Certificate Common Name

I am looking into using a self-published SSL certificate in order that we can start using Exchange ActiveSync at one of our offices. I've read the FAQ at
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
which explains things pretty well, except for one point.

At the point where you choose the certificate common name, the article says you need to pay extra special attention to the common name, as it reflects the FQDN of your mail server. He then adds a note about ISPs often setting the A record.

However, our A record points to our spam/virus/content filtering service, who then forward mail to our mail server by IP, not hostname. We therefore don't have an FQDN for our mail server. At present I have a test device accessing ActiveSync by IP address, and all OWA access is by IP address.

My question therefore is, given that I don't have an FQDN, what should I use as the Certificate Common Name? Does it matter in this context, if all OWA & ActiveSync connections are made using an IP address and not a hostname?

Thanks in advance.
EkithumpAsked:
vikasjusCommented:
Somewhat it is; still, go through the steps below for a clear understanding.

A) Let's assume that at present you are accessing your webmail by IP. What you have to do is register an A record which will point to the valid IP of your Exchange server. Assume your domain name is ekithump.com, so register a DNS pointer as webmail.ekithump.com which will point to the Exchange server's valid IP address. I assume your internal IP address is NATed with a public IP and ports 80 and 443 are open.
B) Your mail server MX record is pointing to the spam gateway; let it be as is, no change is required in that.
C) The question that remains is a valid certificate, due to which you are not able to enable ActiveSync, so here are two options:
a) Install a certificate server on any average-configuration system. NAT it with a public IP and allow only the required ports to this system. Generate the certificate request from this server and install it in Exchange IIS.
b) The other option is to get a valid certificate from a certificate authority and just install it on Exchange IIS. The certificate provider will guide you through the required steps. Basically they ask for a CSR, which is nothing but the steps you followed as per the write-up you referred to. In that, give the FQDN name as webmail.ekithump.com.
0
 
vikasjusCommented:
In this case you will have to host your certificate server on the internet.
MS ISA will help you in publishing the certificate server to the internet.
Register a different A record which will point to OWA and ActiveSync.
0
 
EkithumpAuthor Commented:
Thanks for your reply vikasjus.
We don't run an ISA server, and I must admit I don't fancy opening up the Exchange box to any more public exposure than it's already got if I can avoid it.
I take it from your answer that the Certificate Common Name HAS to correspond to an A record FQDN? Is that correct?

0
vikasjusCommented:
No, the A record is just a pointer which will point to webmail or ActiveSync of your mail server. It has nothing to do with the certificate. The FQDN can be your internal host name FQDN, but it should be authorised by someone, which is the certificate server. Unless you host your certificate server, it will not authenticate the SSL request. There are service providers who give certificates at an affordable cost; check with them.
0
 
EkithumpAuthor Commented:
Thanks for the reply; however, I'm still somewhat confused, so I'll summarise my understanding from what you've said, assuming that I'll be hosting my self-published certificate on the Exchange box.

1. Register a new A record that points to the mail server (which is hosting ActiveSync, OWA, certificate, et al.)
2. Create the certificate with a Common Name equal to the FQDN of the mail server, even though that FQDN isn't publicly accessible.
3. Install the certificate on the ActiveSync devices.
4. Configure ActiveSync devices with the server IP address as before, but using SSL.

Does that sound about right?

Re-reading my original question, I see I might have muddied the waters by saying our mail server doesn't have an FQDN - of course it does, it's just not a publicly accessible one.

0
 
EkithumpAuthor Commented:
Excellent - thank you very much - that clears it up 100%. Thanks for spending the time to help me out - much appreciated.
0
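The thread turns on whether the Common Name matters when devices connect by IP address rather than by hostname. What decides that is the name check a TLS client performs after it has decided to trust the certificate chain: the name the client typed into the URL (a DNS name or an IP literal) has to appear among the certificate's names. The following script is an added example, not code from this thread or from Exchange; it models those matching rules (dNSName and iPAddress subjectAltName entries, the single leftmost-label wildcard, and the legacy fallback to the CN only when no SAN is present) so you can see which connection targets a given certificate would satisfy. The hostname webmail.ekithump.com is taken from the answer above; the address 203.0.113.10 and the three sample certificates are constructed for illustration.

```python
"""Certificate name matching as a TLS client performs it (RFC 6125 / RFC 2818 rules).

Added example; not code from the thread. It models only the *name* check that
follows chain validation: the name the client connected to must appear in the
certificate. Certificates and the IP address below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """The identity-bearing fields of an X.509 certificate."""
    common_name: Optional[str] = None
    dns_sans: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    ip_sans: List[str] = field(default_factory=list)    # subjectAltName iPAddress entries


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; '*' is allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard must be the entire first label, there must be at least two
    # labels after it (so '*.com' is rejected), and no other label may contain '*'.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # One wildcard label matches exactly one host label, never several.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def reference_identity_matches(cert: CertNames, target: str) -> Tuple[bool, str]:
    """Decide whether a client that connected to `target` would accept `cert`'s names."""
    if _is_ip(target):
        # A client that connected by IP literal compares it only against iPAddress
        # SANs; a CN or dNSName that happens to look like the address does not count.
        addr = ipaddress.ip_address(target)
        for san in cert.ip_sans:
            if ipaddress.ip_address(san) == addr:
                return True, f"iPAddress SAN {san} matches {target}"
        return False, f"no iPAddress SAN for {target}; CN and DNS names never match an IP literal"
    if cert.dns_sans:
        # When any dNSName SAN is present the CN is ignored entirely.
        for san in cert.dns_sans:
            if dns_name_matches(san, target):
                return True, f"dNSName SAN {san} matches {target}"
        return False, f"no dNSName SAN matches {target} (CN ignored because SANs are present)"
    if cert.common_name and dns_name_matches(cert.common_name, target):
        return True, f"CN {cert.common_name} matches {target} (legacy fallback, no SANs)"
    return False, f"nothing in the certificate names {target}"


# Constructed sample certificates; 203.0.113.10 is a documentation-range address.
CN_ONLY = CertNames(common_name="webmail.ekithump.com")
WITH_SANS = CertNames(common_name="webmail.ekithump.com",
                      dns_sans=["webmail.ekithump.com"],
                      ip_sans=["203.0.113.10"])
WILDCARD = CertNames(dns_sans=["*.ekithump.com"])


def report(cert: CertNames, targets: List[str]) -> List[Tuple[str, bool, str]]:
    """Evaluate each connection target against one certificate; returns the rows."""
    return [(t, *reference_identity_matches(cert, t)) for t in targets]


if __name__ == "__main__":
    targets = ["webmail.ekithump.com", "203.0.113.10", "owa.ekithump.com"]
    for label, cert in (("CN only", CN_ONLY), ("CN + SANs", WITH_SANS), ("wildcard", WILDCARD)):
        print(f"== {label}")
        for target, ok, why in report(cert, targets):
            print(f"  {target:25} {'OK  ' if ok else 'FAIL'} {why}")
```

Running it shows the practical consequence for the setup in the question: a certificate whose only name is the Common Name webmail.ekithump.com is accepted when the device connects to that name, and rejected (or, on a device that lets the user click through, accepted with a warning) when the device connects to the IP address, because an IP literal is only ever compared against iPAddress SANs. If the devices must keep using the IP, the certificate needs that IP as a SAN; if they are to use the name, the name in the CN (and, for current clients, a matching dNSName SAN) is what matters, and the name need not be resolvable from the internet so long as the devices can resolve it.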