Exchange Server Forums
HELP SAN Cert ???
HELP SAN Cert ??? - 13.Dec.2007 1:59:26 PM
wade001
Posts: 35
Joined: 26.Nov.2007
Status: offline
I am building an EX07 environment that will span multiple AD sites and incorporate several CAS servers; over time additional CAS servers will be installed. If I understand the SAN cert issue, I can purchase a third-party cert compiled with all the internal and external common names that may be referenced by my clients when connecting, but how do I reuse the same cert with each additional CAS server install? I intend to have two load-balanced CAS servers in the default site that will handle internet requests and proxy the requests to the appropriate backend CAS server. In this scenario the internal CAS servers will typically only be referenced by their internal FQDN to Outlook 2007 clients. I do not see how I can create a SAN cert that would then be reused by several CAS servers??? In our current EX03 environment we have two FE OWA servers supporting proxy for 43 backend servers in 35 sites. A shared common name allows us to use one SSL cert for this configuration... I would like to simulate the 03 configs and avoid keeping track of 40 certs and expirations and the extra $$$ for more certs.
< Message edited by wade001 -- 13.Dec.2007 2:02:41 PM >
RE: HELP SAN Cert ??? - 14.Dec.2007 9:05:23 AM
wade001
Posts: 35
Joined: 26.Nov.2007
Status: offline
Thanks for the response. My concern is that with each new CAS server I bring up, the SAN section of the copied cert would need to include the new CAS server's NetBIOS name and internal FQDN. This is what makes me think I cannot reuse the original third-party cert I create, as it will not have the names of future CAS servers. Also, is there a requirement for the CN (common name) value to be one of the SAN names, like owa.domain.com?? In your example the CN value is the root domain name only, CN=Exchangehosting.dk. I am just confused, as with older certs the Common Name was required to be the full URL.
< Message edited by wade001 -- 14.Dec.2007 4:56:15 PM >
RE: HELP SAN Cert ??? - 20.Dec.2007 7:20:32 AM
wade001
Posts: 35
Joined: 26.Nov.2007
Status: offline
Digicert's website does a good job of explaining the common name issue.

What should I use for the Common Name?

Short answer: Use the name that would be used by your mobile devices. In most cases, this will be a FQDN which points to the public IP of your Exchange server.

Long answer: The most common form of name matching is for the SSL client to compare the server name it connected to with the common name in the server's certificate. Common Name matching will be supported by all SSL clients. Most mobile devices support Subject Alternative Names, and most support Wildcard certificates, but all of them support exact Common Name matching. If the SSL client supports SANs (Subject Alternative Names) and there is a SAN extension in the server's certificate, then the client will ignore the subject common name entirely and try to match the server name to one of the names in the SAN list. (This is why you will always see the subject common name repeated in the SAN list.)
- Windows Mobile 5 supports subject alternative names.
- Newer Palm Treo devices use WM5, but the older ones run PalmOS and use VersaMail for ActiveSync.
- The older Treos do not support SAN name matching.
- There are other mobile devices that don't support SAN name matching either, so it's safest to set your common name to the name that most mobile devices will be using.
- All popular browsers (IE, FF, Opera, Safari, Netscape) have supported SANs since 2003 (MS IE has supported them since Windows 98).
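The matching rule quoted from Digicert above (SAN-aware clients ignore the CN once a SAN extension is present; legacy clients match the CN only) is easy to misread, and it also answers the first post's worry about adding CAS servers later. The following is an added example, not code from the thread or from any vendor: it models the name fields of a certificate as a plain Python object and implements that decision rule, including single-label wildcard matching. All host names (`mail.example.com`, `cas01.corp.example.local`, and so on) are constructed sample values.

```python
# Added example (not from the forum thread): how an SSL client decides whether
# a server certificate matches the host name it connected to, following the
# rule quoted above. If the certificate carries a Subject Alternative Name
# (SAN) extension, a SAN-aware client ignores the subject Common Name (CN)
# entirely and matches only against the SAN dNSName entries; a client without
# SAN support matches the CN only. Certificates are modelled as small dataclass
# instances; every host name below is a constructed sample, not a real host.

from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    """Minimal stand-in for the name fields of an X.509 certificate."""
    common_name: str
    san_dns_names: List[str] = field(default_factory=list)


def _match_one(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a host name.

    Comparison is case-insensitive. A wildcard is honoured only as the whole
    leftmost label ("*.example.com") and matches exactly one label, which is
    the usual browser behaviour; bare "*.com"-style patterns are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # wildcard must be the entire leftmost label
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False  # too broad, or the wildcard would span several labels
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert: Cert, hostname: str, client_supports_san: bool = True) -> bool:
    """Return True if this client would accept `cert` for `hostname`."""
    if client_supports_san and cert.san_dns_names:
        # SAN present and understood: the CN is ignored completely.
        return any(_match_one(n, hostname) for n in cert.san_dns_names)
    # No SAN extension, or a legacy client: exact CN matching only.
    return _match_one(cert.common_name, hostname)


def names_rejected_by(cert: Cert, hostnames: List[str],
                      client_supports_san: bool = True) -> List[str]:
    """Which of the given host names would this client refuse for this cert?"""
    return [h for h in hostnames if not match_hostname(cert, h, client_supports_san)]


# Constructed sample: one SAN cert covering the public name plus the first CAS
# server's internal names. The CN is repeated in the SAN list so that both
# kinds of client accept the public name.
GOOD_CERT = Cert(
    common_name="mail.example.com",
    san_dns_names=["mail.example.com", "autodiscover.example.com",
                   "cas01.corp.example.local", "cas01"],
)

# Constructed sample of the mistake the quoted text warns about: the CN is not
# repeated in the SAN list, so SAN-aware clients never consider it.
CN_NOT_IN_SAN = Cert(
    common_name="mail.example.com",
    san_dns_names=["autodiscover.example.com", "cas01.corp.example.local"],
)

if __name__ == "__main__":
    hosts = ["mail.example.com", "cas01.corp.example.local",
             "cas02.corp.example.local"]  # cas02 was added after the cert was issued
    print("SAN-aware client, good cert, rejects:", names_rejected_by(GOOD_CERT, hosts))
    print("Legacy client, good cert, rejects:", names_rejected_by(GOOD_CERT, hosts, False))
    print("SAN-aware client, CN not in SAN, rejects:", names_rejected_by(CN_NOT_IN_SAN, hosts))
```

Running it shows the two points the thread circles around: a SAN-aware client rejects `cas02.corp.example.local` because that name was not in the SAN list when the cert was issued (the cert has to be reissued or the clients have to connect to a name the cert already covers), and a cert whose CN is absent from its own SAN list is accepted by a legacy client yet rejected by a SAN-aware one for the very same host name.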