01-29-2015 06:49 AM
Hi,
We have an IronPort C170 and Exchange 2010. Our GoDaddy certificate is installed on the Exchange server and is enabled for SMTP. We want to enable TLS on the IronPort, but we have to install a certificate there as well to match the domain name. So my question is: do we need two certificates, or do I just move the one we have from Exchange to the IronPort? If the certificate is installed on the IronPort, then we shouldn't need it on the Exchange anymore?
Thanks
01-29-2015 08:00 AM
What kind of cert is it? Wildcard? SAN? or just a single name?
What's the name on it? What do your MX records look like? What else are you running on the Exchange box that might need a cert (OWA? IMAP? etc)
The cert on the IronPort doesn't have to match the domain, it has to match the MX/A record for the domain.
01-29-2015 08:05 AM
It's a SAN on the Exchange - the name matches our MX record, and we run OWA and IMAP also on the Exchange. The cert on the IronPort must match our MX record. So do we just move the cert from the server to the IronPort because that's where the emails are routed, or do we get another cert for the IronPort that also matches our MX?
01-29-2015 08:24 AM
Export it from Exchange, put it on the IronPort.
You don't have to buy a separate one.
You may need to change the default receive connector config on the Exchange box so it doesn't have the same name as your MX any longer. And un-assign the cert from SMTP... if you want TLS between Exchange and IronPort, you can assign the cert that Exchange created at install to SMTP.
01-29-2015 08:31 AM
hi thanks, so:
keep the cert on the exchange and remove SMTP but keep IMAP etc
export the cert and install on the ironport
change default receive connector FQDN to something else
Can you clarify the last bit again - "if you want TLS between exchange and ironport, you can assign the cert that Exchange created at install to SMTP"
I didn't understand that part
thanks
01-29-2015 08:53 AM
You can have TLS turned on between the Exchange box and the Ironport box.
Exchange will need a cert, but you don't want to use the cert that you're using now.
When Exchange was installed, it created a cert that matches the machine name of the box it got installed on. You can assign that one to SMTP if you need it.
I don't run TLS between the SMTP box and Ironport, some people do...
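Added example, not part of any post in this thread: a Python check of the name matching discussed above, showing which hops a single SAN certificate covers. The host names and SAN list are constructed placeholders (assumptions), and the wildcard rule is the usual left-most-label convention rather than anything IronPort-specific.

```python
# Added example: all names below are constructed placeholders.

def name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate name with a host name, label by label.

    A wildcard is honoured only as the entire left-most label and never
    directly above a top-level domain, so "*.com" matches nothing.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(san_names, host):
    """True if any name on the certificate matches the host a client dials."""
    return any(name_matches(n, host) for n in san_names)


def check_hops(san_names, hops):
    """Map each hop description to whether the certificate covers its host."""
    return {hop: cert_covers(san_names, host) for hop, host in hops.items()}


# Constructed SAN list of the public certificate exported from Exchange.
PUBLIC_SAN = ["mail.example.com", "owa.example.com", "imap.example.com"]

# Constructed host names for each connection in the mail path.
HOPS = {
    "internet -> IronPort (MX target)": "mail.example.com",
    "mail domain itself": "example.com",
    "IronPort -> Exchange (machine name)": "exch01.corp.example.local",
}

if __name__ == "__main__":
    for hop, ok in check_hops(PUBLIC_SAN, HOPS).items():
        print(f"{'covered' if ok else 'NOT covered':12} {hop}")
```

The uncovered machine name is why a different certificate, such as the one Exchange created at install, is assigned to SMTP for the internal hop.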
02-24-2015 08:37 AM
Thanks - I sorted it by exporting from Exchange and into the IronPort
Thanks again
02-06-2024 02:29 AM
To activate TLS on the IronPort, you will need to use a separate certificate. While your GoDaddy certificate on the Exchange server encrypts email traffic, the IronPort requires a separate certificate.
Moving an old certificate from Exchange to IronPort is not recommended because each device needs its own certificate for security reasons.
Obtain a fresh certificate for the IronPort that includes the correct domain name to ensure secure TLS connections. Keep the GoDaddy certificate on the Exchange server to ensure secure communication.
Having different certificates for each device ensures that they may independently confirm their identities, hence improving overall security.
To know more about "SSL Certificate Installation", You can follow the Cheap SSL Shop's Blog >>>> www. cheapsslshop. com / csr-generation-ssl-installation-tutorials