SSL certificate renewal

I need to update the SSL certificates on two domains hosted on my OS X 10.5.8 server. It appears that renewal cannot happen in Server Admin.
After extensive web reading, I find that under 10.4 you had to use both Server Admin and Keychain Access to accomplish the renewal. Here are the official Apple instructions:
http://support.apple.com/kb/TA24487?viewlocale=en_US
Is this the same in 10.5?
My problem is that I only have access via SSH to my server and thus cannot run Keychain Access as a GUI. I found that the terminal command 'security' can do much of this, but its man page is highly cryptic and I fear for my certs as I try this. Any help with the usage of 'security' to achieve export of a domain's certs, deletion, and importation as per the above instructions?
What if, using 'Server Admin', I delete the domain certificate before I request and reinstall the new one? This would leave a small hole of uncovered access, but I can live with that. But I don't want to do this only to find out that the Keychain Access app is going to throw a fit.
Any help from someone who has done this successfully would be appreciated. Thanks.

To renew your SSL certificate, you can do one of two things:
1) Use your existing CSR to acquire your new certificate.
2) Generate a new CSR to acquire your new certificate.
If you choose to use your existing CSR, you will need to know which keystore file you are currently using and the password you assigned to that keystore file.
Here are the steps to find out which keystore file you are currently using:
1) Login to the PostX Administration Console (GUI)
2) Click on the Configuration tab.
3) Navigate to Web Servers and Proxies > Web Server Config > Connection Listeners > HTTPS (SSL) Connection Listener.
4) You should see a keystore file field. This will display the path to the keystore file you are currently using.
If you do not remember the password to your current keystore file, we strongly suggest that you create a new CSR.
To generate a new Certificate Request (CSR):
1) Login to the PostX Administration Console (GUI)
2) Click on the Keys and Certificates tab
3) Click on SSL Setup and select Get Certificate Request
4) Fill out the form and hit submit. Your new CSR will be generated in a text box on the page.
5) Copy and paste the CSR onto a local text file which you can then send to your CA of choice.
For more information on the SSL certificate process as well as importing the certificate please refer to our Knowledge Base article 845 at http://tinyurl.com/2n6qru.

Similar Messages

  • SSL certificates renewal

    Hello,
    We have two loadbalanced messaging servers and SSL enabled for POP3/IMAP and SMTP. Our certificates are about to expire and need a renewal. I haven't found a renewal procedure in the official Sun documentation for this particular case. As far as I have learned, the CSR needs to be generated again (from one of the two physical servers) for both the popimap and Server-Cert certificates. Only two certificates are needed (popimap and Server-Cert) and not a certificate per physical server. The new certificates should be imported to one of the servers and the certificate database copied to the other one (with the -A option to the certutil command). Could you please confirm this? Please advise.
    Thank you and
    BR,
    Senka

    senka wrote:
    We have two loadbalanced messaging servers and SSL enabled for POP3/IMAP and SMTP.What version of Messaging Server are you running (./imsimta version)?
    Our certificates are about to expire and need a renewal. I havent found a renewal procedure in the official sun documentation for this particular case.
    As far as I have learned, the CSR needs to be generated again (from one of the two physical servers) for both the popimap and Server-Cert certificates.Why are you using two certificates?
    Only two certificates are needed (popimap and Server-Cert) and not a certificate per physical server.A certificate is needed for each "host" that the client will see. So if the client connects to "mail.mydomain.com" which translates the load-balanced front-end IP address, then you will need a certificate for "mail.mydomain.com".
    The new certificates should be imported to one of the servers and the certificate database copied to the other one.I suggest you use the same process to keep the certificate database files in sync that you used to install the certificates in the first place.
    Regards,
    Shane.

  • Exchange 2007 Webmail certificate Renewal

    Hi,
    If anyone knows more details about how to renew the webmail certificate in Exchange 2007, please share. The webmail certificate is going to expire soon ... EventID 12018

    You can use powershell cmdlet Import-ExchangeCertificate to renew the certificate.
    To enable the certificate, execute Enable-ExchangeCertificate -Services IMAP,POP,IIS,SMTP -Thumbprint <cert-thumbprint-here>
    For more info, visit
    https://www.digicert.com/ssl-certificate-renewal-exchange-2007.htm

  • Exchange 2010: How to renew an SSL certificate?

    Hi all.  I have done some reading but it seems I can't find just a simple step-by-step on how to renew an SSL certificate issued by a 3rd party CA for Exchange 2010.  I really don't want to mess this one up by cobbling together partial answers from various forums and end up omitting something, then being stuck unable to figure out why I broke email while the CEO flips out.
    This is a standard GoDaddy 5-domain UCC certificate.  There is only one Exchange server, SP3 (I don't think I have Rollup 6 on yet).  The existing certificate expires in a month or so.
    I have some specific questions but perhaps these would be answered via what I hope will be a step by step instruction set in your reply :) Sorry to appear lazy by asking for the full instructions; it's just that so far no single forum post nor MS TechNet article has addressed all my concerns, or in some cases the information conflicts.  So my concerns for example are: can you do a renewal for a certificate before the old one expires?  Is it actually a renewal, or are you adding a 2nd certificate?
    Do you have to do anything in IIS or does EMC or EMS do all that for you? 
    Thank you. 

    -->Can you do a renewal for a certificate before the old one expires? 
    Yes. Normally a 3rd-party CA allows you to renew the certificate before the current one expires.
    -->It is actually a renewal, or are you adding a 2nd certificate? 
    You have to renew the certificate and a new/second certificate will be added to your server certificate store. Please check below for detailed step of Godaddy renewal. http://stevehardie.com/2013/10/how-to-renew-a-godaddy-exchange-2010-ssl-certificate/
    -->Do you have to do anything in IIS or does EMC or EMS do all that for you? 
    You will have to do it from MMC or EMS. No need to do anything from IIS.
    Follow the steps below to make your work easy, or follow the video on this site: http://www.netometer.com/video/tutorials/Exchange-2010-how-to-renew-SSL-certificate/
    1. Run this command from EMS to generate the CSR. You will find the CSR named "newcsr.txt" in the C:\CSR folder:
    Set-Content -Path "C:\CSR\newcsr.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=WA, l=Bellevue, o=Contoso, cn=commonname.domain.com" -DomainName autodiscover.domain.com -PrivateKeyExportable $True)
    2. Renew the certificate from Godaddy (from Godaddy portal) using the new CSR (i.e. newcsr.txt). Download the certificate from Godaddy after renewal.
    3. Open Exchange MMC. Go to Server configuration. Right click on the pending request.  Click on complete pending request and browse to the newly downloaded certificate. Make sure you have internet when doing this.
    4. Assign services using the steps in the below site. Make sure you have selected the new certificate. You will see the thumbprint just before completion http://exchangeserverpro.com/how-to-assign-an-ssl-certificate-to-exchange-server-2010-services/
    5. Delete the old certificate from MMC.
    From EMS use this command:
    Remove-ExchangeCertificate -Thumbprint <old cert thumbprint>
    You can see the certificate thumbprints using the Get-ExchangeCertificate command.
    MAS. Please don't forget to mark as answer if it helped.
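    The six steps above (and the Import-ExchangeCertificate / Enable-ExchangeCertificate pair from the Exchange 2007 thread earlier) can be run as one Exchange Management Shell script, with the checks that protect against the usual mistakes: renewing with fewer SANs than before, importing on the wrong server, and deleting the old certificate before the new one is actually bound. This is an added example, not the answerer's script and not Microsoft's own code; the C:\CSR paths, the 45-day window and the service list are assumptions.

```powershell
# Added example (not from the answer above): scripted renewal of an Exchange 2010
# certificate from the Exchange Management Shell, keeping the old certificate in
# place until the new one is verifiably bound.
# Assumptions: paths under C:\CSR, a 45-day renewal window, the four services below.
$csrPath  = 'C:\CSR\newcsr.txt'       # the folder must exist before Set-Content runs
$certPath = 'C:\CSR\renewed.cer'      # the issued certificate returned by the CA
$services = 'IIS', 'SMTP', 'POP', 'IMAP'

# 1. Find the bound certificate closest to expiry and record the names it covers.
#    The renewal must keep the same SANs (mail, autodiscover, legacy ...), or
#    Autodiscover/ActiveSync/OWA clients start failing the moment it is bound.
$old = Get-ExchangeCertificate |
       Where-Object { $_.Services -ne 'None' -and $_.NotAfter -lt (Get-Date).AddDays(45) } |
       Sort-Object NotAfter | Select-Object -First 1
if (-not $old) { throw 'No bound certificate expires within 45 days; nothing to renew.' }
$names = @($old.CertificateDomains | ForEach-Object { $_.ToString() })
Write-Host ("Renewing {0} (expires {1:d}) covering: {2}" -f $old.Thumbprint, $old.NotAfter, ($names -join ', '))

# 2. New CSR with a fresh 2048-bit key. Exportable so the same certificate can be
#    copied to a second CAS or a reverse proxy. Add O/L/ST to the subject if the CA wants them.
$req = New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
           -SubjectName ("cn={0}" -f $names[0]) -DomainName $names -PrivateKeyExportable $true
Set-Content -Path $csrPath -Value $req
# ... submit $csrPath to the CA and save the issued certificate (not the CA bundle) as $certPath ...

# 3. Complete the pending request. The issued certificate is matched to the request
#    by public key, so this must run on the server that generated the CSR.
$new = Import-ExchangeCertificate -FileData ([byte[]][System.IO.File]::ReadAllBytes($certPath))

# 4. Sanity checks before touching any binding.
if (-not $new.HasPrivateKey) { throw 'Imported certificate has no private key: wrong server or wrong CSR.' }
$newNames = @($new.CertificateDomains | ForEach-Object { $_.ToString() })
$missing  = @($names | Where-Object { $newNames -notcontains $_ })
if ($missing.Count -gt 0) { throw "Issued certificate is missing names: $($missing -join ', ')" }
if ($new.NotAfter -le $old.NotAfter) { throw 'Issued certificate does not expire later than the current one.' }

# 5. Bind it. -Force suppresses the "overwrite the default SMTP certificate?" prompt.
#    The old certificate is still in the store, so nothing is unprotected in between.
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $services -Force

# 6. Remove the old certificate only once the new one actually owns every service.
$bound  = (Get-ExchangeCertificate -Thumbprint $new.Thumbprint).Services.ToString()
$notYet = @($services | Where-Object { $bound -notmatch $_ })
if ($notYet.Count -eq 0) {
    Remove-ExchangeCertificate -Thumbprint $old.Thumbprint -Confirm:$false
    Write-Host "Old certificate $($old.Thumbprint) removed; new thumbprint is $($new.Thumbprint)."
} else {
    Write-Warning "New certificate is not bound to $($notYet -join ', '); keeping the old one."
}
```

    Step 4 is the part worth keeping even if you do the rest in the EMC: a GoDaddy "renewal" done from a fresh CSR is a brand-new certificate, so nothing guarantees the SAN list matches the old one unless you compare it yourself before binding.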

  • [solved] dovecot errors after renewing SSL certificate

    System:
    OS X Server (Mountain Lion) 2.2
    Using a single SSL Certificate for all services.
    Symptom:
    Users can't log into their IMAP accounts hosted on OS X Server (Mountain Lion) after renewing SSL Certificate
    Diagnostics:
    Give you an indication whether it's this problem. Some or all may apply:
    Log shows all kinds of dovecot errors. e.g.
    dovecotd[nnn]: master: Error: service(config): command startup failed, throttling
    config: Fatal: Error in configuration file /Library/Server/Mail/Config/dovecot/dovecot.conf: ssl enabled, but ssl_cert not set
    dovecotd[nnn]: master: Error: service(config): command startup failed, throttling
    /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf shows commented out lines:
    ssl_cert
    ssl_key
    ssl_ca
    Solution:
    Go to the Certificates pane of the Server App  and choose Secure Services Using: Custom
    Set IMAP and POP server certificates to None
    Keep an eye on what the server App is doing to /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf
    Now set Secure Services Using: <My single SSL Certificate for all services>
    Keep an eye on what the server App is doing to /Library/Server/Mail/Config/dovecot/conf.d/10-ssl.conf and you should now see all the ssl* settings as you would expect, and pointing to the correct SSL certificate  in /etc/certificates
    Hope this works for you too!

    I had something similar happen. When I do anything with SSL certificates it deletes any regular websites. Only the sites that are setup for https are listed.
    Couldn't understand why my website wasn't working and it turned out that the system had deleted it. The web server had multiple hosts set up and I had to rebuild all the ones that had used port 80. All the ones that use 443 were fine.
    Hope this helps.

  • Renew SSL Certificate for for two Exchange 2010 Server and the new rules.

    Hi there,
    My Exchange 2010 Server certificate is about to expire and I am going to renew it, but according to the new rules for SSL certificate issuing we can not include our local server names and local FQDNs such as myserver.contoso.local. My issue is that I have 2 Exchange servers: one is the internet-facing server (where the certificate is initiated and installed) and one is a non-internet-facing Exchange server.
    If I am going to renew my certificate with public-only names, I have to create a split domain that reflects my external links to the internal users. What shall I do for the non-internet-facing server? Do I need to create another record in my split DNS server and add it to my certificate request?
    This topic first appeared in the Spiceworks Community

    I find DigiCert's website always helpful with cert questions. They've got a pretty helpful page here: https://www.digicert.com/internal-names.htm
    It looks like they've got a tool for Exchange, but I've not used it myself, so can't say if it works or how well: https://www.digicert.com/internal-domain-name-tool.htm
    I bet Microsoft have something on their website too that helps with this sort of question.
    I'd say you register a completely new domain and use that for public facing and internal servers. Or you could just create a sub domain of an existing one, i.e. subdomain.mydomain.com, and use that, i.e. public_exchange.subdomain.mydomain.com and internal_exchange.subdomain.mydomain.com.

  • Renewing SSL certificate

    I have to renew the SSL cert (ASA) for my portal website (expires in 30 days); users use the AnyConnect client to connect. Is there any way to put it in line with the cert that hasn't expired yet, so the users don't receive a message about accepting a new certificate? I have about 1500 users that are generally not tech savvy, so I would imagine lots of calls to the helpdesk if they get a pop up. Thanks in advance!

    This document is intended to provide the general steps required to renew an SSL certificate and install it on an ASA. This procedure does not impact your network as long as the current certificate is not deleted.
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809fcf91.shtml

  • How do I renew the "Fallback SSL Certificate"?

    Last week my server started emailing me about certificates that were due to expire. So I went to Server App, Certificates, and hit show all. There was only one certificate. Double-click, hit the Renew button, done. Easy!
    Trouble is, I have another certificate, called "Fallback SSL Certificate", which somehow doesn't show up in Server App, and it's expiring too. I can view it in Keychain Access, but there's no renew button there. So can someone tell me how to renew this certificate?
    Thanks!

    Any idea how to fix the certificates if this doesn't fix it?
    I renewed all my certificates in Server app and the reminder emails to renew them have continued, except now the names have changed and none of the new names (or the fallback certificate, for that matter) appear in Server app's list.

  • Renew Verisign ssl certificate for webaccess

    Hi, we have just had our current Verisign SSL certificate expire.
    We are running GroupWise 7.03 on our cluster agents and post offices & GWIA.
    The WebAccess application is running on a NetWare 6.5 SP5 server, which is running Apache ver 2.0.54 & Tomcat 4, and also has Tomcat 5 in the DMZ.
    I have come across a number of support TIDs about renewing SSL into eDir, but I am looking for some steps to run through regarding WebAccess.
    My web app team have just bought a new Verisign SSL certificate.
    What do I do from here to renew the WebAccess application with the new Verisign SSL certificate?
    Anything that can help with this regarding WebAccess and Verisign SSL certificate renewal instruction steps would be helpful.
    regards
    Dennis

    Dennis,
    > My web app team have just bought a new Verisign SSL certificate.
    > What do I do from here to renew the WebAccess application with the new
    > Verisign SSL certificate?
    >
    > Anything that can help with this regarding WebAccess and Verisign SSL
    > certificate renewal instruction steps would be helpful.
    If you still need to do this, drop me an email at hamish at haitch dot
    net and I'll send you a doc I did documenting the process.
    H.
    Hamish
    Run multi-processor NetWare VM's with vmBoost
    http://www.haitch.net

  • ACS Not installing renewed SSL Certificate for PEAP/EAP-TLS?

    We recently renewed our SSL certificate through RapidSSL. While attempting to install the new certificate into ACS, I was given the prompt showing the updated dates, confirmed and installed the new certificate, deleting the old one. I restarted ACS, as required, but when trying to enable PEAP or EAP-TLS, I am getting the error "Failed to initialize PEAP or EAP-TLS authentication protocol because ACS certificate is not installed."
    The worst part is that when I tried to reinstall the old certificate, I am now getting the same problem.
    Any suggestions?

    Matt,
    How did you perform the CSR.... did you use ACS or OpenSSL? Also, did you verify that the certificate is in the trusted personal folder on the server?
    Scott

  • File Adapter FTP SSL SSL Certificate Exception

    After reviewing the results of searching on this error, I do not find anything that fits my situation:
    SAP File Adapter (PI 7.1) using FTP with FTPS connection security.
    I am not using X.509 certificate for client authentication.
    My connection is using a non-public certificate.
    I have added the SSL certificate to TrustedCAs and DEFAULT keystores.
    I am getting the following error:
    Message processing failed. Cause: com.sap.engine.interfaces.messaging.api.exception.MessagingException: Error when getting an FTP connection from connection pool: com.sap.aii.af.lib.util.concurrent.ResourcePoolException: Unable to create new pooled resource: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    Since I am using a non-public certificate, it will not validate. Even after adding it to the TrustedCAs and DEFAULT keystores, it seems the configuration is still attempting to validate the certificate.
    Any recommendations?

    Hi,
    The main reasons for this error are:
    1. The correct server certificate may not be present in the TrustedCAs keystore view of NWA. Please ensure you have done all the steps described in these two URLs:
    Security Configuration at Message Level
    http://help.sap.com/saphelp_nwpi71/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
    2. The server certificate chain contains an expired certificate. Check for it (that was the cause for other customers as well) and if that's the case renew it or extend the validity.
    3. Some other people have reported a similar problem, and mainly the problem was that the certificate chain was not in the correct order. Basically the server certificate chain should be in the order Own -> Intermediate -> Root. To explain in detail: if your server certificate is A, which is issued by an intermediate CA B, and B's certificate is issued by C, which is the root CA (having a self-signed certificate), then your certificate chain contains 3 elements, A -> B -> C. So you need to have the right order of certificates in the chain. If the order is B first, followed by A, followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCAs keystore view and try again. Please treat this third step as the principal one.
    Hope it solves your query.
    Regards,
    Caio Cagnani
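    The ordering rule in point 3 (own certificate, then intermediate, then root) is easy to get wrong when PEM files are concatenated by hand, and an expired intermediate (point 2) looks identical in a text editor. The script below is an added example, not part of the SAP answer and not SAP or IAIK code: it walks a PEM bundle the way a chain verifier does and reports out-of-order, expired or SHA-1/MD5-signed elements. The test chain (A issued by B issued by C) is constructed in memory with .NET's CertificateRequest, so it needs PowerShell 7; the names in it are invented. The signature-algorithm check is also the quick way to answer the SHA-1 versus SHA-2 question that comes up further down the page.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Added example: check that a PEM bundle is ordered leaf -> intermediate -> root,
# that nothing in it has expired, and how each element is signed.
function ConvertFrom-PemBundle([string]$Pem) {
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($Pem, $pattern, 'Singleline')) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [X509Certificate2]::new($der)
    }
}

function Test-ChainOrder([string]$Pem) {
    $chain = @(ConvertFrom-PemBundle $Pem)
    if ($chain.Count -eq 0) { return @('no certificates found in bundle') }
    $problems = @()
    for ($i = 0; $i -lt $chain.Count; $i++) {
        $c = $chain[$i]
        if ($c.NotAfter -lt [DateTime]::Now) {
            $problems += "element $i ($($c.Subject)) expired on $($c.NotAfter)"
        }
        if ($c.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
            $problems += "element $i ($($c.Subject)) is signed with $($c.SignatureAlgorithm.FriendlyName)"
        }
        # Each element must be issued by the next one; this is what the verifier follows.
        if ($i -lt $chain.Count - 1 -and $c.Issuer -ne $chain[$i + 1].Subject) {
            $problems += "element $i is issued by '$($c.Issuer)' but element $($i + 1) is '$($chain[$i + 1].Subject)'"
        }
    }
    if ($chain[-1].Subject -ne $chain[-1].Issuer) {
        $problems += "last element ($($chain[-1].Subject)) is not a self-signed root"
    }
    return $problems
}

# --- constructed test data: leaf A issued by intermediate B issued by root C ---
function ConvertTo-Pem([X509Certificate2]$Cert) {
    $b64 = [Convert]::ToBase64String($Cert.Export([X509ContentType]::Cert), 'InsertLineBreaks')
    "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
}

function New-TestChain {
    $now  = [DateTimeOffset]::UtcNow
    $isCa = [X509BasicConstraintsExtension]::new($true, $false, 0, $true)

    $rootReq = [CertificateRequest]::new('CN=Test Root C', [RSA]::Create(2048), [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $rootReq.CertificateExtensions.Add($isCa)
    $root = $rootReq.CreateSelfSigned($now.AddDays(-1), $now.AddYears(10))

    $midKey = [RSA]::Create(2048)
    $midReq = [CertificateRequest]::new('CN=Test Intermediate B', $midKey, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $midReq.CertificateExtensions.Add($isCa)
    $mid = $midReq.Create($root, $now.AddDays(-1), $now.AddYears(5), [byte[]](1, 2, 3, 4))
    $mid = [RSACertificateExtensions]::CopyWithPrivateKey($mid, $midKey)   # B must be able to sign A

    $leafReq = [CertificateRequest]::new('CN=ftp.example.test', [RSA]::Create(2048), [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $leaf = $leafReq.Create($mid, $now.AddDays(-1), $now.AddYears(1), [byte[]](5, 6, 7, 8))

    [pscustomobject]@{ Leaf = $leaf; Intermediate = $mid; Root = $root }
}

$t    = New-TestChain
$good = (ConvertTo-Pem $t.Leaf) + (ConvertTo-Pem $t.Intermediate) + (ConvertTo-Pem $t.Root)
$bad  = (ConvertTo-Pem $t.Intermediate) + (ConvertTo-Pem $t.Leaf) + (ConvertTo-Pem $t.Root)

"A-B-C order: $((Test-ChainOrder $good).Count) problem(s)"          # 0
"B-A-C order: " + ((Test-ChainOrder $bad) -join '; ')               # two issuer/subject mismatches
# For a real bundle exported from the keystore: Test-ChainOrder (Get-Content -Raw .\chain.pem)
```

    Run it against the exact bytes you are about to import, not against the CA's download page: the mismatch reports name both sides of the broken link, so a bundle assembled from the wrong intermediate (a common cause of "Peer certificate rejected by ChainVerifier") shows up as well as a simple mis-ordering.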

  • Portal certificate renew

    Hi All,
    Need your help urgently. I need to know how to renew the system PSE certificate. Can we generate a new certificate in the portal itself?

    Hi,
    first of all: what certificate are you talking about? From the replies you got you could see that we went in different directions. Are you talking about the SSL certificate (used for a secure connection to the portal) or the verify.der (used for SSO to backend systems)?
    You won't get a warning message for either. In the SSL case you will simply get a security pop-up when accessing the portal saying that the certificate is no longer valid.
    In the SSO case SSO will simply stop working.
    I hope with the replies mentioned above you are able to create new certificates. If not, please come back and explain your situation in more detail.
    Regards,
    Holger.

  • Automatic Smart Card Certificate Renewal

    We have a problem where our Smart Card certificates are starting to expire but the automatic renewal process is failing.
    Is it actually possible to auto renew Smart Card certs without requiring any user input (other than the PIN)?
    There are two errors in the event log -
    Event ID:      16
    Description:
    Certificate enrollment for <domain>\<username> failed to renew a SmartcardLogon certificate with request ID N/A from <ca server name> (Provider could not perform the action since the context was acquired as silent. 0x80090022 (-2146893790)).
    Event ID:      6
    Automatic certificate enrollment for <domain>\<username> failed (0x80090022) Provider could not perform the action since the context was acquired as silent.
    The certificate template is configured with all the correct permissions (Read, Enroll, Autoenroll) and group policy is configured with the auto-enrollment settings.
    Thanks in advance.

    This may be caused by an incorrect certificate template configuration. In the Request Handling tab (IIRC), there are several radio buttons where you specify whether enrollment may ask for user input during enrollment or not. You need to allow user input during enrollment for smart card templates.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.
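    The Request Handling radio buttons the answer refers to are stored in the template's msPKI-Enrollment-Flag attribute in the Configuration partition, so the setting can be confirmed from a script instead of clicking through the Certificate Templates console. The following is an added example, not part of the answer and not from the PSPKI module it links to: it decodes the autoenrollment and user-interaction bits (values from MS-CRTD section 2.26) and explains why their combination produces exactly the 0x80090022 error in the event log above. The template name and LDAP access are assumptions.

```powershell
# Added example: decode a certificate template's msPKI-Enrollment-Flag to see
# whether autoenrollment is allowed to prompt (the smart card PIN dialog).
# Bit values per MS-CRTD 2.26. Template name and LDAP access are assumptions.
$CT_FLAG_AUTO_ENROLLMENT           = 0x20    # template participates in autoenrollment
$CT_FLAG_USER_INTERACTION_REQUIRED = 0x100   # Request Handling: "Prompt the user during enrollment"

function Get-EnrollmentFlagStatus([int]$EnrollmentFlag) {
    # Pure decode, so it can be checked against any value, not only a live template.
    $autoEnroll  = ($EnrollmentFlag -band $CT_FLAG_AUTO_ENROLLMENT) -ne 0
    $promptsUser = ($EnrollmentFlag -band $CT_FLAG_USER_INTERACTION_REQUIRED) -ne 0
    [pscustomobject]@{
        EnrollmentFlag = ('0x{0:X}' -f $EnrollmentFlag)
        AutoEnroll     = $autoEnroll
        PromptsUser    = $promptsUser
        # A smart card cannot supply its PIN in a silent context: autoenrollment
        # without the prompt bit ends in NTE_SILENT_CONTEXT (0x80090022), the
        # "context was acquired as silent" error quoted in the question.
        SmartCardRenewalOk = (-not $autoEnroll) -or $promptsUser
    }
}

function Test-SmartCardTemplate([string]$TemplateName) {
    $cfgNc = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $tpl   = [ADSI]"LDAP://CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNc"
    Get-EnrollmentFlagStatus ([int]$tpl.Properties['msPKI-Enrollment-Flag'].Value)
}

# Offline demonstration with constructed values:
Get-EnrollmentFlagStatus 0x20    # AutoEnroll=True,  PromptsUser=False -> SmartCardRenewalOk=False
Get-EnrollmentFlagStatus 0x120   # AutoEnroll=True,  PromptsUser=True  -> SmartCardRenewalOk=True
# Live check against AD (assumed template name): Test-SmartCardTemplate 'SmartcardLogon'
```

    Changing the radio button bumps the template's revision, so clients pick the new flag up on their next autoenrollment pass; the renewal then succeeds the next time the user is logged on interactively and can answer the PIN prompt.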

  • WILL MAC OS 10.4 server SUPPORT SHA-2 SSL CERTIFICATES

    Am running Mac OS Server 10.4.11 on a PowerPC Mac Mini (1.42GHz) and currently have a SHA-1 SSL certificate from GoDaddy.
    They want everyone to upgrade to a SHA-2 (SHA256) SSL certificate for Google's Chrome browser, which will soon start showing SSL errors for SHA-1 certificates.
    Is Mac OS Server 10.4.11 capable of serving up a SHA-2 SSL certificate?  (I originally renewed last Feb. to a SHA-2 certificate, but many browsers didn't recognize it, so I re-keyed to a SHA-1 certificate that is good to 12/31/15.)

    Hi, I do not know, but I doubt it.
    Here's the 10.4 Server forum if you want to ask over there...
    Mac OS X Server v10.4 and earlier

  • How do i "re-trust" the SSL certificate sent from a server I previously marked as untrusted?

    I use Citrix Receiver to access my workplace Windows environment remotely from home, where I run Firefox 7.01 on Ubuntu 11.10. Two days ago the SSL certificate expired, so when I tried to log on remotely it failed. Now the company have renewed the certificate, but when I try to log on I get an error from the Citrix ICA Client saying "You have not chosen to trust Verisign Class 3 Public Primary Certification Authority - G5, the issuer of the server's security certificate (SSL error 61)".
    I have found a couple of similar queries here, but neither had a solution which worked for me. The entry for Verisign Class 3... G5 is in /etc/ca-certificates.conf; also there's a link in /etc/ssl/certs to an existing ...G5.crt file in /usr/share/ca-certificates, and Firefox seems to recognise the issuer as a valid existing certificate issuer. Firefox displays the certificate for the page when I use menu options Tools -> Page Info -> Security -> View Certificate, and the certificate shows as valid for today. For the life of me I can't find a way to make Firefox trust the darn issuer.
    I get the same fault with Firefox 3.6.23 on Ubuntu 10.04.
    (I'd rather not tell everyone here the URL of my company's remote access website)

    Thanks for the swift reply, cor-el - unfortunately, no joy with this approach.
    A. As my named user (called "greg", surprise, surprise, no secret there...)
    Run Firefox; select Edit > Preferences > Advanced : Encryption:
    Here I get no option for Certificates, but I do get View Certificates - then tabs for:
    - Servers, under which my company's remote logon URL is listed - Edit button is grey
    - Authorities, under which the Verisign...G5 entry may be edited; 3 options:
    1. may identify websites (ticked)
    2. may identify mail users (unticked)
    3. may identify software makers (ticked)
    I ticked 2, tried again - same failure. Unticked it.
    B. As root.
    Run Firefox; select Edit > Preferences > Advanced : Encryption:
    Here I get no option for Certificates, but I do get View Certificates - then tabs for:
    - Servers, under which my company's remote logon URL is NOT listed
    - Authorities, under which the Verisign...G5 entry may be edited; 3 options:
    1. may identify websites (ticked)
    2. may identify mail users (unticked)
    3. may identify software makers (unticked)
    I ticked 2 and 3, tried again - same failure. Unticked them.
    Maybe a solution would be, in some way, to add my company's remote logon URL to the list of Servers while running Firefox as root. The Export and Import buttons may help here. However, when I first declined their certificate I was running Firefox as greg, not as root, so I am a bit suspicious there - what can be done as greg should be undoable as greg.
    This is doing my head in. Maybe it's time to step back and think a bit. Maybe try Citrix's online help (already spent a fair amount of time there with no joy either).
    So, thanks again for the reply - I've generally tried to provide a good list of what's up, and your reply has given me food for thought. OK, I'll keep trying.
