Solved

Certificate Common Name

Posted on 2008-09-29
838 Views
Last Modified: 2012-08-14
I am looking into using a self-published SSL certificate so that we can start using Exchange ActiveSync at one of our offices. I've read the FAQ at
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
which explains things pretty well, except for one point.

At the point where you choose the certificate common name, the article says you need to pay extra special attention to the common name, as it reflects the FQDN of your mail server. He then adds a note about ISPs often setting the A record.

However, our A record points to our spam/virus/content filtering service, who then forward mail to our mail server by IP, not hostname. We therefore don't have an FQDN for our mail server. At present I have a test device accessing ActiveSync by IP address, and all OWA access is by IP address.

My question therefore is, given that I don't have an FQDN, what should I use as the Certificate Common Name? Does it matter in this context, if all OWA & ActiveSync connections are made using an IP address and not a hostname?

Thanks in advance.
Question by:Ekithump
6 Comments
LVL 7

Expert Comment

by:vikasjus
ID: 22595602
In this case you will have to host your certificate server on the internet.
MS ISA will help you in publishing the certificate server to the internet.
Register a different A record which will point to OWA and ActiveSync.
LVL 1

Author Comment

by:Ekithump
ID: 22595878
Thanks for your reply vikasjus.
We don't run an ISA server, and I must admit I don't fancy opening up the Exchange box to any more public exposure than it's already got if I can avoid it.
I take it from your answer that the Certificate Common Name HAS to correspond to an A record FQDN? Is that correct?

LVL 7

Expert Comment

by:vikasjus
ID: 22595999
No, the A record is just a pointer which will point to webmail or ActiveSync on your mail server. It has nothing to do with the certificate. The FQDN can be your internal host name FQDN, but it should be authorised by someone, which is the certificate server. Unless you host your certificate server it will not authenticate the SSL request. There are service providers who give certificates at an affordable cost; check with them.
LVL 1

Author Comment

by:Ekithump
ID: 22597255
Thanks for the reply; however, I'm still somewhat confused, so I'll summarise my understanding from what you've said, assuming that I'll be hosting my self-published certificate on the Exchange box.

1. Register a new A record that points to the mail server (which is hosting ActiveSync, OWA, certificate, et al.)
2. Create the certificate with a Common Name equal to the FQDN of the mail server, even though that FQDN isn't publicly accessible.
3. Install the certificate on the ActiveSync devices.
4. Configure ActiveSync devices with the server IP address as before, but using SSL.

Does that sound about right?

Re-reading my original question, I see I might have muddied the waters by saying our mail server doesn't have an FQDN - of course it does, it's just not a publicly accessible one.

LVL 7

Accepted Solution

by:
vikasjus earned 250 total points
ID: 22603061
Somewhat it is; still, go through the steps below for a clear understanding.

A) Let's assume that at present you are accessing your webmail by IP. What you have to do is register an A record which will point to the valid IP of your Exchange server. Assume your domain name is ekithump.com, so register a DNS pointer as webmail.ekithump.com which will point to the Exchange server's valid IP address. I assume your internal IP address is NATed with a public IP and ports 80 and 443 are open.
B) Your mail server's MX record is pointing to the spam gateway; let it be as is, no change is required in that.
C) The question that remains is the valid certificate, due to which you are not able to enable ActiveSync, so here are two options:
a) Install a certificate server on any average-configuration system. NAT it with a public IP and allow only the required ports to this system. Generate a certificate request from this server and install it in Exchange IIS.
b) The other option is to get a valid certificate from a certificate authority and just install it on Exchange IIS. The certificate provider will guide you through the required steps. Basically they ask for a CSR, which is nothing but the steps that you had followed as per the write-up you had referred to. In that, give the FQDN name as webmail.ekithump.com.
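The accepted answer's point, that the Common Name must be the name the devices connect to, is easiest to see by running the same name check a client performs. The example below is added here and is not code from the thread, from Microsoft or from OpenSSL. It models certificates in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns (that shape, and the matching rules, are the only things it relies on) and applies the usual client rules: if a subjectAltName extension is present it is the only thing consulted, DNS entries match hostnames and "IP Address" entries match IP literals, and the Common Name is used only as a fallback when there is no SAN and only ever as a hostname. The consequence for the question asked: a certificate with CN=webmail.ekithump.com only verifies when the devices are configured with that name, and devices that keep connecting by IP address need the address in a SAN. The IP addresses 203.0.113.10 and 192.168.1.20 are constructed sample values; the second function writes an `openssl req` config for a CSR that requests those SANs (the `openssl` command in its docstring is not run here).

```python
"""Does the name a client types match what the certificate says? (added example)

Certificate dictionaries follow ssl.SSLSocket.getpeercert(): 'subject' is a
tuple of RDNs, each RDN a tuple of (type, value) pairs; 'subjectAltName' is a
flat tuple of (kind, value). Sample addresses below are constructed.
"""
import ipaddress

# The certificate the accepted answer describes: CN only, no SAN.
CN_ONLY_CERT = {
    "subject": ((("commonName", "webmail.ekithump.com"),),),
}

# What the asker would need to keep devices on an IP address: a SAN listing
# both the public name and the (constructed) public IP 203.0.113.10.
SAN_CERT = {
    "subject": ((("commonName", "webmail.ekithump.com"),),),
    "subjectAltName": (
        ("DNS", "webmail.ekithump.com"),
        ("DNS", "autodiscover.ekithump.com"),
        ("IP Address", "203.0.113.10"),
    ),
}


def _dns_match(pattern, hostname):
    """Simplified RFC 6125 match: case-insensitive, a single '*' allowed only
    as the entire leftmost label, never matching across dots or a bare TLD."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def _as_ip(value):
    """Return an ip_address object for an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def name_matches(cert, reference):
    """True if `reference` (the hostname or IP literal configured on the
    device) is covered by `cert` under common client rules."""
    ref_ip = _as_ip(reference)
    sans = cert.get("subjectAltName", ())
    if sans:
        for kind, value in sans:
            if ref_ip is not None and kind == "IP Address":
                if _as_ip(value) == ref_ip:
                    return True
            elif ref_ip is None and kind == "DNS":
                if _dns_match(value, reference):
                    return True
        return False  # SAN present: the CN is not consulted at all
    if ref_ip is not None:
        return False  # a CN is never interpreted as an IP address
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, reference)
    return False


def openssl_req_config(common_name, dns_names, ip_addresses):
    """Config for a CSR carrying SANs, usable as
    openssl req -new -newkey rsa:2048 -nodes -config san.cnf -keyout k.pem -out r.csr
    (not executed here)."""
    alt = [f"DNS.{i} = {n}" for i, n in enumerate(dns_names, 1)]
    alt += [f"IP.{i} = {a}" for i, a in enumerate(ip_addresses, 1)]
    return "\n".join([
        "[req]",
        "distinguished_name = dn",
        "req_extensions = v3_req",
        "prompt = no",
        "[dn]",
        f"CN = {common_name}",
        "[v3_req]",
        "subjectAltName = @alt_names",
        "[alt_names]",
        *alt,
    ]) + "\n"


if __name__ == "__main__":
    for cert_name, cert in (("CN-only", CN_ONLY_CERT), ("with SAN", SAN_CERT)):
        for ref in ("webmail.ekithump.com", "203.0.113.10", "192.168.1.20"):
            print(f"{cert_name:9} {ref:22} -> {name_matches(cert, ref)}")
    print(openssl_req_config("webmail.ekithump.com",
                             ["webmail.ekithump.com"], ["203.0.113.10"]))
```

Run stand-alone it prints one line per (certificate, configured name) pair, and the CN-only certificate fails for both IP addresses while the SAN certificate passes for 203.0.113.10 only. Note that the fallback to the Common Name is a legacy behaviour that current browsers and mobile clients have dropped, so a new CSR should always list the public name as a DNS SAN as well.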
LVL 1

Author Closing Comment

by:Ekithump
ID: 31501144
Excellent - thank you very much - that clears it up 100%. Thanks for spending the time to help me out - much appreciated.