Solved

Certificate Common Name

Posted on 2008-09-29
Last Modified: 2012-08-14
I am looking into using a self-published SSL certificate in order that we can start using Exchange ActiveSync at one of our offices. I've read the FAQ at
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
which explains things pretty well, except for one point.

At the point where you choose the certificate common name, the article says you need to pay extra special attention to the common name, as it reflects the FQDN of your mail server. He then adds a note about ISPs often setting the A record.

However, our A record points to our spam/virus/content filtering service, who then forward mail to our mail server by IP, not hostname. We therefore don't have an FQDN for our mail server. At present I have a test device accessing ActiveSync by IP address, and all OWA access is by IP address.

My question therefore is, given that I don't have an FQDN, what should I use as the Certificate Common Name? Does it matter in this context, if all OWA & ActiveSync connections are made using an IP address and not a hostname?

Thanks in advance.
Question by:Ekithump

6 Comments


Expert Comment

by:vikasjus
ID: 22595602
In this case you will have to host your certificate server on the internet.
MS ISA will help you in publishing the certificate server to the internet.
Register a different A record which will point to OWA and ActiveSync.

Author Comment

by:Ekithump
ID: 22595878
Thanks for your reply vikasjus.
We don't run an ISA server, and must admit I don't fancy opening up the Exchange box to any more public exposure than it's already got if I can avoid it.
I take it from your answer that the Certificate Common Name HAS to correspond to an A record FQDN? Is that correct?


Expert Comment

by:vikasjus
ID: 22595999
No, the A record is just a pointer which will point to webmail or ActiveSync on your mail server. It has nothing to do with the certificate. The FQDN can be your internal host name FQDN, but it should be authorised by someone, which is the certificate server. Unless you host your certificate server it will not authenticate the SSL request. There are service providers who give certificates at an affordable cost. Check with them.

Author Comment

by:Ekithump
ID: 22597255
Thanks for the reply, however I'm still somewhat confused, so I'll summarise my understanding from what you've said, assuming that I'll be hosting my self-published certificate on the Exchange box.

1 Register a new A record that points to the mail server (which is hosting activesync, OWA, certificate, et al)
2 Create the certificate with a Common Name equal to the FQDN of the mail server, even though that FQDN isn't publicly accessible.
3 Install the certificate on the ActiveSync devices
4 Configure ActiveSync devices with the server IP address as before, but using SSL

Does that sound about right?

Re-reading my original question, I see I might have muddied the waters by saying our mail server doesn't have an FQDN - of course it does, it's just not a publicly accessible one.

Accepted Solution

by:vikasjus (earned 250 total points)
ID: 22603061
Somewhat it is; still, go through the steps below for a clear understanding.

A) Let's assume that at present you are accessing your webmail by IP. What you have to do is register an A record which will point to a valid IP of your Exchange server. Assume your domain name is ekithump.com, so register a DNS pointer as webmail.ekithump.com which will point to the Exchange server's valid IP address. I assume your internal IP address is NATed to a public IP and ports 80 and 443 are open.
B) Your mail server MX record is pointing to the spam gateway; let it be as is, and no change is required in that.
C) The question that remains is the valid certificate, due to which you are not able to enable ActiveSync, so here are two options:
a) Install Certificate Server on any average-configuration system. NAT it to a public IP and allow only the required ports to this system. Generate a certificate request from this server and install it in Exchange IIS.
b) The other option is to get a valid certificate from a certificate authority and just install it on Exchange IIS. The certificate provider will guide you through the required steps. Basically they ask for a CSR, which is nothing but the steps that you had followed as per the write-up you had referred to. In that, give the FQDN name as webmail.ekithump.com.
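The accepted answer turns on a point the thread never spells out: a TLS client compares the server name it was configured with against the names carried in the certificate, so a certificate whose Common Name is webmail.ekithump.com will never satisfy a device that is still configured with the server's IP address. The block below is an added example, not code from the original thread or from Exchange; it implements the client-side matching rules (RFC 2818 / RFC 6125 style: SAN dNSName entries first, CN only as a legacy fallback, IP literals only against SAN iPAddress entries) against constructed certificate identities. The hostname webmail.ekithump.com comes from the answer; the address 203.0.113.10 and the extra name autodiscover.ekithump.com are assumed for illustration.

```python
"""Server-identity matching as a TLS client performs it.

Added example, not from the original thread. The certificate records are
constructed to mirror the thread: a certificate whose Common Name is
webmail.ekithump.com, with and without a Subject Alternative Name extension.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """The identity fields a client checks: subject CN plus SAN entries."""
    common_name: str
    dns_names: list = field(default_factory=list)      # SAN dNSName entries
    ip_addresses: list = field(default_factory=list)   # SAN iPAddress entries


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match; '*' may replace the leftmost label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # A wildcard must leave at least two fixed labels (*.example.com), and
    # must be the entire leftmost label; '*' anywhere else is rejected.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def matches_server_identity(cert: CertIdentity, reference: str) -> bool:
    """Return True if `reference` (what the user typed as the server) is covered.

    - An IP literal is matched only against SAN iPAddress entries; a DNS name
      in the CN or SAN never matches an IP, however correct the address is.
    - A DNS name is matched against SAN dNSName entries when any exist; the
      CN is consulted only as a fallback for certificates with no SAN names,
      which is the legacy behaviour the 2008 thread relies on.
    """
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(san) == ip for san in cert.ip_addresses)
    if cert.dns_names:
        return any(_dns_label_match(name, reference) for name in cert.dns_names)
    return _dns_label_match(cert.common_name, reference)


# Constructed sample certificate identities (identity fields only, not real certs).
CN_ONLY = CertIdentity(common_name="webmail.ekithump.com")
CN_PLUS_SAN = CertIdentity(
    common_name="webmail.ekithump.com",
    dns_names=["webmail.ekithump.com", "autodiscover.ekithump.com"],  # second name assumed
    ip_addresses=["203.0.113.10"],  # assumed public address (TEST-NET-3 range)
)


def check_all() -> dict:
    """Evaluate the thread's scenarios; returns {scenario: matched?}."""
    return {
        "cn_only_by_name": matches_server_identity(CN_ONLY, "webmail.ekithump.com"),
        "cn_only_by_ip": matches_server_identity(CN_ONLY, "203.0.113.10"),
        "san_by_name": matches_server_identity(CN_PLUS_SAN, "webmail.ekithump.com"),
        "san_by_ip": matches_server_identity(CN_PLUS_SAN, "203.0.113.10"),
        "san_wrong_name": matches_server_identity(CN_PLUS_SAN, "owa.ekithump.com"),
    }


if __name__ == "__main__":
    for scenario, ok in check_all().items():
        print(f"{scenario:16s} -> {'OK' if ok else 'NAME MISMATCH'}")
```

The practical consequence for the thread: once the certificate is issued with a Common Name of webmail.ekithump.com, the ActiveSync devices and OWA users must be pointed at that name, not the IP address, or the client will report a name mismatch (step 4 of the author's summary would fail as written). If IP access has to be kept, the certificate needs a Subject Alternative Name of type iPAddress covering that address in addition to the DNS name; a CN alone cannot satisfy both.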
Author Closing Comment

by:Ekithump
ID: 31501144
Excellent - thank you very much - that clears it up 100%. Thanks for spending the time to help me out - much appreciated.