Exchange 2010: Renewing Your Expiring SSL Certificate with the DigiCert Utility
Use the DigiCert® Certificate Utility for Windows to create your CSR (certificate signing request) and then to install your SSL Certificate. Then use Exchange 2010 to assign the services to the new SSL Certificate.
To Renew Your Exchange 2010 SSL Certificate:
- Create your CSR.
- Install your new SSL Certificate.
  See How to Import Your SSL Certificate Using the DigiCert Utility.
- Configure or assign your new SSL Certificate.
1. How to Create Your CSR Using the DigiCert Utility
Best practice is to generate a new certificate signing request (CSR) when renewing your SSL certificate.
- On your Exchange 2010 server with the expiring certificate, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).
- Run the DigiCert® Certificate Utility for Windows.
  Double-click DigiCertUtil.
- In DigiCert Certificate Utility for Windows©, click SSL (gold lock), select the expiring certificate that you want to renew, and then click Create CSR.
- In the "Would you like to import the attributes from 'certificate' into the new CSR?" window, click Yes.
- On the Create CSR page, verify that all the certificate details are correct, and then click Generate.
- On the DigiCert Certificate Utility for Windows© - Renew Certificate page, do one of the following, and then click Close:
  - Click Copy CSR. Copies the certificate contents to the clipboard. If you use this option, we recommend that you paste the CSR into a tool such as Notepad. If you forget and copy some other item, you still have access to the CSR, and you do not have to go back and recreate it.
  - Click Save to File. Saves the CSR as a .txt file to the Windows server. We recommend that you use this option.
Renew your SSL certificate
Renew your SSL certificate from inside your DigiCert CertCentral account.
Are you new to the DigiCert team? You can "replace" your certificate with a DigiCert certificate. Order your new certificate here - Purchase Your DigiCert Certificate.
- Sign in to your CertCentral account.
- In CertCentral, in the left main menu, click Certificates > Expiring Certificates.
- On the Expiring Certificates page, next to the certificate you want to renew, click Renew Now.
  A certificate doesn't appear on the Expiring Certificates page until 90 days before it expires.
- Follow the instructions provided inside your account to renew your SSL certificate.
- Add your CSR
  When renewing the certificate, you'll need to include a CSR. On the "Renewal" page, under Certificate Settings, upload the CSR file you saved to the server.
  You can also use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it in the Add Your CSR box.
- After placing the order to renew your certificate, DigiCert verifies your information.
- If we need any additional information, we will promptly contact you by phone or email. If no additional information is required, we will most likely issue your certificate within an hour.
2. How to Import Your SSL Certificate Using the DigiCert Utility
After DigiCert has issued your renewal SSL Certificate, you need to run the DigiCert Certificate Utility to import it to your Exchange 2010 server.
- After receiving your new certificate file from DigiCert, save the file to the Exchange 2010 server where you created the CSR.
- On the same server, run the DigiCert® Certificate Utility for Windows.
  Double-click DigiCertUtil.
- In DigiCert Certificate Utility for Windows©, click SSL (gold lock) and then click Import.
- In the Certificate Import wizard, click Browse to browse to the .cer certificate file (i.e. mail_yourwebsite_com.cer) that DigiCert sent you, select the file, click Open, and then click Next.
- In the Enter a new friendly name or you can accept the default box, type a friendly name for the certificate.
  Note: The friendly name is not part of the certificate; instead, it is used to identify the certificate.
  We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-digicert-(expiration date). This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
- To import the SSL Certificate to your server, click Finish.
  You should receive the message "Your certificate has been successfully imported". You are now ready to assign/configure your server software to use the renewed SSL Certificate.
3. Exchange 2010: How to Assign Your Certificate
If you have not yet created your certificate signing request (CSR) and ordered your certificate, see How to Create Your CSR Using the DigiCert Utility.
- Open the Exchange Management Console (Microsoft Exchange 2010 > Exchange Management Console).
- In the Exchange Management Console, in the center section, click Manage Databases.
- In the navigation tree on the left, expand Microsoft Exchange On-Premises and then select Server Configuration.
- In the center section, under Exchange Certificates, select your new certificate (listed by its Friendly Name) and then in the Actions menu on the right, click Assign Services to Certificate.
- Next, select your server from the list provided and then click Next.
- Then, select all of the services (i.e. SMTP, IMAP, POP, and IIS) that you want to assign to your new certificate.
- In the Wizard, click Next > Assign > Finish.
Your SSL Certificate should now be installed to the Exchange 2010 mail domain with the services that you selected.
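The same assignment can be made from the Exchange Management Shell, with checks that the imported certificate is usable before any service is switched to it. This is an added example, not part of the original guide; the friendly name is a placeholder, and the private-key check reflects the import step's requirement that the certificate be installed on the server where the CSR was created.

```powershell
# Added example for the Exchange 2010 Management Shell (PowerShell 2.0 syntax).
# $FriendlyName is a placeholder: use the name you typed in the import wizard.
$FriendlyName = 'yoursite-digicert-(expiration date)'
$Services     = 'SMTP,IMAP,POP,IIS'   # the services named in the steps above

# Find the renewed certificate by friendly name; refuse to guess if ambiguous.
$found = @(Get-ExchangeCertificate | Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate named '$FriendlyName', found $($found.Count)."
}
$cert = $found[0]

# Show what is about to be bound so it can be compared with the order.
$cert | Format-List FriendlyName, Thumbprint, NotAfter, HasPrivateKey, Status, CertificateDomains

# A certificate imported on a server that did not create the CSR has no
# private key here and cannot be used for any service.
if (-not $cert.HasPrivateKey) {
    throw 'No private key on this server. Import the certificate where the CSR was created.'
}
if ($cert.NotAfter -le (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter). This is not the renewed certificate."
}
if ($cert.Status -ne 'Valid') {
    # For example RevocationCheckFailure; see the Troubleshooting section.
    Write-Warning "Exchange reports status '$($cert.Status)' for this certificate."
}

# Assign the services (Exchange asks before replacing the default SMTP certificate).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $Services

# Confirm which certificate now holds each service and when each one expires.
Get-ExchangeCertificate | Sort-Object NotAfter |
    Format-Table FriendlyName, Thumbprint, NotAfter, Services -AutoSize
```

Once the final table shows the services on the new thumbprint, the expiring certificate no longer serves them and can be removed at a convenient time.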
Test Your Installation
To verify that the installation is correct, use our DigiCert® SSL Installation Diagnostics Tool and enter the DNS name of the site (i.e. www.yourdomain.com, or mail.yourdomain.com) that you are securing to test your SSL Certificate.
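A local check that complements the diagnostics tool: connect to the HTTPS (IIS) endpoint and confirm that the certificate actually served is the renewed one. This is an added example, not part of the original guide; the host name and expected thumbprint are placeholders, and it does not cover SMTP, IMAP or POP.

```powershell
# Added example (PowerShell 2.0 compatible). $HostName and $ExpectedThumbprint
# are placeholders: use your own DNS name and the renewed certificate's thumbprint.
$HostName           = 'mail.yourdomain.com'
$ExpectedThumbprint = '<THUMBPRINT-OF-RENEWED-CERTIFICATE>'

function Get-ServedCertificate([string]$Name, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # No custom validation callback: the default policy checks the chain and
        # the host name, and AuthenticateAsClient throws if either check fails.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Name)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }
}

$served   = Get-ServedCertificate $HostName
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
$daysLeft = [int]($served.NotAfter - (Get-Date)).TotalDays

"Subject    : {0}" -f $served.Subject
"Issuer     : {0}" -f $served.Issuer
"Thumbprint : {0}" -f $served.Thumbprint
"Expires    : {0} ({1} days left)" -f $served.NotAfter, $daysLeft

if ($served.Thumbprint -ne $expected) {
    # Typical cause: the IIS service is still assigned to the old certificate.
    Write-Warning "$HostName is not serving the renewed certificate."
}
```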
Troubleshooting
If you run into certificate errors, try repairing your certificate trust errors using DigiCert® Certificate Utility for Windows. If this does not fix the errors, contact support.
"Revocation Check Failed" Error
If you run into any errors with clients trying to connect to your server, make sure that you don't have certificate errors next to your SSL Certificate in the DigiCert Certificate Utility. If you don't have any certificate errors but are getting an error stating, 'The certificate status could not be determined because the revocation check failed', don't panic. Your certificate probably wasn't revoked.
This problem is not caused by the certificate itself. It is a result of a combination of your network environment and how your system is configured. Whether you have a proxy or not, this error is almost always caused by proxy settings. Exchange does not get its proxy settings from Internet Explorer, so even if you can access the internet, telnet to port 80 on ocsp.digicert.com, or download CRL files directly using a browser, you may still be having proxy problems.
Exchange uses a Windows service called WinHTTP to go through proxies and determine the validity of a certificate. If you know you use a proxy, then it may simply be a problem with WinHTTP not being configured with the correct proxy settings. To remove the revocation error message, your primary goal is to get the WinHTTP Proxy settings set up correctly for your network environment.
Note: This problem is not caused by DigiCert, but if you are having problems, contact us and we may be able to help you.
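A diagnostic sequence for the WinHTTP proxy problem described above, as an added example that is not part of the original guide. The certificate path, proxy host and bypass list are placeholders; the commands that change configuration are left commented out so that only the one matching your network is run.

```powershell
# Added example; run in an elevated Exchange Management Shell on the Exchange server.
# $CertFile, the proxy host and the bypass list below are placeholders.
$CertFile = 'C:\certs\mail_yourwebsite_com.cer'

# 1. What Exchange itself reports. A Status of RevocationCheckFailure is the
#    condition this section describes.
Get-ExchangeCertificate | Format-Table FriendlyName, Status, NotAfter -AutoSize

# 2. The machine-wide WinHTTP proxy. This is separate from the proxy configured
#    in Internet Explorer, which is why browsing can work while Exchange fails.
netsh winhttp show proxy

# 3. Retrieve the CRL and OCSP URLs named in the certificate and verify the chain.
#    This runs as the signed-in user, so treat a pass as proof that the URLs are
#    reachable, and rely on step 1 for what the Exchange services see.
certutil -verify -urlfetch $CertFile

# 4. Correct the WinHTTP proxy. Uncomment ONE line that matches your network.
#    a) Explicit proxy, bypassed for internal names:
# netsh winhttp set proxy proxy-server="proxy.example.local:8080" bypass-list="*.example.local;<local>"
#    b) Copy the proxy currently configured in Internet Explorer:
# netsh winhttp import proxy source=ie
#    c) No proxy in this network (direct access):
# netsh winhttp reset proxy

# 5. Re-check the status after the change. If it still shows the old value,
#    restart the affected Exchange services during a maintenance window.
Get-ExchangeCertificate | Format-Table FriendlyName, Status -AutoSize
```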