×
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Log In

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips Forums!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!
  • Students Click Here

*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.

Students Click Here

Jobs

Certificate changes - no internal names

Certificate changes - no internal names

Certificate changes - no internal names

(OP)
Our 2x E2K10SP3 CA servers have certificate with the names (changed for anonymity):

CN webmail.mydomain.com
SAN autodiscover.mydomain.com
SAN autodiscover.domain.local
SAN exca1.domain.local
SAN exca2.domain.local
SAN mail.mydomain.com

The certificate is going to expire in a few months. Entering the CSR on Thawte's website gives the message:

Quote:

Due to new CA/Browser Forum changes, we no longer support internal server names or IP addresses for certificates that expire after November 1, 2015. Shorten your validity period or enter a fully qualified domain name to continue

Where to from here?

Do I really need the .domain.local SANs? If I remove the .domain.local SANs will everything work? I'm dubious about removing them - they must've been put in for a reason. Or if I remove them do other changes need to be made elsewhere?

RE: Certificate changes - no internal names

All you need to do is pick some public names to use internally, and add those as additional internal DNS forward lookup zones. Then configure your CAS vdirs to use those names.

So if you need to have exca1.mydomain.com for your internal name, then you'd create a DNS forward-lookup zone for exca1.mydomain.com and then create a blank A-record in that zone that maps to your internal IP for that server.

Another approach that I actually use way more often is to collapse the names into a single-name cert. So if the CN is webmail.mydomain.com, I make that the internal name of the server too, and I create the DNS FLZ in the same way I described above. Then you need to set all the internal vdir URLS properly, something like this:

CODE

Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -InternalUrl https://webmail.mydomain.com/Microsoft-Server-ActiveSync

Get-ECPVirtualDirectory | Set-ECPVirtualDirectory -InternalUrl https://webmail.mydomain.com/ECP

Get-OabVirtualDirectory | Set-OABVirtualDirectory -InternalUrl https://webmail.mydomain.com/OAB

Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl https://webmail.mydomain.com/EWS/Exchange.asmx

Get-ClientAccessServer | Set-ClientAccessServer -AutodiscoverInternalURI https://webmail.mydomain.com/Autodiscover/Autodiscover.xml 

In this situation, with a single-name cert, you would also get rid of your public Autodiscover record. You can read more about how the Autodiscover bit works in an article I wrote here:

http://www.thirdtier.net/2011/06/setting-up-autodi...

Dave Shackelford
ThirdTier.net

RE: Certificate changes - no internal names

(OP)
Thanks for that. Maybe I should've added that I already have internal DNS servers that resolve for mydomain.com so it may already be ok.

Public DNS for webmail.mydomain.com is 123.123.123.001 (on Internet, firewall forwards to DMZ)
Private DNS for webmail.mydomain.com is 172.20.95.32 (in the DMZ)

Public DNS for autodiscover.mydomain.com is 123.123.123.001 (same as webmail.....)
Private DNS for autodiscover.mydomain.com is 172.20.95.30 (an IP on exca1.domain.local)

Private DNS for exca1.domain.local is 172.20.95.30
Private DNS for exca2.domain.local is 172.20.95.33

Private DNS for exms2010.domain.local is 172.20.95.32

NLB on EXCA1/EXCA2 is named exms2010.domain.local

I'm thinking that the NLB needs to change from exms2010.grammar.local to webmail.mydomain.com

RE: Certificate changes - no internal names

I'd agree with you there.

And of course, you'd need a multi-name cert, since you can't collapse all roles into a single URL. You still need to maintain the separate URLs.

The powershell I posted earlier wouldn't be correct, since I was assuming a single-server environment. You get the idea though: you want the internal names to be ones that you can put on a cert: ie, public.

Dave Shackelford
ThirdTier.net

Red Flag This Post

Please let us know here why this post is inappropriate. Reasons such as off-topic, duplicates, flames, illegal, vulgar, or students posting their homework.

Red Flag Submitted

Thank you for helping keep Tek-Tips Forums free from inappropriate posts.
The Tek-Tips staff will check this out and take appropriate action.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members! Already a Member? Login

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close