HELP SAN Cert ??? (Full Version)



wade001 -> HELP SAN Cert ??? (13.Dec.2007 1:59:26 PM)

I am building an EX07 environment that will span multiple AD sites and incorporate several CAS servers; over time additional CAS servers will be installed.  If I understand the SAN cert issue, I can purchase a third-party cert compiled with all the internal and external common names that may be referenced by my clients when connecting, but how do I reuse the same cert with each additional CAS server install? I intend to have two load-balanced CAS servers in the default site that will handle Internet requests and proxy the requests to the appropriate backend CAS server.  In this scenario the internal CAS servers will typically only be referenced by their internal FQDN to Outlook 2007 clients.   I do not see how I can create a SAN cert that would then be reused by several CAS servers???

In our current EX03 environment we have two FE OWA servers supporting proxy for 43 backend servers in 35 sites.  A shared common name allows us to use one SSL cert for this configuration...  I would like to simulate the 03 config and avoid keeping track of 40 certs and expirations and the extra $$$ for more certs.




Henrik Walther -> RE: HELP SAN Cert ??? (13.Dec.2007 4:33:00 PM)

Amongst other things this article contains information on how you export a SAN cert from one server and import it on another:

http://www.msexchange.org/articles_tutorials/exchange-server-2007/high-availability-recovery/load-balancing-exchange-2007-client-access-servers-windows-network-technology-part3.html




wade001 -> RE: HELP SAN Cert ??? (14.Dec.2007 9:05:23 AM)

Thanks for the response. My concern is that with each new CAS server I bring up, the SAN section of the copied cert would need to include the new CAS server's NetBIOS name and internal FQDN.

This is what makes me think I cannot reuse the original third-party cert I create, as it will not have the names of future CAS servers.

Also, is there a requirement for the CN (common name) value to be one of the SAN names, like owa.domain.com??   In your example the CN value is the root domain name only: CN=Exchangehosting.dk

I am just confused, as with older certs the Common Name was required to be the full URL.




wade001 -> RE: HELP SAN Cert ??? (20.Dec.2007 7:20:32 AM)

Digicert's website does a good job of explaining the common name issue.

What should I use for the Common Name?
Short answer: Use the name that would be used by your mobile devices. In most cases, this will be a FQDN which points to the public IP of your exchange server.
Long answer: The most common form of name matching is for the SSL client to compare the server name it connected to with the common name in the server's certificate. Common Name matching will be supported by all SSL clients.
Most mobile devices support Subject Alternative Names, and most support Wildcard certificates, but all of them support exact Common Name matching.
If the SSL client supports SANs (Subject Alternative Names) and there is a SAN extension in the server's certificate, then the client will ignore the subject common name entirely and try to match the server name to one of the names in the SAN list. (This is why you will always see the subject common name repeated in the SAN list.)
  • Windows Mobile 5 supports subject alternative names.
  • Newer Palm Treo devices use WM5, but the older ones run PalmOS and use VersaMail for ActiveSync.
  • The older Treos do not support SAN name matching.
  • There are other mobile devices that don't support SAN name matching either, so it's safest to set your common name to the name that most mobile devices will be using.
  • All popular browsers (IE, FF, Opera, Safari, Netscape) have supported SANs since 2003 (MS IE has supported them since Windows 98)
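The matching rule quoted above (SAN-aware clients ignore the CN once a SAN extension is present; legacy clients compare only the CN) is easy to get wrong when planning which names to put on a cert, so here is a small checker written as an added example for this thread, not code from Digicert or Microsoft. The certificate model, the hostnames and the wildcard handling are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class CertNames:
    """The two name fields a client reads from a server certificate (constructed model)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)  # dNSName entries of the SAN extension

def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison of one certificate name with the host the client
    connected to. A wildcard is honoured only as the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False

def hostname_matches(cert: CertNames, hostname: str, client_supports_san: bool = True) -> bool:
    """Rule from the post: a SAN-aware client ignores the CN entirely once the
    certificate carries a SAN extension; a client without SAN support (the older
    PalmOS Treos) only ever compares the CN."""
    if client_supports_san and cert.san_dns:
        return any(name_matches(n, hostname) for n in cert.san_dns)
    return name_matches(cert.common_name, hostname)

def audit(cert: CertNames, hostnames: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """For every name clients will use, report (SAN-aware client OK, legacy client OK)."""
    return {h: (hostname_matches(cert, h, True), hostname_matches(cert, h, False))
            for h in hostnames}

if __name__ == "__main__":
    # Constructed certificate: CN repeated in the SAN list, plus internal CAS names.
    cert = CertNames("owa.example.com",
                     ["owa.example.com", "autodiscover.example.com",
                      "cas01.corp.example.local", "cas01"])
    # Names clients may connect to, including a CAS server (cas02) that did not
    # exist when the certificate was requested, which is the OP's concern.
    wanted = ["owa.example.com", "cas01", "cas01.corp.example.local",
              "cas02.corp.example.local"]
    for host, (san_ok, legacy_ok) in audit(cert, wanted).items():
        print(f"{host:28} SAN-aware: {san_ok!s:5} legacy (CN only): {legacy_ok}")
```

Running it shows why the CN must be repeated in the SAN list and why an internal-only name such as cas01 fails for a CN-only client even when it is on the cert.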



