I would like to create an SSL certificate with multiple subject alternative names with my internal PKI so that I can use ISA Server 2006 to secure OWA and ActiveSync. Importing the root CA to different machines and PDAs is pretty simple, but my ActiveSync fails because the SSL cert issued has a common name associated with the internal domain. This is not a problem with OWA, as the warning can just be clicked through by users. It is ActiveSync which does not allow this.
I found a knowledge base article, http://support.microsoft.com/kb/931351 which shows a way to do this. By default, a CA that is configured on a Windows Server 2003-based domain controller does not issue certificates that contain the Subject Alternative Name (SAN) extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service. Press ENTER after each command.
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
I have completed this step on my Windows 2003 enterprise sub CA. I did not on my Windows 2003 standalone root CA, as it only issues one CA every two years to the enterprise Sub CA.
The rest of the article shows how to request the certificate via Web GUI, and also via certreq. Another source shows how to create a request using the "New-ExchangeCertificate" in the Exchange Management Shell. The Exchange Management Shell method would seem to be the better way to go. The Microsoft documentation at http://technet.microsoft.com/en-us/library/aaa995942.aspx is a little sketchy on details IMHO.
Has anyone created an SSL cert with multiple SANs using an internal Windows 2003 enterprise subCA and could provide me with a detailed step-by-step or a web link?
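For anyone following the certutil/certreq route from KB931351 end to end, here is an added, worked example of the whole procedure as a PowerShell script. It is illustration only: it is not from the original post, the KB article, or Microsoft, and the host names (mail.example.com, autodiscover.example.com, mail.corp.local), the CA config string "subca.corp.local\Corp Sub CA", the template name WebServer and the C:\certs paths are placeholder assumptions to be replaced with your own. It puts both the external name and the internal .local name in the SAN so one certificate matches whichever name the client connects to, and it checks afterwards that the SAN actually survived issuance, because when the EditFlags step is skipped the CA drops the SANs silently and you only find out when ActiveSync fails.

```powershell
# Added example, not from the original post or KB931351. Placeholder assumptions:
# host names, the CA config string, the WebServer template and the C:\certs paths.
# Step 1 runs on the enterprise sub CA; steps 2-4 run on the Exchange/IIS box.

# --- Step 1 (on the CA): allow SAN attributes supplied with a request ----------
# Record the current value first so the change is auditable. This flag lets any
# account with enroll rights on a template add arbitrary SANs, so keep the
# WebServer template's enrollment ACL tight and review issued certificates.
certutil -getreg policy\EditFlags
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

# --- Step 2 (on the Exchange box): build the request from an INF file ----------
# Single-quoted here-string so "$Windows NT$" is not interpolated by PowerShell.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=mail.example.com, O=Example, C=US"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = WebServer
SAN = "dns=mail.example.com&dns=autodiscover.example.com&dns=mail.corp.local"
'@
New-Item -ItemType Directory -Path C:\certs -Force | Out-Null
Set-Content -Path C:\certs\owa.inf -Value $inf

# Generates the key pair in the machine store and writes the PKCS#10 request.
certreq -new C:\certs\owa.inf C:\certs\owa.req

# --- Step 3: submit to the enterprise sub CA and install the issued cert -------
# The SAN could instead be passed here with -attrib "SAN:dns=...&dns=..." as the
# KB shows; with the INF above it is already inside the request.
certreq -submit -config "subca.corp.local\Corp Sub CA" C:\certs\owa.req C:\certs\owa.cer
certreq -accept C:\certs\owa.cer

# --- Step 4: verify the SAN extension is really in the issued certificate ------
# A CA without EDITF_ATTRIBUTESUBJECTALTNAME2 (or not restarted after setting it)
# issues a cert with no SAN, which is the ActiveSync name-mismatch failure above.
$dump = certutil -dump C:\certs\owa.cer | Out-String
foreach ($name in 'mail.example.com', 'autodiscover.example.com', 'mail.corp.local') {
    if ($dump -notmatch [regex]::Escape($name)) {
        throw "Issued certificate is missing SAN entry $name; check EditFlags on the CA."
    }
}
"SAN check passed; bind C:\certs\owa.cer (now in the machine store) to the IIS site."
```

The verification loop is the part worth keeping even if you request the certificate another way (Web enrollment or New-ExchangeCertificate): certutil -dump prints the Subject Alternative Name extension when it is present, so a request that was silently stripped is caught before the certificate is bound to IIS or pushed to devices.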
After speaking with MSFT today, they admitted that ISA 2006 with SAN (subject alternative name) certificates is not supported and does not work - yet. Hopefully, a hot fix will be coming shortly. The only way to effectively accomplish the same result is to use multiple IP addresses on the public side of ISA, with multiple SSL certs bound to the Web Listeners, pointing to the internal Exchange 2007 web sites. Oh, don't try using wildcard certificates either - Exchange 2007 doesn't support using wildcard certs.
I hope they come up with a fix before I head to Europe next month :)
In the meantime, could you point me to a HOW-TO on using multiple certificates on the same Exchange 2007/IIS box and multiple SSL listeners on ISA 2006?
More to the point, is there a way to name a cert with the common name of the external IP address (ISA Server 2006) that can be used on the internal Exchange 2007 box which has a xx.yy.local domain name (where yy.local is the internal AD domain)?