SSLs with Coexistent Servers
I am installing a new Exchange 2010 Server to coexist (temporarily) with an Exchange 2007 server. So obviously we will need a second SSL certificate. This is what TechNet says under "Certificate Planning for Upgrade": "To support coexistence of Exchange 2003 and Exchange 2010, you'll likely have to obtain a new commercial certificate. We recommend that you obtain a certificate that supports Subject Alternative Names. However, a wildcard certificate is also supported. For more information about certificates, see Understanding Digital Certificates and SSL." To do this, are we going to need two new SSLs? One for the new server as mail.domain.com, and one for the legacy server to replace the SSL it has now (mail.domain.com) with legacy.domain.com? Or can we move the current SSL to the new server and create a new one for the legacy server? I don't understand how you do this without interrupting mail flow, which was the whole point of doing a coexistent install.
August 11th, 2011 2:20pm

You move the old cert to the E2010 CAS and create a new one for the Exchange 2007 CAS. This has nothing to do with mail flow, which is SMTP. lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
August 11th, 2011 2:38pm

So will we see any interruptions or get SSL prompts during that period when I move the SSL and request/install the new one? Thanks.
August 11th, 2011 3:34pm

No. Copying the old cert to E2010 will be unnoticed. Creating and installing a new one on the old server will be noticed if you don't include the old name in the cert as well. You can mitigate this by changing external connections to Exchange 2010 at the same time as you enable the new cert on the old server. Then users will connect to E2010 instead of the old server. Redirect or proxy to the old server will then happen depending on the protocol used. Another solution is if you have a reverse proxy: then get a new cert with multiple names, and send traffic from the reverse proxy to different CAS depending on the name used in the request from the client. lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
August 11th, 2011 3:46pm

I am a little confused by what Common Name to put on the cert request for the legacy server now. It is autofilling the present FQDN, but that does not correspond to any of the DNS changes for legacy.domain.com. Is that going to be a problem? Thanks for the answers.
August 11th, 2011 5:38pm

The name "legacy" is a name of your choice. How does your cert look today? Do you have a cert with SAN, i.e. multiple subject names? Is the server's internal FQDN included? If you have a cert with SAN, I suggest you simply add the FQDN of the new server and legacy... and use it on both servers. lasse at humandata dot se, http://anewmessagehasarrived.blogspot.com
August 12th, 2011 6:14am
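As an added illustration (not part of the thread, and not from either poster), this is what the steps Lasse describes look like in the Exchange Management Shell: move the existing cert to the 2010 CAS, then request a SAN cert for the 2007 CAS that keeps mail.domain.com alongside legacy.domain.com so clients see no name-mismatch prompt at cutover. Server names (EX2007, EX2010), the internal FQDN, file paths and the subject O/C values are placeholders; domain.com is the name used in the thread.

```powershell
# Added example: certificate moves for Exchange 2007 / 2010 coexistence.
# Run the EX2007 blocks in the Exchange 2007 shell and the EX2010 block in the
# Exchange 2010 shell; the export/import cmdlets take -Path in 2007 and
# -FileData in 2010, which is why the two blocks differ.

# --- On EX2007: identify the cert currently bound to IIS and check its names.
$old = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$old | Format-List Thumbprint, CertificateDomains, NotAfter, PrivateKeyExportable

# Export it with the private key (PFX). This only works if the key was marked
# exportable when the cert was originally requested.
$pw = Read-Host 'PFX password' -AsSecureString
Export-ExchangeCertificate -Thumbprint $old.Thumbprint -BinaryEncoded:$true `
    -Path 'C:\certs\mail-domain-com.pfx' -Password $pw   # path is a placeholder

# --- On EX2010: import the same cert and bind it to IIS and SMTP.
$pfxBytes = [Byte[]](Get-Content -Path 'C:\certs\mail-domain-com.pfx' -Encoding Byte -ReadCount 0)
$moved = Import-ExchangeCertificate -FileData $pfxBytes -Password $pw -PrivateKeyExportable $true
Enable-ExchangeCertificate -Thumbprint $moved.Thumbprint -Services 'IIS,SMTP'
Get-ExchangeCertificate -Thumbprint $moved.Thumbprint | Format-List CertificateDomains, Services

# --- Back on EX2007: request a SAN cert that includes BOTH the old public name
# and the new legacy name (plus autodiscover and the internal FQDN), as Lasse
# advises, so the swap is not noticed by clients still pointed at the old name.
New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName 'C=US, O=Contoso Ltd, CN=legacy.domain.com' `            # O/C are placeholders
    -DomainName 'legacy.domain.com','mail.domain.com','autodiscover.domain.com','ex2007.domain.local' `
    -Path 'C:\certs\legacy-request.req'

# After the CA returns the signed certificate: import, bind, and verify the
# SAN list really contains every name clients will use.
$issued = Import-ExchangeCertificate -Path 'C:\certs\legacy-request.cer'
Enable-ExchangeCertificate -Thumbprint $issued.Thumbprint -Services 'IIS,SMTP'
Get-ExchangeCertificate -Thumbprint $issued.Thumbprint | Format-List CertificateDomains, Services, NotAfter
```

Time the Enable-ExchangeCertificate on EX2007 to coincide with repointing external DNS/firewall to EX2010, as the thread suggests, and keep the old cert installed until the new one is confirmed working.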
