Exchange Server Forums
How to Create an SSL Cert with multiple subject alternative names?

How to Create an SSL Cert with multiple subject alterna... - 8.Apr.2007 11:15:33 PM   
hunglikethor

 

Posts: 59
Joined: 13.Oct.2006
Status: offline
I would like to create an SSL certificate with multiple subject alternative names with my internal PKI so that I can use ISA Server 2006 to secure OWA and ActiveSync. Importing the root CA to different machines and PDAs is pretty simple, but my ActiveSync fails because the SSL cert issued has a common name associated with the internal domain. This is not a problem with OWA, as the warning can just be clicked through by users. It is ActiveSync which does not allow this.

I found a knowledge base article, http://support.microsoft.com/kb/931351
which shows a way to do this. By default, a CA that is configured on a Windows Server 2003-based domain controller does not issue certificates that contain the Subject Alternative Name (SAN) extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service. Press ENTER after each command.


certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

I have completed this step on my Windows 2003 enterprise sub CA. I did not on my Windows 2003 standalone root CA, as it only issues one CA every two years to the enterprise Sub CA.


The rest of the article shows how to request the certificate via Web GUI, and also via certreq. Another source shows how to create a request using "New-ExchangeCertificate" in the Exchange Management Shell. The Exchange Management Shell method would seem to be the better way to go. The Microsoft documentation at http://technet.microsoft.com/en-us/library/aaa995942.aspx is a little sketchy on details IMHO.

Has anyone created an SSL cert with multiple SANs using an internal Windows 2003 enterprise sub CA and could provide me with a detailed step-by-step or a web link?

Thanks in advance!


Edward Ray
Post #: 1
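As an added, end-to-end example of the procedure the post above sketches (not code from the thread or from KB 931351): generate the request with New-ExchangeCertificate on the Exchange 2007 server, submit it to the enterprise sub CA with certreq, verify that every SAN survived issuance, then import and bind the certificate to IIS. The CA config string, template name, host names and file paths are assumptions to replace with your own; the New-ExchangeCertificate -Path syntax is the Exchange 2007 form. One caveat a practitioner should weigh before running the certutil -setreg line quoted above: EDITF_ATTRIBUTESUBJECTALTNAME2 lets any principal who can enroll for any template on that CA add arbitrary SAN values (DNS names or UPNs) as a request attribute, so the CA will sign names the requester does not own. Scope it to a CA that only issues to administrators, or prefer a template whose subject is "Supply in the request" with tight enrolment permissions, and clear the flag when you are done.

```powershell
# Added example, not part of the original post. All values below are assumptions.
$CaConfig = "subca01.yy.local\Contoso Issuing CA"   # assumed: "host\CA name" as shown by 'certutil -dump'
$Template = "WebServer"                             # assumed: template with Subject "Supply in the request"
$ReqFile  = "C:\certreq\owa.req"
$CerFile  = "C:\certreq\owa.cer"

# Public name first (it becomes the CN that ActiveSync clients check), then internal names.
$PublicName   = "mail.example.com"                  # assumed external FQDN published on ISA
$InternalName = "exch01.yy.local"                   # assumed internal host name (xx.yy.local in the post)
$Names = @($PublicName, "autodiscover.example.com", $InternalName, "exch01")

# 0. Check the CA's policy flags; with EDITF_ATTRIBUTESUBJECTALTNAME2 set the flag list
#    printed here includes it. If it is not set, the SAN: attribute in step 2 is ignored.
certutil -config $CaConfig -getreg policy\EditFlags

# 1. Generate the CSR on the Exchange 2007 CAS. -DomainName populates the SAN extension.
New-ExchangeCertificate -GenerateRequest -Path $ReqFile -KeySize 2048 `
    -SubjectName "C=US, O=Example, CN=$PublicName" `
    -DomainName $Names -PrivateKeyExportable $true `
    -FriendlyName "OWA/ActiveSync multi-SAN"

# 2. Submit to the enterprise sub CA. The CSR already carries a SAN extension; the SAN:
#    attribute (KB 931351 form) repeats the names for a CA that only honours the attribute.
#    certreq separates attribute pairs with a literal backslash-n, hence the single quotes.
$SanAttr = ($Names | ForEach-Object { "dns=$_" }) -join "&"
$Attrib  = 'CertificateTemplate:' + $Template + '\nSAN:' + $SanAttr
certreq -submit -config $CaConfig -attrib $Attrib $ReqFile $CerFile

# 3. Refuse to go further if the CA silently dropped any name (the default 2003 behaviour).
$present = (certutil -dump $CerFile) -match "DNS Name="
$missing = $Names | Where-Object { -not ($present -match [regex]::Escape($_)) }
if ($missing) { throw "CA dropped SAN entries: $($missing -join ', ')" }

# 4. Complete the pending request and bind the cert to IIS (OWA, ActiveSync, Autodiscover).
Import-ExchangeCertificate -Path $CerFile | Enable-ExchangeCertificate -Services IIS
Get-ExchangeCertificate -DomainName $PublicName | Format-List Thumbprint, CertificateDomains, Services
```

Run steps 1 and 4 in the Exchange Management Shell on the Client Access server and step 2 from any domain-joined box that can reach the CA. Step 3 is the check worth keeping even after the CA is fixed: a certificate that lost its SANs imports and binds without complaint, and the failure only shows up later as the ActiveSync name-mismatch error described in the post.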
RE: How to Create an SSL Cert with multiple subject alt... - 12.Apr.2007 8:19:47 PM   
myersnet@comcast.net

 

Posts: 2
Joined: 12.Apr.2007
Status: offline
After speaking with MSFT today, they admitted that ISA 2006 with SAN (subject alternative name) certificates is not supported and does not work - yet. Hopefully, a hot fix will be coming shortly. The only way to effectively accomplish the same result is to use multiple IP addresses on the public side of ISA, with multiple SSL certs bound to the Web Listeners, pointing to the internal Exchange 2007 web sites. Oh, don't try using wildcard certificates either - Exchange 2007 doesn't support using wildcard certs.

(in reply to hunglikethor)
Post #: 2
RE: How to Create an SSL Cert with multiple subject alt... - 13.Apr.2007 1:37:48 AM   
Henrik Walther

 

Posts: 6928
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
I can confirm this too and it's a big disappointment. But I also know the respective ISA team is working hard on a fix for this issue.


_____________________________

HTH
Henrik Walther
Lead Moderator/author
MSExchange.org

Follow me on Twitter!

(in reply to myersnet@comcast.net)
Post #: 3
RE: How to Create an SSL Cert with multiple subject alt... - 13.Apr.2007 12:27:27 PM   
hunglikethor

 

Posts: 59
Joined: 13.Oct.2006
Status: offline
I hope they come up with a fix before I head to Europe next month :)

In the meantime, could you point me to a HOW-TO on using multiple certificates on the same Exchange 2007/IIS box and multiple SSL listeners on ISA 2006?

More to the point, is there a way to name a cert with the common name of the external IP address (ISA Server 2006) that can be used on the internal Exchange 2007 box which has a xx.yy.local domain name (where yy.local is the internal AD domain)?

(in reply to Henrik Walther)
Post #: 4
RE: How to Create an SSL Cert with multiple subject alt... - 13.Apr.2007 10:06:08 PM   
myersnet@comcast.net

 

Posts: 2
Joined: 12.Apr.2007
Status: offline
For a good reference to publishing Exchange Server 2007 with ISA Server 2006, see the following URL link:

http://www.microsoft.com/technet/isa/2006/deployment/exchange.mspx

The article is called: Publishing Exchange Server 2007 with ISA Server 2006, dated January 31, 2007.

A second reference for ISA 2006 Authentication is:

http://www.microsoft.com/technet/isa/2006/authentication.mspx

The article is called: Authentication in ISA Server 2006, dated unknown.


One other good article on certificates with Exchange 2007 is at:

https://blogs.pointbridge.com/Blogs/greve_david/Lists/Posts/Post.aspx?ID=8

These articles will help.

Mark Myers

(in reply to hunglikethor)
Post #: 5