Need to change Digital Certificate

  • Need to change Digital Certificate

    We were using a certificate that was self signed/generated for encrypting messages. We now want to install a certificate from a 3rd party. I am not sure on the steps to remove the existing certificate and begin using the new one.
    Also any insight on what the effect of the change might be.

    Thanks in advance,

  • #2
    Re: Need to change Digital Certificate

    How much of an effect the change will have depends on whether the NAME on the certificate is the same and what you are using it for.

    For example, if your home grown certificate is and that is the same name then impact is relatively low. However if the certificate is mail.domain.local and you want to switch to then there will be a bigger impact - but that depends on what it is being used for.

    If the certificate is being used for OWA only - ie the users are entering the URL manually each time, then just tell them the new URL.
    If the certificate is being used on anything where the users have set it and then forgotten it - such as RPC over HTTPS, Windows Mobile ActiveSync, then you will need to find a way to communicate the name change.

    If you are using the name/certificate in anything internally, for example WSUS settings, then change the group policy to use the new name.

    Also ensure that the name resolves internally.

    As for the certificate change itself, you have two methods.

    1. Use the current web site. Major downside is the time between removing the old certificate to create a new one and the point the new certificate turns up and is installed.
    2. Create a temporary web site somewhere - even on Windows XP will do, creating the certificate request there. Process the response there and then export the certificate and copy it across to the live machine. Downtime is minimal - a few minutes while you switch the certificates over.

    Of the two, I usually do the second one for the change from self generated to commercial. Once you have a commercial certificate in place it is not a problem unless you are changing provider as you can process a renewal which leaves the current certificate in place.

    Whichever method you decide to use, the process is the same.

    1. Open IIS Manager and then your web site.
    2. Right click on the Web Site and choose Properties. Remember certificates apply to sites, not directories.
    3. Click on the tab "Directory Security"
    4. Click on the button "Server Certificate" to start the wizard.

    Now step through the wizard. If you are using the live site you will have to remove the certificate and then start the wizard again to generate a new request.
    If you are using a new site that doesn't have SSL on it, then simply choose New Request. Step through the wizard, choosing to Generate Request but send later when prompted.

    After you have generated the request, you will have a file. It is VERY IMPORTANT that you DO NOT run the wizard again until you have received the result from your certificate supplier. When you do, run the wizard to process the request. DO NOT DELETE THE REQUEST - as the result from the supplier will become invalid.

    Once you have processed the request, you can then export the certificate by running the wizard again. I always export the certificate after the process has completed and then put it somewhere to be picked up by the backups. Test the export by importing it in to another server somewhere.

    It isn't a difficult process, as long as you do everything in the right order.

    Simon Butler
    Exchange MVP

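As an added example, not from the post above: a PowerShell pre-swap check for the two things the answer stresses, that the names users and devices have saved (OWA, ActiveSync, RPC over HTTPS, WSUS in group policy) are actually on the new certificate and resolve internally, followed by the export with private key for the backups. It assumes a Windows 8 / Server 2012 or later host (PKI and DnsClient modules) rather than the IIS 6 wizard, and the host names in $ServiceNames are constructed.

```powershell
# Added example (not from the post). Assumes Windows 8 / Server 2012 or later
# (PKI and DnsClient modules) and CONSTRUCTED host names in $ServiceNames.
param(
    # Thumbprint of the new commercial certificate, already processed into LocalMachine\My.
    [Parameter(Mandatory = $true)] [string] $Thumbprint,
    # Names users and devices have saved: OWA, ActiveSync, RPC over HTTPS, WSUS in GPO...
    [string[]] $ServiceNames = @('mail.example.com', 'autodiscover.example.com'),
    [string] $BackupPath = 'C:\CertBackup\new-cert.pfx'
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    # Happens when the supplier response is processed on a machine other than the one that made the request.
    throw 'Certificate has no private key; process the supplier response where the request was generated'
}
if ($cert.NotAfter -lt (Get-Date)) { throw 'Certificate has already expired' }

# Every name the certificate covers: the Subject CN plus all Subject Alternative Names.
$covered = @($cert.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() })
Write-Host "Certificate names: $($covered -join ', ')"

$problems = 0
foreach ($name in $ServiceNames) {
    $n = $name.ToLowerInvariant()
    # A wildcard entry only covers one label, so *.example.com does not cover a.b.example.com.
    $match = $covered | Where-Object {
        $_ -eq $n -or ($_.StartsWith('*.') -and $n.Split('.').Count -eq $_.Split('.').Count -and $n -like $_)
    }
    if (-not $match) {
        Write-Warning "'$name' is not on the certificate: anything that saved this name will get trust warnings"
        $problems++
    }
    # The post's "ensure that the name resolves internally".
    try { $null = Resolve-DnsName -Name $name -ErrorAction Stop }
    catch { Write-Warning "'$name' does not resolve from this host"; $problems++ }
}

if ($problems -gt 0) { throw "$problems problem(s) found; fix them before switching the site to this certificate" }

# Export with the private key so the backups pick it up; test it by importing on another server.
$null = New-Item -ItemType Directory -Path (Split-Path -Parent $BackupPath) -Force
$pfxPassword = Read-Host -Prompt 'Password for the PFX export' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $BackupPath -Password $pfxPassword | Out-Null
Write-Host "Exported $($cert.Subject) (thumbprint $Thumbprint) to $BackupPath"
```

Run it from an elevated prompt before binding the new certificate to the site; a warning for a name means that name change has to be communicated or fixed in DNS/GPO first.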