am looking at now). Conceivably I could recompile the client application since it's OSS, though I'd rather avoid that if possible.
Any suggestions would be appreciated.
Thanks in advance--
=N=
When you connect with a web browser to an https site that has a mismatched cert it warns you and you have to tell the browser to ignore the security issue to let you carry on.
What unix apps are you using to connect to this server?
-
SSL cert error on exchange 2013.
Hi,
Can I please have some help to avoid the following two error messages that appear on opening Outlook 2013 on Windows 7 connected directly to the Server 2012 domain.
Godaddy SSL cert is installed on mail.domain.com and firewall forwarding is properly setup.
There is NO error message if we connect through outlook (AnyWhere) on a system which is not part of the domain and connecting from outside.
Error Box 1
Security Alert
servername.localdomain.local
Information you exchange with this site cannot be viewed or changed...................
The security certificate is from a trusted certifying authority.
The security certificate date is valid
X The name on the security certificate is invalid or does not match the name of the site....
Error box 2
Microsoft Outlook
There is a problem with the proxy server's security certificate.
The name on the security certificate is invalid or does not match the name of the target site servername.localdomain.local
Outlook is unable to connect to the proxy server. (Error Code 10)
Any quick help will be highly appreciated!
Many thanks
Hi,
Are you using a Single domain cert by GoDaddy? If that's the case, we cannot add more than one domain to your cert. I believe you have added the outlook anywhere domain name to your cert since your outlook anywhere connection is prompting any errors.
You have two options, one is purchase a UCC Cert and add all URL's required or Please have a look on these below Virtual Directories on the exchange server and modify the the URL's so you will not get the Cert errors.
use the shell to view the internal and external URL's,
Get-ActiveSyncVirtualDirectory | fl internalurl,externalurl
Get-AutoDiscoverVirtualDirectory | fl internalurl,externalurl
Get-ECPVirtualDirectory | fl internalurl,externalurl
Get-OabVirtualDirectory | fl internalurl,externalurl
Get-WebServicesVirtualDirectory | fl internalurl,externalurl
Change all your internal URL's similar to the external URL's, use the Set command as the example below.
Get-AutodiscoverVirtualDirectory -server EXCHANGE | Set-AutodiscoverVirtualDirectory -ExternalUrl 'https://mail.domain.com/Autodiscover/Autodiscover.xml'
Make sure all your servername.localdomain.local URL's are changed to match primary certificate name.
Regards
Boniface
-
Why was my GoDaddy SSL Cert "Not from a Recognized Authority"
I've seen many reports here of people experiencing problems installing and renewing SS Certificates in OS X Server.
In my case a simple Certificate renewal turned into a Very Worrying Episode as the new certificate was "Not from a recognised authority" according to OS X Server 3.1.2 on Mavericks. Email clients could not log in etc. etc. without being told the server was insecure.
I tried several times to renew the certificate. Last year's was from GoDaddy and we had no problems. This year was not straightforward and has wasted 8 or so hours of my life.
This is of course only anecdotal, but it seems that OS X Server cannot properly install SSL Certificates generated from SHA-2 but can from SHA-1. SHA-2 is the default at GoDaddy now (SHA-1 can be chosen) as SHA-1 Certificates will no longer be created or accepted as standard in 18 months or so's time.
My solution was to generate an SHA-1 Certificate from my GoDaddy account.
All the necessary Root and Intermediate Certificates seemed to be in place but OS X Server could not correctly link up all the Certificates in the SHA-2 chain.
@heinzfromconcord were you replacing a Cert with the same name by any chance? (i.e. Were you renewing an SHA-1 Cert with an SHA-2 Cert perhaps). I have absolutely no idea whether this matters or not but can only assume that not everyone is suffering this problem as there are so few forum posts about it. I am trying to gather diagnostic information to pass on to the Apple Engineers who replied "cannot reproduce" to my bug report.
-
WLC Virtual Interface config for a public SSL cert for Web Authentication
I'm trying to get a cert loaded on my 5508 WLC running 7.6.130.0 so when a Web-Auth user tries to authenticate they don't get the SSL cert error.
In the document "Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC", Document ID: 109597, it states the following:
"Note: It is important that you provide the correct Common Name. Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP on the WLC and that the name exists in the DNS as well. Also, after you make the change to the VIP interface, you must reboot the system in order for this change to take effect."
Here are my questions.
1. I have always had 1.1.1.1 as the address of the Virtual interface, should that change or can I leave it as 1.1.1.1?
2. In the "DNS Host Name" Field do I simply put the domain or the FQDN? Example. Company.com or hostname.company.com
Hi,
1) You can change that if you want. Normally it is non-Public and non-routable in your network.
2) Put the Host name for which you are going to give in your company DNS server where that Host name would be mapped to the Virtual ip address.
Regards
Dhiresh
** Please rate helpful posts**
-
We have a Certificate Authority (Version: 5.2.3790.3959) configured on Windows 2003 R2 server in our environment. How do I generate an SSL cert with a stronger signature algorithm such as SHA1 or SHA2?
Currently I am only able to generate SSL cert with md5RSA.
Hi,
Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
Therefore, you need to build a new CA to use a new algorithm.
More information for you:
Is it possible to change the hash algorithm when I renew the Root CA
http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
Changing public key algorithm of a CA certificate
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
modify CA configuration after Migration
http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
Best Regards,
Amy Wang
-
2012R2 RDS SSL Cert mismatch Issue on alternate port
Hi, I am trying to setup RDS on 2012R2. I only have a single public IP and I already have 443 SSL sent to the Exchange server using a GoDaddy cert for that. I've got another GoDaddy cert for RDS that's running on a stand alone server. I have changed the RD Gateway to use port 444 for https. I've added a firewall rule to send 444 to my TS. I can hit https://url:444/rdweb fine - no certificate error, it picks up the correct cert. I can login fine. I try to run a remote app, provide domain creds and then it errors with:
Your computer can’t connect to the remote computer because the Remote Desktop Gateway servers address requested and the certificate subject name do not match. Contact your network administrator for assistance
So it appears at the point of launching the app that it's reverting back to 443 and picking up my exchange SSL cert instead....
This topic first appeared in the Spiceworks Community
-
GoDaddy SSL Cert Signed by Unknown Authority
At my school we have one Apple server which we recently upgraded to 10.5. We're using it to run a blog for teachers. We switched the site to use SSL and purchased a GoDaddy SSL cert (the wildcard type). The common name on the certificate I created in Server Admin is for *.e-lcds.org, this is the same common name I gave to GoDaddy in the CSR.
I received both the certificate and the intermediate certificate from GoDaddy and installed both. Server Admin now says that the site is signed correctly by GoDaddy. The intermediate certificate (looking at Keychain Access) is not signed correctly though according to the server. The error is "This certificate was signed by an unknown authority"
In the process of originally trying to figure out SSL certs I deleted all of the GoDaddy ones which I (thought) had added to start with a new one and have it re-keyed (which worked). I unfortunately may have deleted whatever certs need to be installed to verify the intermediate cert from GoDaddy. Is there a way to re-add these? Or is this another issue altogether?
Thanks in advance,
-MRCUR
I ended up wiping the server since we switched its roles with a Linux box. I'm now using the GoDaddy SSL cert on the Linux box and the XServe.