1) renew the certificate as it was (and push it to all users)
2) buy a SSL certificate for this server only
3) buy a wildcard-certificate (*.domain.com) for all servers
* We (temporarely) chose to buy one SSL certificate for this mailserver and discuss the wilcard certificate issue later because this adds a certain amount of resources to our annual budget 🙂 Be aware that the prices for certificates can change a lot according to the supplier (1SSL/1year: Verisign is € 300, GlobalSign is € 190 )
*And then I had some issues;
ISSUE 1: Unified Messaging stopt working.
After research it seemed the server remembered the old vertificate and was still using it double for some instances. How to troubleshoot:
go to Exchange Management Shell (from now on we call this EMS)
here you see all the certificates known by this server. (see HERE)
“Enable-ExchangeCertificate –Thumbprint -Services imap,pop,um,iis,smtp”
“Remove-ExchangeCertificate –Thumbprint “ for all remaining certificates.
ISSUE 2: Autodiscover.domain.com is not covered by the third party SSL
This is something you can not completely solve without some workaround.
The first thing is you want this to work for you internal users. First you need to undertand what autodiscover.domain.com does; it is a tool that enables you the possibility to get exchange settings to a client whitout having to put them manually (such as rpc over https). To get this done Outlook conenction has hardcoded inside it the url autodiscover.domain.com wich is an alias url inside the exchange server. This alias is stored in de domain controller.
So … what we can do is change the URL in de domain controller.
go to EMS:
“Set-AutodiscoveryVirtualDirectory –Identity XMAIL –DomainController –ExternalUrl https://SERVER.domain.com–InternalUrl https://SERVER.domain.com”
You can check this URL on your Domain Controller with ADSIedit.msc; go to path and select properties and look fot the servicebindinginformation
What we can’t do is change that request at the clients side. You will always ge the SSL warning that the autodiscover.domain.com is not covered by the certificate. Click OK and work on. If you really want this issue to dissapear, you can create a second IIS server for autodiscover with its own certificate.
ISSUE 3: there remain some things that dit not work such as the Out-Of-Office assistant.
For some reason the security settings of IIS wore not correct.
Solution: go to IIS and richt-click on the default website. Select properties en go to the security tab. In the Certificate arrea select edit and disable the “require SSL” and that the client certificates are “ignored“. When you apply, do this for all child sites (OAB, Autodiscover, …)
ISSUE 4: Client authentication only accepts “basic”
Some of our users (for example domain-admins) don’t want to use basic authentication but NTLM. This is very easy to change but you just need to know the trick. It’s very important here that you don’t change this in IIS because it will be overruled by Exchange server.
go to EMS
“set-outlookanywhere –Identity –IISauthenticationmethods basic,ntlm”
“set-outlookanywhere –Identity –Clientauthenticationmethods basic “
FOOTNOTE; If you know where things can go wrong and you know where to look for the solution you must be able to have this thing working within a few hours. Maybe there are better solutions for this with a better preparation. On the other hand you’ll always get something that does not work in your specific environment.
Hope that it can be of any help to anyone.