SSL renewal woes - changing provider


  • SSL renewal woes - changing provider

    Just thought I would post this as (a) a warning and (b) a hope someone else has seen and resolved the same issue.

    My Exchange SSL cert (SAN cert) is within days of expiry. I use it for autodiscover and OWA only, not TLS.

    I have been a GoDaddy customer for many years and my habit has been to create a new certificate request rather than renewing the existing cert. This has always worked without problems.
    Because GoDaddy's prices have gone up by something like 60% recently, I decided to move to CertificatesForExchange.com (I believe they may be a related company, but are about 1/2 the price) so bought a 3 year Cert, created a new CSR in Exchange (omitting the internal names) and pasted it into the page, only to get the message:
    "Common name is already present in a current certificate"

    I presume this means they have checked and as there is an existing GoDaddy certificate, they are not issuing a new one?

    I have emailed their support and will see what comes up, but my thought is that I need to revoke the original certificate before requesting the new one (and will therefore lose ActiveSync connectivity as well as all sorts of problems with OWA, causing all sorts of grief with users).

    Has anyone (Sembee) met this before and resolved it in any less disruptive way?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

  • #2
    Re: SSL renewal woes - changing provider

    Yes, the two sites are linked, certificatesforexchange.com is a reseller for GoDaddy, so uses the same backend. As such it is finding a certificate is already in place. This is common with other providers - unless you do a renewal they will not allow you to have another certificate.

    If you revoke the existing certificate then you have a 24 hour window before the certificate becomes dead.

    What I have done in the past is use a single name SSL certificate from StartSSL - which is free, to cover a window while you change everything around. Not a great solution, but if you are changing provider (but not issuer) probably the only solution that will work.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: SSL renewal woes - changing provider

      Oops - that is wrong.
      Revoke is immediate, I was thinking of rekey, which allows the old certificate to work for 24 hours.

      Simon.


      • #4
        Re: SSL renewal woes - changing provider

        Cheers, Simon - I will be revoking it once we are out of UK hours and hoping the new cert gets issued quickly enough that most users won't be inconvenienced.
        Tom Jones


        • #5
          Re: SSL renewal woes - changing provider

          Well, just to put this one to bed, it all went extremely smoothly:

          Had the CSR ready
          Revoked old cert on GoDaddy (used "Information Changed" as the reason)
          Refreshed to check cert had gone
          Pasted CSR into CertificatesForExchange.com
          Got domain validation request within 5 minutes and approved
          Downloaded certificate and installed
          Tested with TestExchangeConnectivity.com - warning about certificate chain of trust, but all OK

          Total time about 15 minutes, and no-one noticed anything unusual!
          Tom Jones
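The Exchange side of the sequence described in post #5, as an added example that is not from any poster in this thread: it prepares the CSR with public names only, checks the issued file's names and chain of trust before installing (the area the TestExchangeConnectivity.com warning pointed at), then binds the certificate to IIS only. It assumes the Exchange Management Shell on Exchange 2010 or later; the hostnames and file paths are placeholders.

```powershell
# Added example. Hostnames and paths are placeholders, not values from the thread.
$names   = 'mail.example.com', 'autodiscover.example.com'   # public FQDNs only, no internal names
$reqFile = 'C:\certs\mail.example.com.req'
$cerFile = 'C:\certs\mail.example.com.crt'                  # file downloaded from the CA

# 1. Have the CSR ready before revoking anything. The pending request and its
#    private key stay on this server until the issued certificate is imported.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$($names[0])" -DomainName $names -PrivateKeyExportable $true
Set-Content -Path $reqFile -Value $csr -Encoding Ascii

# 2. Revoke the old certificate and submit $reqFile at the CA (done in the CA's portal).

# 3. Before installing, inspect the issued file: subject, expiry and SAN list.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerFile
$san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
"Subject : $($cert.Subject)"
"Expires : $($cert.NotAfter)"
"SAN     : $(if ($san) { $san.Format($false) })"

# Build the chain against the local certificate stores. A missing intermediate
# certificate typically shows up as a PartialChain status.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) $($_.StatusInformation)" }
}
$chain.ChainElements | ForEach-Object { "Chain element: $($_.Certificate.Subject)" }

# 4. Complete the pending request and enable it for IIS only
#    (autodiscover, OWA and ActiveSync; SMTP/TLS is left untouched).
$imported = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($cerFile))
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services IIS

# 5. Confirm what Exchange now reports for the new certificate.
Get-ExchangeCertificate -Thumbprint $imported.Thumbprint |
    Format-List Subject, CertificateDomains, NotAfter, Services, Status
```

If step 3 reports a chain problem, install the CA's intermediate certificate bundle into the server's Intermediate Certification Authorities store before running step 4.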