Exchange Server Forums
Internal Root CA instead of self-signed certificates
Internal Root CA instead of self-signed certificates - 3.Feb.2008 8:16:37 AM
theRob
Posts: 44
Joined: 10.May2004
From: The Netherlands
Status: offline
Hi, I am struggling with a design question. In the last Exchange 2007 implementation I only had the Exchange servers in a single site. Every year the certificates must be renewed; this is no problem because I created a chapter about this in my technical design and created a how-to. For a new design I have multiple locations with mailbox and hub transport servers, and in the main site two edge transport servers. Instead of generating new certs every year I want to use a standalone root CA only for Exchange. Is this a good idea or are there any gotchas I have to consider? Thanks in advance
RE: Internal Root CA instead of self-signed certificates - 9.Feb.2008 8:53:42 AM
theRob
Posts: 44
Joined: 10.May2004
From: The Netherlands
Status: offline
We tested the setup by using a standalone root CA to issue certificates to all hub and edge transport servers. For a good test, we first installed the hub transport and edge transport servers and created an edge subscription. After all was working we then replaced the certificates with ones from the standalone root CA. For the edge transport servers, you must recreate a new edge subscription and restart the ADAM instance. After that all worked well.
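The replacement steps from the post above, written out as Exchange 2007 Management Shell commands. This is an added example, not the poster's own script; the server names (hub01.corp.example, edge01), file paths, AD site name and thumbprint are placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management
# Shell; every host name, path, site name and thumbprint below is a placeholder.

# 0. Edge servers sit in a workgroup, so Group Policy does not push the
#    internal root to them: import it into the machine's trusted root store.
certutil -addstore Root "C:\certs\internal-rootca.cer"

# 1. List certificates that expire within 30 days; the yearly self-signed
#    ones show IsSelfSigned = True here.
Get-ExchangeCertificate |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
    Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# 2. Create a request for the standalone root CA. Use the FQDN that other
#    transport servers connect to, otherwise their TLS name check fails.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=hub01.corp.example, O=Example, C=NL" `
    -DomainName "hub01.corp.example" `
    -PrivateKeyExportable $true `
    -Path "C:\certs\hub01.req"

# 3. Have the CA issue a certificate from hub01.req, copy it back as hub01.cer,
#    import it and bind it to SMTP (Import prints the new thumbprint).
Import-ExchangeCertificate -Path "C:\certs\hub01.cer"
Enable-ExchangeCertificate -Thumbprint "<thumbprint printed by Import>" -Services SMTP

# 4. Confirm SMTP now uses the CA-issued certificate, not a self-signed one.
Get-ExchangeCertificate |
    Where-Object { $_.Services -match "SMTP" } |
    Format-List Thumbprint, Issuer, IsSelfSigned, NotAfter

# 5. Edge only: the subscription is tied to the certificate in use when it was
#    created, so recreate it and restart ADAM (service name ADAM_MSExchange).
#    On the Edge server:
Remove-EdgeSubscription -Identity "edge01"
New-EdgeSubscription -FileName "C:\certs\edge01-subscription.xml"
Restart-Service ADAM_MSExchange
#    Then on a Hub server in the subscribed site (copy the XML across first):
New-EdgeSubscription -FileName "C:\certs\edge01-subscription.xml" -Site "Default-First-Site-Name"
Start-EdgeSynchronization
```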
RE: Internal Root CA instead of self-signed certificates - 10.Feb.2008 4:54:24 PM
Henrik Walther
Posts: 6928
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
That should work fine without any gotchas. BTW, bear in mind the default self-signed certificate installed during Exchange 2007 setup should only be a temporary solution that should be replaced by a cert issued either via an internal PKI or by a 3rd-party certificate provider.
_____________________________
HTH Henrik Walther Lead Moderator/author MSExchange.org Follow me on Twitter!
RE: Internal Root CA instead of self-signed certificates - 11.Feb.2008 1:52:23 AM
theRob
Posts: 44
Joined: 10.May2004
From: The Netherlands
Status: offline
Hi Henrik, I have seen some docs on TechNet regarding self-signed certificates. They say it's best practice to renew the self-signed certificates, and not replace them with internal root CA certs. Regards, Rob
RE: Internal Root CA instead of self-signed certificates - 12.Feb.2008 1:05:33 PM
theRob
Posts: 44
Joined: 10.May2004
From: The Netherlands
Status: offline
Henrik, I know the CAS servers need proper certificates; I was referring to hub and edge transport servers. Regards, Rob
RE: Internal Root CA instead of self-signed certificates - 12.Feb.2008 2:21:52 PM
Henrik Walther
Posts: 6928
Joined: 21.Nov.2002
From: Copenhagen, Denmark
Status: offline
Yes, I agree it doesn't make sense to replace the self-signed certs for transport servers, but because they expire every year it might be an idea to use certs issued by an internal PKI. Yes, I know that although the self-signed cert expires, things don't break, but it's not a good practice to use expired certs in the long run.
_____________________________
HTH Henrik Walther Lead Moderator/author MSExchange.org Follow me on Twitter!