Exchange Server Forums
Required SSL certs
Required SSL certs - 27.May2008 12:58:57 PM
hywaydave
Posts: 122
Joined: 9.Mar.2006
Status: offline
Currently I only have a single Exchange 2003 BE server with a trusted CA SSL certificate for email.mydomain.com. I use this certificate for OWA, Smart Phones, and RPC over HTTPS. I recently installed an Exchange 2007 CAS/HUB server and plan to have all clients connect to it for OWA, Smart Phones, and Outlook Anywhere.

Will my old SSL certificate work if I just export and import, or do I need a special type of certificate like a UCC certificate if I have all of these services (OWA, ActiveSync, and Outlook Anywhere) pointing to a single domain name (email.mydomain.com)?

Thanks,
Dave
RE: Required SSL certs - 27.May2008 1:59:07 PM
Sembee
Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
SSL certificates are a pain with Exchange 2007. Ideally you need a SAN certificate with the following names:

server.domain.local (ie the real name of the server)
owa.domain.com (ie the name you want to use for OWA)
autodiscover.domain.com

While Exchange can be deployed with a single name certificate like you have now, it does involve jumping through quite a few hoops to get working correctly, and does require some specific setup parameters to work.

My recommendation would be to purchase a SAN certificate. You can get those pretty cheaply now from places such as GoDaddy ( http://CertificatesForExchange.com/ )

Simon.
_____________________________
Simon Butler, Exchange MVP Blog: http://blog.sembee.co.uk/ Web: http://www.amset.info/ In the UK? Hire me: http://www.sembee.co.uk/ Exchange Resources: http://exbpa.com/
RE: Required SSL certs - 27.May2008 2:09:40 PM
hywaydave
Posts: 122
Joined: 9.Mar.2006
Status: offline
Thanks,

My AD domain is different than my SMTP domain. Let's use yourdomain.com as my AD and mydomain.com as my SMTP in this example. Currently my users connect to email.mydomain.com for OWA, RPC, and ActiveSync on the 2003 BE Exchange server.

On my 2007 CAS server, should I create a UCC certificate with the following:

servername.yourdomain.com (real name of server with AD domain)
email.mydomain.com (OWA, Outlook Anywhere, ActiveSync using SMTP domain)
autodiscover.mydomain.com (Autodiscover service using SMTP domain)

Do I also need to run the following commands on my CAS and will this have any effect on how my 2003 BE server currently functions before I move everything? Could you send me the necessary steps I need to take to make this a smooth transition?

Thanks again Sembee!
Dave
RE: Required SSL certs - 27.May2008 5:50:50 PM
Sembee
Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
It doesn't matter what the domains being used are, you just need to ensure that they are all in the certificate. If you don't want to have to make changes to the client then ensure that one of the names on the certificate matches your current name.

I use this web page to create the request: https://www.digicert.com/easy-csr/exchange2007.htm

If you look at that site it also has some useful information on the use of the certificates and the SAN names.

Simon.
_____________________________
Simon Butler, Exchange MVP Blog: http://blog.sembee.co.uk/ Web: http://www.amset.info/ In the UK? Hire me: http://www.sembee.co.uk/ Exchange Resources: http://exbpa.com/
RE: Required SSL certs - 27.May2008 6:57:59 PM
hywaydave
Posts: 122
Joined: 9.Mar.2006
Status: offline
quote:
ORIGINAL: Sembee
It doesn't matter what the domains being used are, you just need to ensure that they are all in the certificate. If you don't want to have to make changes to the client then ensure that one of the names on the certificate matches your current name.

Current name as in the NetBIOS name of the Exchange server or the FQDN? I used the servername.ADdomain.com, along with email.smtpdomain.com and autodiscover.smtpdomain.com in my UCC certificate. That should work, shouldn't it?
RE: Required SSL certs - 29.May2008 8:58:42 AM
Sembee
Posts: 4093
Joined: 17.Jan.2008
From: Somewhere near London, UK
Status: offline
Current name as in what the clients are already using. So if the clients are all configured to use mail.domain.com then that needs to be in the certificate.

I did a UCC certificate just yesterday, and that supported five names, so I adjusted the list to:

mail.domain.com (which was the common name)
autodiscover.domain.com
server.domain.local
server (ie just the NetBIOS name)

Simon.
_____________________________
Simon Butler, Exchange MVP Blog: http://blog.sembee.co.uk/ Web: http://www.amset.info/ In the UK? Hire me: http://www.sembee.co.uk/ Exchange Resources: http://exbpa.com/
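
Added example, not part of any post above: the certificate request and a name-coverage check for the names discussed in this thread, written for the Exchange Management Shell on the Exchange 2007 CAS. The host names are the thread's placeholders; the file paths, the subject's country and organisation values, and the helper Get-MissingCertName are assumptions.

```powershell
# Added example; run in the Exchange Management Shell on the Exchange 2007 CAS.
# Host names are the thread's placeholders; file paths and the subject's
# country/organisation values are assumptions.
$required = @(
    'email.mydomain.com'           # name the clients already use
    'autodiscover.mydomain.com'    # Autodiscover on the SMTP domain
    'servername.yourdomain.com'    # real name of the server in the AD domain
)

# Hypothetical helper: return every required name the certificate does not list.
# Entries are converted to strings first; -notcontains is case-insensitive.
function Get-MissingCertName($CertDomains, $Required) {
    $have = @($CertDomains | ForEach-Object { "$_" })
    $Required | Where-Object { $have -notcontains $_ }
}

# Constructed check: the existing single-name certificate from the question.
# It reports the Autodiscover name and the server name as not covered.
Get-MissingCertName @('email.mydomain.com') $required

# 1. Create the request for the CA, with the client-facing name as common name
#    and all required names as subject alternative names.
New-ExchangeCertificate -GenerateRequest -Path 'C:\email_mydomain_com.csr' `
    -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName 'c=GB, o=Example Org, cn=email.mydomain.com' `
    -DomainName $required

# 2. Run only after the CA has returned the certificate: import it and
#    enable it for IIS, which serves OWA, ActiveSync and Outlook Anywhere.
Import-ExchangeCertificate -Path 'C:\email_mydomain_com.cer' |
    Enable-ExchangeCertificate -Services IIS

# 3. Confirm that each certificate enabled for IIS lists every required name.
Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object {
        $missing = @(Get-MissingCertName $_.CertificateDomains $required)
        if ($missing.Count -gt 0) {
            '{0} is missing: {1}' -f $_.Thumbprint, [string]::Join(', ', $missing)
        } else {
            '{0} covers all required names' -f $_.Thumbprint
        }
    }
```

If the NetBIOS name is wanted on the certificate as well, as in the last reply, add it to `$required` before step 1.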