Internal root CA instead of self-signed certificates

All Forums >> [Microsoft Exchange 2007] >> Message Routing

theRob -> Internal root CA instead of self-signed certificates (3.Feb.2008 8:16:37 AM)

Hi,

I am struggling with a design question.

In my last Exchange 2007 implementation I only had the Exchange servers in a single site. Every year the certificates must be renewed; this is no problem because I created a chapter about this in my technical design and created a how-to.


For a new design I have multiple locations with mailbox and hub transport servers, and in the main site two edge transport servers.
Instead of generating new certs every year I want to use a standalone root CA only for Exchange.

Is this a good idea, or are there any gotchas I have to consider?

Thanks in advance




theRob -> RE: Internal root CA instead of self-signed certificates (9.Feb.2008 8:53:42 AM)

We tested the setup by using a standalone root CA to issue certificates to all hub and edge transport servers. For a good test, we first installed the hub transport and edge transport servers and created an edge subscription.

After all was working we then replaced the certificates with ones from the standalone root CA. For the edge transport servers, you must recreate the edge subscription and restart the ADAM instance.

After that all worked well.
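The swap described in the post above, written out as an added example for the Exchange Management Shell (this is not the poster's script or Microsoft's documentation): the self-signed SMTP certificate on an Edge Transport server is replaced by one issued from the standalone root CA, the root CA certificate is added to the machine trust store because a standalone CA is not published through Active Directory, and the Edge Subscription is re-created so the Hub servers learn the new certificate. The host name, file paths, ADAM service name and site name are assumptions and must be adjusted.

```powershell
# Added example, not code from the thread. Run step by step in the Exchange Management
# Shell; every value below is an assumption for illustration.
$EdgeFqdn    = "edge01.corp.example"           # assumed Edge Transport FQDN
$EdgeName    = "EDGE01"                        # assumed Edge server name (subscription identity)
$RequestPath = "C:\Certs\$EdgeFqdn.req"        # assumed working paths
$PfxPath     = "C:\Certs\$EdgeFqdn.pfx"
$RootCaCer   = "C:\Certs\corp-root-ca.cer"     # root certificate exported from the standalone CA
$SubFile     = "C:\Certs\EdgeSubscription.xml"
$HubSite     = "Default-First-Site-Name"       # AD site of the Hub Transport servers

# --- On the Edge Transport server --------------------------------------------
# 1. A standalone root CA is not trusted automatically; add its certificate to the
#    machine Trusted Root store so the chain of the issued certificate validates.
certutil -addstore Root $RootCaCer

# 2. Generate a request whose subject name is the FQDN the Hub servers connect to.
New-ExchangeCertificate -GenerateRequest -SubjectName "CN=$EdgeFqdn" `
    -DomainName $EdgeFqdn -PrivateKeyExportable $true -Path $RequestPath
# Submit $RequestPath to the standalone CA, issue it, and install the response
# (e.g. certreq -accept) or export the issued certificate with its key as $PfxPath.

# 3. Import the issued certificate and bind it to SMTP (the old self-signed cert stays
#    in place until the subscription has been re-established).
$cert = Import-ExchangeCertificate -Path $PfxPath -Password (Get-Credential).Password
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP

# 4. Verify which certificate now carries SMTP and that it is no longer self-signed.
Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "SMTP" } |
    Format-List Thumbprint, Subject, IsSelfSigned, NotAfter

# 5. Re-create the subscription file and restart the ADAM instance, as the post notes.
New-EdgeSubscription -FileName $SubFile
Restart-Service ADAM_MSExchange       # assumed ADAM instance name on Exchange 2007 Edge

# --- On a Hub Transport server in $HubSite -----------------------------------
# 6. Remove the stale subscription, import the new file, then force and test a sync.
Remove-EdgeSubscription -Identity $EdgeName
New-EdgeSubscription -FileName $SubFile -Site $HubSite
Start-EdgeSynchronization
Test-EdgeSynchronization
```

The check in step 4 is the one worth keeping as a routine: if `IsSelfSigned` is still true for the certificate that carries SMTP, step 3 did not take effect and step 5 would re-subscribe with the old certificate.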




Henrik Walther -> RE: Internal root CA instead of self-signed certificates (10.Feb.2008 4:54:24 PM)

That should work fine without any gotchas.

BTW, bear in mind the default self-signed certificate installed during Exchange 2007 setup should only be a temporary solution; it should be replaced by a cert issued either via an internal PKI or by a 3rd-party certificate provider.




theRob -> RE: Internal root CA instead of self-signed certificates (11.Feb.2008 1:52:23 AM)

Hi Henrik,

I have seen some docs on TechNet regarding self-signed certificates.
They say it's best practice to renew the self-signed certificates, and not replace them with internal root CA certs.

Regards,

Rob




Henrik Walther -> RE: Internal root CA instead of self-signed certificates (11.Feb.2008 9:36:39 AM)

Well then it's time to check out the documentation on this:
http://technet.microsoft.com/en-us/library/bb332063.aspx




theRob -> RE: Internal root CA instead of self-signed certificates (12.Feb.2008 1:05:33 PM)

Henrik,

I know the CAS servers need proper certificates; I was referring to hub and edge transport servers.

Regards,

Rob




Henrik Walther -> RE: Internal root CA instead of self-signed certificates (12.Feb.2008 2:21:52 PM)

Yes, I agree it doesn't make sense to replace the self-signed certs for transport servers, but because they expire every year it might be an idea to use certs issued by an internal PKI.

Yes, I know that although the self-signed cert expires, things don't break, but it's not a good practice to use expired certs in the long run.
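Both of Henrik's points above (the setup-time self-signed certificate is only temporary, and a self-signed transport certificate silently runs past its one-year expiry) come down to the same routine check: which certificates carry a service, are they self-signed, and how long until they lapse. The function below is an added example, not code from the thread; it works on any objects that expose the properties `Get-ExchangeCertificate` returns (`Thumbprint`, `Subject`, `NotAfter`, `IsSelfSigned`, `Services`), so it runs as-is against the constructed sample data here and, on a server, against the real cmdlet output. The thumbprints, names and dates are constructed; the function name and the 30-day threshold are assumptions.

```powershell
# Added example, not from the thread: classify Exchange certificates by expiry and
# self-signed status. Written for the PowerShell 1.0/2.0 shell Exchange 2007 ships with.
function Test-ExchangeCertificateHealth {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $Certificate,
        [int]$WarnDays = 30,            # assumed warning window before NotAfter
        [datetime]$Now = (Get-Date)     # injectable so the sample run is reproducible
    )
    process {
        $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $Now).TotalDays)
        $services = "$($Certificate.Services)"   # flags enum renders as "IMAP, POP, SMTP"
        $inUse    = $services -match "SMTP|IIS|POP|IMAP|UM"
        if     ($daysLeft -lt 0)                              { $status = "Expired" }
        elseif ($daysLeft -le $WarnDays)                      { $status = "ExpiringSoon" }
        elseif ($Certificate.IsSelfSigned -and $inUse)        { $status = "SelfSignedInUse" }
        else                                                  { $status = "OK" }
        New-Object PSObject -Property @{
            Thumbprint = $Certificate.Thumbprint
            Subject    = $Certificate.Subject
            Services   = $services
            DaysLeft   = $daysLeft
            SelfSigned = [bool]$Certificate.IsSelfSigned
            Status     = $status
        }
    }
}

# Constructed sample data shaped like Get-ExchangeCertificate output (not real thumbprints).
$asOf = Get-Date "2008-02-12"
$sample = @(
    (New-Object PSObject -Property @{ Thumbprint="A1A1A1"; Subject="CN=hub01";
        NotAfter=$asOf.AddDays(20);  IsSelfSigned=$true;  Services="IMAP, POP, SMTP" }),
    (New-Object PSObject -Property @{ Thumbprint="B2B2B2"; Subject="CN=edge01.corp.example";
        NotAfter=$asOf.AddDays(300); IsSelfSigned=$false; Services="SMTP" }),
    (New-Object PSObject -Property @{ Thumbprint="C3C3C3"; Subject="CN=cas01";
        NotAfter=$asOf.AddDays(200); IsSelfSigned=$true;  Services="IIS" }),
    (New-Object PSObject -Property @{ Thumbprint="D4D4D4"; Subject="CN=hub02";
        NotAfter=$asOf.AddDays(-15); IsSelfSigned=$true;  Services="SMTP" })
)
# Expected statuses: hub01 ExpiringSoon, edge01 OK, cas01 SelfSignedInUse, hub02 Expired.
$sample | Test-ExchangeCertificateHealth -Now $asOf |
    Select-Object Subject, Services, DaysLeft, SelfSigned, Status | Format-Table -AutoSize

# On a real server, in the Exchange Management Shell:
# Get-ExchangeCertificate | Test-ExchangeCertificateHealth |
#     Where-Object { $_.Status -ne "OK" } | Format-Table -AutoSize
```

The `Expired` case is the one Henrik describes: transport keeps working on an expired self-signed certificate, so nothing alerts by itself; scheduling this check (or filtering on `DaysLeft`) is what turns the yearly renewal into a planned task rather than a surprise.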



