Solved

Certificate Common Name

Posted on 2008-09-29
836 Views
Last Modified: 2012-08-14
I am looking into using a self-published SSL certificate so that we can start using Exchange ActiveSync at one of our offices. I've read the FAQ at
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
which explains things pretty well, except for one point.

At the point where you choose the certificate common name, the article says you need to pay extra special attention to the common name, as it reflects the FQDN of your mail server. He then adds a note about ISPs often setting the A record.

However, our A record points to our spam/virus/content filtering service, who then forward mail to our mail server by IP, not hostname. We therefore don't have an FQDN for our mail server. At present I have a test device accessing ActiveSync by IP address, and all OWA access is by IP address.

My question therefore is, given that I don't have an FQDN, what should I use as the Certificate Common Name? Does it matter in this context, if all OWA & ActiveSync connections are made using an IP address and not a hostname?

Thanks in advance.
Question by:Ekithump
6 Comments
 
LVL 7

Expert Comment

by:vikasjus
ID: 22595602
In this case you will have to expose your certificate server to the internet.
MS ISA will help you in publishing the certificate server to the internet.
Register a different A record which will point to OWA and ActiveSync.
 
LVL 1

Author Comment

by:Ekithump
ID: 22595878
Thanks for your reply vikasjus.
We don't run an ISA server, and I must admit I don't fancy opening up the Exchange box to any more public exposure than it's already got if I can avoid it.
I take it from your answer that the Certificate Common Name HAS to correspond to an A record FQDN? Is that correct?

 
LVL 7

Expert Comment

by:vikasjus
ID: 22595999
No, the A record is just a pointer which will point to webmail or ActiveSync of your mail server. It has nothing to do with the certificate. The FQDN can be your internal host name FQDN, but it should be authorised by someone, which is the certificate server. Unless you host your certificate server it will not authenticate the SSL request. There are service providers who give certificates at affordable cost. Check with them.
 
LVL 1

Author Comment

by:Ekithump
ID: 22597255
Thanks for the reply, however I'm still somewhat confused, so I'll summarise my understanding from what you've said, assuming that I'll be hosting my self published certificate on the Exchange box.

1. Register a new A record that points to the mail server (which is hosting ActiveSync, OWA, certificate, et al).
2. Create the certificate with a Common Name equal to the FQDN of the mail server, even though that FQDN isn't publicly accessible.
3. Install the certificate on the ActiveSync devices.
4. Configure ActiveSync devices with the server IP address as before, but using SSL.

Does that sound about right?

Re-reading my original question, I see I might have muddied the waters by saying our mail server doesn't have an FQDN - of course it does, it's just not a publicly accessible one.

 
LVL 7

Accepted Solution

by:vikasjus (earned 250 total points)
ID: 22603061
Somewhat it is, but still go through the steps below for a clear understanding.

A) Let's assume that at present you are accessing your webmail by IP. What you have to do is register an A record which will point to a valid IP of your Exchange server. Assume your domain name is ekithump.com, so register a DNS pointer as webmail.ekithump.com which will point to the Exchange server's valid IP address. I assume your internal IP address is NATed with a public IP and ports 80 and 443 are open.
B) Your mail server's MX record is pointing to the spam gateway; let it be as is, no change is required in that.
C) The question that remains is the valid certificate, due to which you are not able to enable ActiveSync, so here are two options:
a) Install a certificate server on any average-configuration system. NAT it with a public IP and allow only the required ports to this system. Generate the certificate request from this server and install it in Exchange IIS.
b) The other option is to get a valid certificate from a certificate authority and just install it on Exchange IIS. The certificate provider will guide you through the required steps. Basically they ask for a CSR, which is nothing but the steps you had followed as per the write-up you had referred to. In that, give the FQDN name as webmail.ekithump.com.
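The point the accepted answer turns on is that the name in the certificate must match the name the client actually connects to: a certificate issued for webmail.ekithump.com will not be accepted by a device that connects by IP address. The following is an added example, not code from the thread, that implements that matching rule over a certificate dictionary in the shape Python's `ssl` module returns; the hostname, domain and IP address are constructed sample values.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample certificate, in the shape returned by
# ssl.SSLSocket.getpeercert(): CN and SAN set to webmail.ekithump.com,
# as the accepted answer recommends. The name is an assumption of this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "webmail.ekithump.com"),),),
    "subjectAltName": (("DNS", "webmail.ekithump.com"),),
}


def _identities(cert: dict) -> Tuple[List[str], List[str]]:
    """Return (dns_names, ip_addresses) the certificate claims.

    Per RFC 6125 the CN is only consulted when no subjectAltName is present;
    if a SAN exists, the CN is ignored entirely.
    """
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:  # legacy certificate: fall back to the CN
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value.lower())
    return dns, ips


def _dns_match(pattern: str, host: str) -> bool:
    """Exact match, or a single leading '*.' wildcard covering one label."""
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def cert_matches(cert: dict, connect_to: str) -> bool:
    """True if a client connecting to `connect_to` (a hostname or an IP
    literal) would accept this certificate as naming that endpoint."""
    dns, ips = _identities(cert)
    try:
        ip = ipaddress.ip_address(connect_to)
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name
    if ip is not None:
        # An IP literal is compared only against iPAddress SAN entries;
        # a DNS name or CN never matches an address the client typed in.
        return any(ipaddress.ip_address(i) == ip for i in ips)
    return any(_dns_match(d, connect_to.lower()) for d in dns)
```

The check explains the asker's situation: devices configured with the server's IP address fail name verification against a webmail.ekithump.com certificate, while the same devices pointed at the new A record succeed.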
 
LVL 1

Author Closing Comment

by:Ekithump
ID: 31501144
Excellent - thank you very much - that clears it up 100%. Thanks for spending the time to help me out - much appreciated.