questions about SAN certificate for Exchange 2007 OWA
We have an Exchange 2007 environment that’s been up and running for several years. We have an internal 2008R2 A/D certificate authority set up and have issued the Exchange certs from that. We also have OWA set up so that it can be accessed from outside; however, since the certificates are internal, the users get the certificate error. Management has been OK with that since external email access is only used by a small percentage of our users.

However, we’re in the process of trying to fix this by purchasing a SAN certificate to put on the OWA server, but I’m running into some confusion on what entries I need to put into the “name”. We have a different internal DNS namespace from our external one. Our external OWA address is “Webmail.acme.com”, our internal is “webmail.acme.local” (obviously not our real domain names…). Some users also just put in “webmail” for the internal access. Since we’re limited to 4 names on the SAN (without paying more), I’d like to make sure I cover the ones I need, without setting up ones I don’t. Here are my questions:

1. On the OWA server, can I have multiple certs active for the “IIS” service? I’m wondering if I can install the purchased SAN cert for the external site name(s) “Webmail.acme.com” but also continue to use the internally generated cert for “webmail.acme.local”, “webmail”, or any other internal names?

2. We’re only using the certificate for OWA and ActiveSync, not for the internal server-to-server SMTP/TLS communication, so am I correct in assuming I don’t need to include the actual server and NetBIOS names on the SAN certificate?

3. Pretty much the only email access from outside is via OWA and ActiveSync, so do we need to have the “autodiscover.acme.com” entry on the new SAN certificate? We’re not using “Outlook Anywhere” functions.
February 17th, 2011 5:11pm

Hi,

The easiest way of answering this is to include the names you are using. I normally use these:

webmail.domain.com
autodiscover.domain.com
exchangeservername.domain.local
exchangeservername

If you are not using Outlook Anywhere and are satisfied with setting up ActiveSync manually as well, you can exclude autodiscover. In your case it sounds like you will need these:

webmail.domain.com
webmail.domain.local
webmail
exchangeservername.domain.local (doesn't seem to be needed, but I would include it since you have a fourth name available)

/Martin
Exchange is a passion, not just a collaboration software.
February 17th, 2011 5:46pm

(1) Use only one certificate for IIS service. (2) You do not need your internal FQDN or NETBIOS name of the server on the SAN certificate. Your SMTP/TLS communication uses your Exchange server's self-signed certificate, which has the FQDN, or in your case the one being issued from your ECA. (3) If you are not using Outlook Anywhere don't worry about any more than the webmail.acme.com name.
February 17th, 2011 5:56pm

Thanks, that's what I was hoping. So as long as I cover the names the users use for the OWA and ActiveSync URL, I'm covered.
February 17th, 2011 11:45pm

Thank you for the reply. One of the concerns I had about putting in the actual server name was that in the next several months we're probably going to Exchange 2010 and the OWA functions will be moved to a new server. So as long as I point the "webmail" DNS alias for the OWA & ActiveSync functions to the new server, I can move the cert to the new OWA server and retire the original one.
February 17th, 2011 11:49pm

One more related question. On the actual certificate request, is the "CN=" portion of the "SubjectName" also one of the names that the users would enter to get to OWA? And then the "-DomainName" entry lists the alternate names that can be used? So if our certificate vendor says we can have four alternate names, does that mean we actually could have 5 names total? So our CSR request PowerShell line would be:

New-ExchangeCertificate -GenerateRequest -Path c:\webmail_acme_com.csr -KeySize 2048 -SubjectName "c=us, s=MyState, l=MyCity, o=MyOrg, ou=MyDept, cn=webmail.acme.com" -DomainName webmail.acme.local, webmail -PrivateKeyExportable $True

This would allow our users to access by "webmail.acme.com", "webmail.acme.local", and "webmail". Is this correct?
February 18th, 2011 5:23pm
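As an added check (not from the thread or from Exchange itself), the following Python models how a TLS client matches the hostname it was given against a certificate's CN and SAN entries under the RFC 2818 / RFC 6125 rules: once any dNSName SAN is present the client uses only the SAN list and ignores the CN. The certificate names and user URLs are constructed from the thread's example domains; the draft CSR above is compared with one that repeats the CN as a SAN entry.

```python
"""Which user-typed hostnames does a certificate actually cover?"""


def cert_identities(cn, san_dns_names):
    """Return the DNS identities a client matches against.

    RFC 2818 section 3.1 (and RFC 6125): if the certificate carries any
    dNSName SAN entries, those MUST be used as the identity and the subject
    CN is ignored. The CN is only a fallback when no dNSName SAN exists.
    """
    if san_dns_names:
        return [n.lower() for n in san_dns_names]
    return [cn.lower()] if cn else []


def name_matches(identity, hostname):
    """Match one certificate identity against a hostname.

    Case-insensitive; a wildcard is honoured only as the entire left-most
    label, so *.acme.com matches webmail.acme.com but neither
    webmail.acme.local nor the bare short name "webmail".
    """
    identity, hostname = identity.lower().rstrip("."), hostname.lower().rstrip(".")
    if not identity.startswith("*."):
        return identity == hostname
    id_labels, host_labels = identity.split("."), hostname.split(".")
    return len(id_labels) == len(host_labels) and id_labels[1:] == host_labels[1:]


def uncovered_hostnames(cn, san_dns_names, hostnames):
    """Return the hostnames users type that no identity in the cert covers."""
    identities = cert_identities(cn, san_dns_names)
    return [h for h in hostnames if not any(name_matches(i, h) for i in identities)]


# Constructed inputs using the thread's placeholder domains (not real hosts).
USER_URLS = ["webmail.acme.com", "webmail.acme.local", "webmail", "autodiscover.acme.com"]

# CSR as drafted in the thread: external name only in the CN, internal names in the SAN.
DRAFT_CN = "webmail.acme.com"
DRAFT_SAN = ["webmail.acme.local", "webmail"]

# Same request with the CN repeated as the first SAN entry (Martin's practice).
FIXED_SAN = ["webmail.acme.com", "webmail.acme.local", "webmail"]

if __name__ == "__main__":
    print("draft CSR leaves uncovered:", uncovered_hostnames(DRAFT_CN, DRAFT_SAN, USER_URLS))
    print("CN-in-SAN CSR leaves uncovered:", uncovered_hostnames(DRAFT_CN, FIXED_SAN, USER_URLS))
```

Run on a real certificate by feeding it the CN and the dNSName SAN list exported from the issued cert; autodiscover.acme.com stays uncovered in both variants, which is fine only if, as the thread says, Outlook Anywhere and automatic ActiveSync setup are not in use.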

Hi,

To be honest I haven't tried that; I always have the first SAN name the same as the CN, but in theory it should work like you have it listed.

/Martin
Exchange is a passion, not just a collaboration software.
February 19th, 2011 5:38am

I guess what I'm wondering is whether the "SubjectName" parameter has to be the actual A/D name of the server, or if it can be one of the URLs. We're (hopefully) going to be migrating to Exchange 2010 in the next couple of months. What I'd like to do is have the OWA certificate not reflect the actual server name, so that if we put a new OWA server in for 2010, we can use a new name and migrate the cert to that server, then decommission the 2007 one.
February 22nd, 2011 12:19pm

Hi,

As long as you have the same external name (CN), it is normally never a problem getting the certificate reissued with the new server name, and then you can have a cert on each for a while without problems. There is also the option of using a single-name cert, but that requires some configuration as well; have a look at this article from Elan Shudnow: http://www.shudnow.net/2007/08/10/outlook-2007-certificate-error/ I know the article is for Exchange 2007, but it can be used for 2010 as well.

/Martin
Exchange is a passion, not just a collaboration software.
February 22nd, 2011 1:55pm

This topic is archived. No further replies will be accepted.