New SSL Certificate - Reconfiguring Exchange to use FQDN - Exchange 2010 SP3

We are using Exchange 2010 SP3.

Our SSL certificate in Exchange is approaching expiration.  I used the "New Exchange Certificate..." wizard to create a new certificate request.  In this process there are certain internal host names added as Subject Alternative Names, including the internal client access server name.  

While submitting the CSR to GoDaddy, that is when I learned it is no longer possible to include internal domain names on a public SSL certificate.   (More info: GoDaddy's explanation of the changes)

I have found various websites which provide tools and instructions to reconfigure Exchange Server to use your external fully qualified domain name.  (Example of GoDaddy's instructions, and Example of Digicert's instructions)

This process includes the following:  

1. Changing the Autodiscover URL

2. Changing the InternalURL attribute of the EWS

3. Changing the InternalURL attribute for web-based offline address book distribution

My question is in regards to internal Microsoft Outlook Client mapi users.  When I look at the account settings in Outlook the server is the internal host name of the client access server.  

Since the internal host name of the client access server will not be in the SSL certificate will Outlook break?

Do I need to manually change this for all internal mapi clients?  Or will autodiscover take care of it?  The self signed certificate for the internal name of the client access server is still valid, is that all the internal clients need?  

Thanks anyone.

July 16th, 2015 6:05pm

Hi Patrick,

Depending on your internal domain, this domain cannot be added to the public certificate.

Try it... Remove the internal names.

July 16th, 2015 6:25pm

Hello Thiago,

Yes, you are correct, and that is the point of my question.  I'm trying to figure out how MAPI clients will react when the SSL certificate is changed to only include the FQDN, which the internal hostname of the client access server will not match.

For example:  My Outlook Client has the server name entered as: servername.domain.local

Which will not match the new SSL cert that has the mail.domain.com domain.

July 16th, 2015 6:42pm

Patrick,

You can create an internal certificate with FQDN server names.

July 16th, 2015 7:00pm

Hi,

For now, .local cannot be used on a public certificate; we can configure split-DNS to host an internal DNS zone for mail.domain.com. Then we can change all VDs, autodiscover, etc. to mail.domain.com.

Here's a similar thread about your question, for your reference:
https://social.technet.microsoft.com/Forums/office/en-US/80055b41-9bb4-4f33-9693-41a16230b243/reconfigure-exchange-2010-to-use-the-fqdn?forum=exchangesvrunifiedmessaging

If we reconfigure the VDs, we might repair or re-configure the Outlook profile to connect to the Exchange server.

Thanks

July 16th, 2015 10:40pm
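Added example, not from this thread, Microsoft or GoDaddy: an Exchange 2010 Management Shell script that covers the three steps listed in the question (Autodiscover URL, EWS InternalUrl, OAB InternalUrl) and the "change all VDs to mail.domain.com" advice in the last reply. Before changing anything it lists every hostname the CAS currently advertises over HTTPS and reports whether each one is a SAN on the new certificate, so you can see which names will stop matching. Assumptions: run on the CAS in the Exchange Management Shell; $NewFqdn and $Thumbprint are placeholders; mail.domain.com already resolves internally via split-DNS.

```powershell
# Added example, not from the thread. Requires the Exchange 2010 Management Shell on the CAS.
# $NewFqdn / $Thumbprint are placeholders; mail.domain.com must already resolve internally (split-DNS).
param(
    [string]$Server     = $env:COMPUTERNAME,
    [string]$NewFqdn    = 'mail.domain.com',         # public name that will be on the new cert
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT',  # thumbprint from Get-ExchangeCertificate
    [switch]$Apply                                   # without -Apply the script only reports
)
$base = "https://$NewFqdn"
# HTTPS-based services whose URLs Outlook learns via Autodiscover (EWS and OAB are the
# question's steps 2 and 3; ActiveSync/OWA/ECP are the other VDs the last reply refers to).
$targets = @(
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory'; Url = "$base/EWS/Exchange.asmx" },
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory';         Url = "$base/OAB" },
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory';  Url = "$base/Microsoft-Server-ActiveSync" },
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory';         Url = "$base/owa" },
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory';         Url = "$base/ecp" }
)
# 1. Every hostname currently referenced by an InternalUrl/ExternalUrl or by Autodiscover.
$hosts = @()
foreach ($t in $targets) {
    foreach ($vd in (& $t.Get -Server $Server)) {
        foreach ($u in @($vd.InternalUrl, $vd.ExternalUrl)) {
            if ($u) { $hosts += ([uri]$u).Host }
        }
    }
}
$cas = Get-ClientAccessServer -Identity $Server
if ($cas.AutoDiscoverServiceInternalUri) { $hosts += ([uri]$cas.AutoDiscoverServiceInternalUri).Host }
$hosts = $hosts | Sort-Object -Unique
# 2. Compare with the SANs on the new certificate: any hostname not listed (exactly or via a
#    wildcard SAN for its parent domain) fails the TLS name check and clients will warn.
$san = (Get-ExchangeCertificate -Thumbprint $Thumbprint).CertificateDomains | ForEach-Object { $_.ToString() }
foreach ($h in $hosts) {
    $wild    = '*.' + ($h -replace '^[^.]+\.', '')
    $covered = ($san -contains $h) -or ($san -contains $wild)
    $status  = if ($covered) { 'covered by new cert' } else { 'NOT on new cert' }
    '{0,-40} {1}' -f $h, $status
}
# 3. Rewrite the URLs to the public FQDN (step 1 = Autodiscover URL, steps 2-3 = EWS/OAB).
if ($Apply) {
    foreach ($t in $targets) {
        & $t.Get -Server $Server | & $t.Set -InternalUrl $t.Url -ExternalUrl $t.Url
    }
    Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"
}
```

Run it once without -Apply to get the report, then with -Apply after the new certificate has been imported and the split-DNS zone is in place; re-run the report afterwards and the internal .local names should no longer appear.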
