Exchange Server – How to use existing certificate without CSR

exchange-2010ssl-certificate

I have some SSL certificates problem.

We have an Exchange 2010 server hosting mailboxes for mydomain.com, otherdomain.com and thirddomain.com. It's internal name is myserver.mydomain.local.

When setup, it came with its self-signed certificate on the name "myserver".

We already have an SSL certificate for mail.mydomain.com (containing the SAN mydomain.com), and want to use it so everyone will connect to OWA / Activesync / Outlook Anywhere etc. using the url : mail.mydomain.com.

The only resources I find searching the web are telling me to create a certificate request using the Exchange MMC, then forward it to the CA to issue a new certificate then complete the request on the Exchange server.

But how can I re-use our existing certificate ? It is fine, it has already the good server names in it, we don't want to re-pay for a new certificate ! (also we should pay for revoking the old one before a new one could be issued).

Best Answer

Just install the certificate (with private key) on the Exchange Server in the Computer's Personal Store. Then you can select it in Exchange

Related Solutions

Exchange 2010 SSL certificate requirements for multiple domains

Apart from the required internal FQDN's and server names, you only need the domains on your certificate that you need to securely access your server on (OWA or ActiveSync for example). Your Exchange server can accept mail for any number of other domains, but if you only access OWA on mail.acme-widgets.com then that is the only external DNS name that needs to be on the certificate.

As an example, our Exchange server accepts mail for about 30 domains, but we only have the following things on our certificate (pardon the whole Acme Widgets thing, but you get the idea).

svr03                               (Internal server name)
mail.acme-widgets.com               (OWA domain)
autodiscover.corp.acme-widgets.com  (AutoDiscover internal FQDN)
autodiscover.acme-widgets.com       (AutoDiscover external FQDN)
legacy.acme-widgets.com             (Legacy domain)
svr03.corp.acme-widgets.com         (Internal FQDN)

If I recall correctly, when I was going through the Exchange certificate wizard it did include all of our auxiliary domains, but I chose to remove them. It shouldn't hurt to leave them on, and if the certificate wizard includes them by default, it's certainly not wrong to leave them.

How to use a Multi-SAN certificate on both Lync and Exchange servers

There is no problem at all in using the same certificate in two different applications, if everything else is ok. The certificate in itself is not the problem, the problem lies in some misconfiguration on the Lync side.

You should check all URLs Lync uses (they are a lot...), and verify that your certificate actually contains all the names being used. Also, you should check everything else... DNS, firewalls, FQDNs, updates, event logs... there are literally tons of things that can go wrong when setting up Lync, and can have side effects ranging from "quite understandable" to "totally crazy".

Best Answer

Related Solutions

Exchange 2010 SSL certificate requirements for multiple domains

How to use a Multi-SAN certificate on both Lync and Exchange servers

Related Topic