Changing a UCC/SAN Certificate and Re-Issuing from GoDaddy

Scenario

When initially setting up the Unified Communications Certificate (UCC) certificate for Exchange, autodiscover.domain.com was not added as a Subject Alternative Name (SAN).

You need to enable autodiscover in Exchange 2010 for external devices (iOS, laptop Outlook etc.) without a security warning.

Solution

The certificate needs to be updated with autodiscover.domain.com as a SAN.

These instructions pertain to a GoDaddy certificate – other providers will likely be different.

An A record had already been created in the domain’s DNS zone pointing autodiscover.domain.com to the public IP address of the router.

As it turns out, GoDaddy offer the opportunity to drop and replace SANs from their UCC certificates at will – with domain ownership validation required if any are added, of course.

Here are the steps:

Changing the SAN on the existing UCC

  1. Log into GoDaddy web site with user number and password
  2. Open the My Account section
  3. Expand SSL Certificates and click LAUNCH
  4. Click the name of the certificate to open it
  5. Click Manage
  6. Delete unnecessary SAN with the red x
  7. Add the required SAN (autodiscover.domain.com in this case)
  8. Click OK/Done

At this point, the certificate will exist in both the Issued section (your old certificate) and the Pending section (your to-be-validated new certificate).

Give GoDaddy some time to work on validating the new SAN. I waited a few hours, logged back in, opened the certificate in the Pending section, and saw that it had stopped at “Validating Domain” (I forget the exact wording, sorry). There was a link saying “What’s the hold up?”, which I clicked.

I was told to perform some steps to validate domain control (of domain.com) by adding a TXT record with a code they provided – I did this, and the certificate was moved to the Issued section immediately.

Re-Keying the Certificate

In order to import the certificate successfully into Exchange, you must go through the process of generating a new request, then use that request to re-key the existing certificate with GoDaddy.

  1. Open Exchange Management Console
  2. Highlight the Server Configuration node
  3. At the far-right, click Generate New Certificate Request
  4. Go through the steps to define which services you will need to allocate to the certificate, making sure the appropriate FQDNs are in place. Note: the FQDNs you are requesting, including the Common Name and the new SAN you added at GoDaddy, must match those on the new GoDaddy certificate. To check them, open your existing certificate: the Common Name is shown in the Subject field on the Details tab, and the others are listed in the Subject Alternative Name field.
  5. Check that the FQDNs listed in the summary during the certificate request wizard match the ones you have defined in the new GoDaddy certificate, adding entries and setting the Common Name as necessary.
  6. Choose where to save the .req file (somewhere easy to find)
  7. Bring up your new certificate in the GoDaddy SSL Certificates control panel by clicking its name (the newer one was at the bottom of the list for me)
  8. Click the Re-Key icon
  9. Open your newly generated certreq.req in Notepad
  10. Copy everything (including the start and end of request indicators) to the clipboard
  11. Paste into the dialog box from GoDaddy and click OK (re-key?) – again I forget the exact word
  12. If you got everything right, the Re-Key will be successful
  13. Download the certificate to somewhere easy to find from your Exchange Server

Completing the Certificate Request

  1. Go back to Exchange Management Console and highlight Server Configuration
  2. Click Complete Pending Request at the far-right
  3. Specify the location of the certificate you downloaded – you will probably need to change the type of cert to BASE-64 in the drop-down
  4. Assuming success, go ahead and assign IIS, SMTP and whatever other services you want to the new certificate
  5. Test autodiscover functionality from outside the organisation
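As an added example (not part of Steve Baker's notes or this post), the request, re-key and completion steps above done from the Exchange Management Shell instead of the console, with a check up front that the names in the request really match the SANs you expect. The common name mail.domain.com, the file paths and the IIS/SMTP service assignment are assumptions for illustration.

```powershell
# Run in the Exchange Management Shell on the Exchange 2010 server.
# mail.domain.com, the paths and the service list are assumed values.
$CommonName     = 'mail.domain.com'
$RequiredNames  = @('mail.domain.com', 'autodiscover.domain.com')   # what the GoDaddy UCC now lists
$RequestPath    = 'C:\Certs\certreq.req'
$IssuedCertPath = 'C:\Certs\godaddy-rekeyed.crt'                    # file downloaded after the Re-Key

# 1. Inspect the certificate currently bound to IIS and report any SAN gaps
#    (this is the manual "open the existing certificate and compare" step).
$current = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if ($current) {
    "Current cert: $($current.Subject) (expires $($current.NotAfter))"
    "SANs on it:   $($current.CertificateDomains -join ', ')"
    $missing = $RequiredNames | Where-Object { $current.CertificateDomains -notcontains $_ }
    if ($missing) { "Missing SANs: $($missing -join ', ')" } else { "All required SANs present." }
}

# 2. Generate the new request with exactly the names the re-keyed GoDaddy certificate carries.
#    A mismatch here is what makes the Re-Key or the later import fail.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$CommonName" `
    -DomainName $RequiredNames `
    -PrivateKeyExportable $true `
    -KeySize 2048
Set-Content -Path $RequestPath -Value $request
"Request written to $RequestPath. Paste its full contents, BEGIN/END lines included, into the GoDaddy Re-Key dialog."

# 3. Once the re-keyed certificate has been downloaded, complete the pending request,
#    assign services, and confirm the private key paired with the request.
if (Test-Path $IssuedCertPath) {
    $imported = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path $IssuedCertPath -Encoding Byte -ReadCount 0))
    Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services IIS,SMTP
    Get-ExchangeCertificate -Thumbprint $imported.Thumbprint |
        Format-List Subject, CertificateDomains, Services, HasPrivateKey, NotAfter
}
```

If HasPrivateKey shows False after the import, the downloaded certificate does not belong to the request generated on this server, and the Re-Key needs to be repeated with the current .req file.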

*** A big thank you to my fellow IT Pro friend Steve Baker for these notes ***

Comments

  1. rscrash says

    This was the most helpful post I could find on the subject. Met my needs expertly. Thanks for taking the time to document this.

  2. Steve Baker says

    Hey rscrash

    I’m very pleased that the steps were useful to you, and thank you for taking the time to feed back your experience!

    Best regards

    Steve

  3. Awesome post. EXACTLY what I needed. +1 for thanks

  4. 2 years on and still a handy article, thanks! And thank goodness we only have to play with these things every 3 years or so!