SSL-certificate renewal is often a rather complicated process. In this article we will describe some of the problems that you may experience when you renew an SSL-certificate (with GoDaddy).
To begin with, I should say that I am not an expert. I'm just trying to follow the instructions that are given for renewing SSL-certificates. I touch on articles about certificate renewal, starting with IIS7 for Exchange and Outlook Web Access (OWA).
Certificate suppliers tend to warn you about the end of a certificate's validity about two months or more in advance. However, even before the supplier sent the first email notifying me of the expiration, my Win2k8 server warned me that one of my certificates was about to expire. Event ID 64 started appearing more than 3 months before the certificate expired.
After receiving the e-mail, I logged into my account and followed the process described below. I have removed some of the details, such as the credit card number.
- Click on the Products tab, select SSL Certificates, and then click Renew certificate for the certificate to be updated.
- Select the number of years for which you need to renew the certificate. Click Renew, and then Checkout.
- Review the order details, then click Continue to Checkout. Complete the payment process.
- Follow the steps in the GoDaddy instructions. When you click on Request Certificate, you will see a screen where you will need to enter a new CSR.
- Enter the CSR, click Next, then Next again. You will see a screen confirming that everything went fine.
After the completion of the purchase process, we received two emails with two different verification requirements:
- For our external URL we passed the Domain Zone Control (DZC) validation process. We updated the existing DZC entry, which remained from the previous certificate.
- For our internal domains, we were asked to go to a link in an email, which I did, and then clicked on Approve. After a few minutes the Pending Request was gone and verification was completed.
Downloading and installing
After purchase and verification we needed to install the certificate. Here is what we did.
- Click on the link in the email saying that the certificate has been updated. We went back to the list of certificates on the GoDaddy website.
- Select the new certificate, and then click Download. I chose Exchange 2007 and then hit Download. I saved the downloaded zip file on the server. It contained two files.
Problems with installation of SSL-certificate on Exchange
Problem 1: The instructions for SSL-certificates worked for the most part, except that the binding to the old certificate was not automatically deleted.
Problem 2: After the transition to the new certificate, I could not connect internally to OWA. At some point, it gave me a warning that I did not understand; it turned out that the OWA site had been stopped in IIS at some point. After restarting the OWA site I was able to log in.
Then I checked OWA from outside the LAN. I checked that the errors in the event log had disappeared. They were not there. Errors can occur because the old certificate was still there, although it was not attached to anything.
Problem 3: I removed the old certificate, and I started getting Error 12014 and Warning 12024 on Exchange. These reports showed me that the new certificate had to be applied to Exchange and IIS 8. An article from Microsoft explained to me how to do it. I launched the Exchange Command Shell as administrator and used the command «Get-ExchangeCertificate | FL *», which showed me that the new certificate had been enabled only for IIS, but not for SMTP. After running the command «Enable-ExchangeCertificate -Thumbprint <my certificate thumbprint> -Services SMTP» the error disappeared.
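The check that Problem 3 points to, comparing the services on the old and new certificates before the old one is removed, as an added example that is not part of the original article. The function name, the placeholder thumbprints and the sample objects are constructed for illustration; PowerShell 2.0 or later is assumed.

```powershell
# Added example. Returns the services that the old certificate carried
# and the new certificate does not (hypothetical helper name).
function Get-MissingCertService {
    param($OldCert, $NewCert)

    # On real Get-ExchangeCertificate output, Services is a flags value
    # whose string form looks like "IIS, SMTP"; split that into names.
    $old = "$($OldCert.Services)".Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne 'None' }
    $new = "$($NewCert.Services)".Split(',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne 'None' }

    $old | Where-Object { $new -notcontains $_ }
}

# Constructed sample objects shaped like Get-ExchangeCertificate output.
# On the Exchange server, fetch the real ones instead, for example:
#   $oldCert = Get-ExchangeCertificate -Thumbprint <old certificate thumbprint>
#   $newCert = Get-ExchangeCertificate -Thumbprint <new certificate thumbprint>
$oldCert = New-Object PSObject -Property @{
    Thumbprint = 'OLD-THUMBPRINT-PLACEHOLDER'
    Services   = 'IIS, SMTP'
}
$newCert = New-Object PSObject -Property @{
    Thumbprint = 'NEW-THUMBPRINT-PLACEHOLDER'
    Services   = 'IIS'
}

# @() keeps a single result as a one-element array, so .Count is reliable.
$missing = @(Get-MissingCertService -OldCert $oldCert -NewCert $newCert)

if ($missing.Count -gt 0) {
    $list = $missing -join ','
    "Keep $($oldCert.Thumbprint) for now. Services missing on the new certificate: $list"
    # Command to run in the Exchange shell before removing the old certificate:
    "Enable-ExchangeCertificate -Thumbprint $($newCert.Thumbprint) -Services $list"
} else {
    "The new certificate covers every service of the old one."
}
```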
In general, the purchase and installation process for the Exchange SSL-certificate went smoothly, though not without some pitfalls.