No SAN for Internal Domains anymore ? (Full Version)



DanJay -> No SAN for Internal Domains anymore ? (2.Sep.2013 8:37:26 AM)

Dear all,

Got a notification email from the CA today that our UCC/SAN cert was about to expire
in some time. Purchased renewal of our 5-domain UCC for a buncha bucks and wondered why the CA wouldn't accept our 2 internal names for the Exchange box. I learned after some reading that this functionality has been dropped to stick to some industry-wide phasing-out of these internal domain names that's obviously in the making for some time now and becomes mandatory for any CA in 2016.

Well - am I really supposed to use ANOTHER internal! CA for our internal
domain names? How do you guys go about the forthcoming fun autodiscover will please you with?


de.blackman -> RE: No SAN for Internal Domains anymore ? (3.Sep.2013 8:07:31 AM)

Most of my clients have split-DNS so that their internal domain name and their external domain names are identical. I assume this is not the case for you? If so, is this an option for your organization to use (making sure you are aware of the ramifications of this action)?

FlyGuyBC -> RE: No SAN for Internal Domains anymore ? (5.Sep.2013 1:13:39 PM)

I am in the same position you are. Not sure how to deal with it yet.
Also, I have not yet tried to install and configure a certificate for Exchange 2007. My cert expires tomorrow. Can anyone recommend any suggestions or gotchas to look out for when doing this? I found instructions both on DigiCert's and Go Daddy's site for applying this cert. I just can't believe that it is going to be that straightforward.

Currently our cert is a single cert that only has IIS configured. Will it hurt to add SMTP, UM and IIS? I purchased a UC Cert so I could add AutoDiscovery.

I'm still trying to determine what will not work if I try replacing our expiring cert and it doesn't install correctly.

Any thoughts would be greatly appreciated. I'm reading as much as I can but haven't found these answers yet.

de.blackman -> RE: No SAN for Internal Domains anymore ? (6.Sep.2013 8:06:59 AM)

The process is really that straightforward as long as you follow the instructions (I assume these are the instructions you are referring to). The main thing you want to verify after you install the certificate and before you assign services to it is that the certificate is installed with a private key.

Adding SMTP and UM services to the certificate will not hurt. It simply means that if you have more than one Exchange server in the environment running the Hub Transport role, they will communicate over TLS using this certificate as opposed to the self-signed one created by Exchange.

If the certificate is not installed correctly, everything will work normally except that your users in Outlook and those connecting through OWA or ActiveSync will be receiving certificate prompts. ActiveSync users may experience connectivity issues and may not sync.

FlyGuyBC -> RE: No SAN for Internal Domains anymore ? (6.Sep.2013 10:06:25 AM)

I'm assuming that you can install the certificate and check everything without negatively affecting anything? It's when you enable it that it takes effect?

FlyGuyBC -> RE: No SAN for Internal Domains anymore ? (10.Sep.2013 9:34:52 AM)

For anyone else performing this, it is straightforward and if you follow the directions, if your certificate is correct you should not have any issues. One thing I noticed was that the private key was not associated with my certificate and I needed to rekey it a couple of times (Go Daddy cert). There are 2 thumbprints created during the process. Once I used the correct one the cert imported fine. You can import the cert in advance to ensure you have it imported correctly long before you enable it. That way if you run into issues you have time to correct them before your old cert expires.

Dan_Drums -> RE: No SAN for Internal Domains anymore ? (26.Sep.2013 7:07:38 AM)

I'm the original poster who has lost the site credentials due to a hardware crash
(and apparently my short-term memory doesn't serve like it used to do for the last 4 decades).

I recertified our E2K7 box at GoDaddy. Due to the discussed phasing-out of intranet domain names, I used the autodiscover.extdom and hostname.extdom SANs.
Installed and imported, rekeyed, enabled, all fine. Now I run into the issue that Outlook 2010 clients will pop up a security warning as per KB 940726.
I altered the internal URIs as per these instructions within the E2K7 Management Shell.

Our DNS is authoritative for several domains, one internal .local and two external domains.
There is split DNS in place.
The SANs in the cert are now pointing to entries in one of the external domains (AND the internal .local, as the CAS server is an AD member) as per the above article. Now, I fed the DNS manually as follows with both resources in both domains:

hostname|autodiscover.[local] ->

hostname|autodiscover.[extdom] ->

Outlook KEEPS popping up and states that hostname.local doesn't match the SAN pointing to extdom.tld

I cleared both client and server DNS cache/s, had the datafiles re-read, no joy.

Can some kind person shed some light on this?

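A way to check the two things this thread turns on, the private key de.blackman mentions and the name mismatch Dan_Drums is seeing. This is an added example for the Exchange 2007 Management Shell, not code from any poster or from Microsoft's KB; it is run on the CAS itself (Exchange 2007's Get-ExchangeCertificate has no -Server parameter), and `CAS01` is a placeholder for your Client Access Server name. It lists every hostname Outlook is directed to via the Autodiscover SCP URI and the InternalUrl of each web virtual directory (the values KB 940726 has you change) and reports which of them are not covered by a name on the certificate bound to IIS.

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management Shell
# on the Client Access Server. $Cas is a placeholder for your CAS name.
$Cas = 'CAS01'

# The certificate IIS is serving: the one Outlook, OWA and ActiveSync clients see.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw "No certificate with the IIS service enabled on this server" }
if (-not $cert.HasPrivateKey) {
    Write-Warning "Certificate $($cert.Thumbprint) has no private key; re-key or re-import it before enabling services"
}
$sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Names clients are sent to: Autodiscover from the SCP record, plus each InternalUrl.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $Cas).AutoDiscoverServiceInternalUri
$urls += (Get-WebServicesVirtualDirectory -Server $Cas).InternalUrl
$urls += (Get-OabVirtualDirectory -Server $Cas).InternalUrl
$urls += (Get-OwaVirtualDirectory -Server $Cas).InternalUrl
$urls += (Get-ActiveSyncVirtualDirectory -Server $Cas).InternalUrl

# A hostname is covered by an exact SAN entry, or by a wildcard that replaces
# exactly one label (*.extdom.tld covers mail.extdom.tld, not a.b.extdom.tld).
function Test-NameCovered([string]$Name, [string[]]$Names) {
    foreach ($n in $Names) {
        if ($n -eq $Name) { return $true }
        if ($n.StartsWith('*.') -and ($Name -like $n) -and
            ($Name.Split('.').Count -eq $n.Split('.').Count)) { return $true }
    }
    return $false
}

"Certificate $($cert.Thumbprint) names: $($sans -join ', ')"
$urls | Where-Object { $_ } | ForEach-Object {
    $h = ([System.Uri]$_.ToString()).Host.ToLower()
    if (Test-NameCovered $h $sans) { "covered:     $h  ($_)" } else { "NOT covered: $h  ($_)" }
}
```

Any URL reported as NOT covered is one Outlook will warn about; a .local hostname there can only be fixed by pointing that URL at a name the public certificate carries, since such names can no longer be added to the SAN list.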
