SSL Cert/Exchange question

AFurryReptile

Golden Member
Nov 5, 2006
1,998
1
76
Hopefully a quick question here:

My company will be moving our Exchange server from one colocation provider to another in the coming month, and I am curious to know how this will affect the SSL certificate. My understanding is that SSL certificates from a root provider are created per-domain, and indeed we have it set up as such: mail.****.com, ****.com, autodiscover.****.com, and exch.local.

Because of this, all I should need to do is forward my domains to the new IP address, correct? There should be no need to re-key the cert? This will be the first time I have done such a thing and I would like to make the transition as smooth as possible.

Thanks for any help guys
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
The cert is tied to the fully qualified domain name, not the IP. You'll be fine cert wise.
 

Lithium381

Lifer
May 12, 2001
12,458
2
0
The cert is tied to the fully qualified domain name, not the IP. You'll be fine cert wise.

Be careful, you *CAN* tie a cert to an IP address, if you use that as the hostname/CN when getting it signed. . . which can cause some issues with trust
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Be careful, you *CAN* tie a cert to an IP address, if you use that as the hostname/CN when getting it signed. . . which can cause some issues with trust

LOL! Will the public cert authorities even allow you to? That would be dumb.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
LOL! Will the public cert authorities even allow you to? That would be dumb.

Probably not, but you could add an IP address to the SAN on a cert, similarly to how you'd add a non-public TLD. Either way, cert authorities will reissue SAN changes very easily.
 

Jamsan

Senior member
Sep 21, 2003
795
0
71
Don't forget to also export the private key(s) when exporting the certificates. Those will be required to decrypt the traffic on the new provider.
 

AFurryReptile

Golden Member
Nov 5, 2006
1,998
1
76
Don't forget to also export the private key(s) when exporting the certificates. Those will be required to decrypt the traffic on the new provider.

It's the same server, same cert provider. I'm literally just moving the server from one location to another. Even the internal IP will stay the same.

And yeah, no IP addresses in my FQDN
 

Lithium381

Lifer
May 12, 2001
12,458
2
0
LOL! Will the public cert authorities even allow you to? That would be dumb.

Don't think I've ever tried with the big cert-houses . . . but I've run across this when people use an internal company CA or whatnot and accidentally type in the IP instead of the FQDN
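
The name-versus-IP point from the replies above, as an added example that is not part of the original thread: a simplified SAN matcher over the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`, showing that a name-based cert is unaffected by an IP change while an IP-only cert stops matching. Assumptions: `example.com` stands in for the masked domain, the IPs are documentation addresses, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (not from the thread): SANs in getpeercert() form.
NAME_CERT = {"subjectAltName": (("DNS", "mail.example.com"), ("DNS", "example.com"),
                                ("DNS", "autodiscover.example.com"), ("DNS", "exch.local"))}
IP_CERT = {"subjectAltName": (("IP Address", "192.0.2.10"),)}
OLD_IP, NEW_IP = "192.0.2.10", "198.51.100.20"


def _dns_match(pattern, host):
    """Compare a DNS SAN with a hostname; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(cert, target):
    """True if the name or IP literal the client connects to appears in the SANs."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are compared only with "IP Address" entries, never DNS ones.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    # Hostname check: the server's current IP is not an input at all.
    return any(k == "DNS" and _dns_match(v, target) for k, v in sans)


def migration_report(cert, names, old_ip, new_ip):
    """Which client targets still validate against the same cert after the move."""
    targets = list(names) + [old_ip, new_ip]
    return {t: cert_covers(cert, t) for t in targets}


if __name__ == "__main__":
    names = ["mail.example.com", "autodiscover.example.com"]
    for label, cert in (("name-based", NAME_CERT), ("IP-only", IP_CERT)):
        print(label, migration_report(cert, names, OLD_IP, NEW_IP))
```
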
 

AFurryReptile

Golden Member
Nov 5, 2006
1,998
1
76
Hey guys,

Sorry to bump but I have a second, related question:

I kind of inherited the server, but had to purchase a firewall and spam filter. My understanding is that since Exchange is already configured to use RPC, I should be able to simply forward port 443 to the server and client access won't be affected.

However, I believe that I will need to modify the send connector to point at the spam firewall on port 25, and the spam firewall outbound on port 25. Similarly, my receive connectors should accept mail from the spam firewall, which in turn is accepting mail from the outside (port 587 for client, 25 for default). I'm a little confused about this, because some things I've read lead me to believe that mail is received on 443 as well.

Hopefully this makes sense. If there are any ports I'm forgetting, or if I'm opening up too much, I'd appreciate any advice. Unfortunately, I do not currently have access to the firewall in use, so I can't just check the port mappings.

Thanks guys!

Edit: I should note that we are using Outlook Anywhere. So essentially, I need to forward port 25 inbound/outbound, 443 inbound for client access, and (possibly) 587 for the 'client' receive connector. Is this all?
 