Certificate Common Name

Posted on 2008-09-29
Last Modified: 2012-08-14
I am looking in to using a self published SSL certificate in order that we can start using Exchange ActiveSync at one of our offices. I've read the FAQ at
http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html
which explains things pretty well, except for one point.

At the point where you choose the certificate common name, the article says you need to pay extra special attention to the common name, as it reflects the FQDN of your mail server. He then adds a note about ISPs often setting the A record.

However, our A record points to our spam/virus/content filtering service, who then forward mail to our mail server by IP, not hostname. We therefore don't have an FQDN for our mail server. At present I have a test device accessing ActiveSync by IP address, and all OWA access is by IP address.

My question therefore is, given that I don't have an FQDN, what should I use as the Certificate Common Name? Does it matter in this context, if all OWA & ActiveSync connections are made using an IP address and not a hostname?

Thanks in advance.
Question by:Ekithump
Expert Comment by vikasjus (ID: 22595602)
In this case you will have to host your certificate server on the internet.
MS ISA will help you in publishing the certificate server to the internet.
Register a different A record which will point to OWA and ActiveSync.
Author Comment by Ekithump (ID: 22595878)
Thanks for your reply, vikasjus.
We don't run an ISA server, and I must admit I don't fancy opening up the Exchange box to any more public exposure than it's already got if I can avoid it.
I take it from your answer that the Certificate Common Name HAS to correspond to an A record FQDN? Is that correct?

Expert Comment by vikasjus (ID: 22595999)
No, the A record is just a pointer which will point to webmail or ActiveSync on your mail server. It has nothing to do with the certificate. The FQDN can be your internal host name FQDN, but it should be authorised by someone, which is a certificate server. Unless you host your certificate server it will not authenticate the SSL request. There are service providers who give certificates at an affordable cost. Check with them.
Author Comment by Ekithump (ID: 22597255)
Thanks for the reply; however, I'm still somewhat confused, so I'll summarise my understanding from what you've said, assuming that I'll be hosting my self-published certificate on the Exchange box.

1. Register a new A record that points to the mail server (which is hosting ActiveSync, OWA, certificate, et al.)
2. Create the certificate with a Common Name equal to the FQDN of the mail server, even though that FQDN isn't publicly accessible.
3. Install the certificate on the ActiveSync devices
4. Configure ActiveSync devices with the server IP address as before, but using SSL

Does that sound about right?

Re-reading my original question, I see I might have muddied the waters by saying our mail server doesn't have an FQDN - of course it does, it's just not a publicly accessible one.

Accepted Solution by vikasjus (earned 250 total points; ID: 22603061)
Somewhat it is; still, go through the steps below for a clear understanding.

A) Let's assume that at present you are accessing your webmail by IP. What you have to do is register an A record which will point to a valid IP of your Exchange server. Assume your domain name is ekithump.com, so register a DNS pointer as webmail.ekithump.com which will point to the Exchange server's valid IP address. I assume your internal IP address is NATed with a public IP and ports 80 and 443 are open.
B) Your mail server MX record is pointing to the spam gateway; let it be as is, no change is required in that.
C) The question that remains is the valid certificate, due to which you are not able to enable ActiveSync, so here are two options:
a) Install a certificate server on any average-configuration system. NAT it with a public IP and allow only the required ports to this system. Generate a certificate request from this server and install it in Exchange IIS.
b) The other option is to get a valid certificate from a certificate authority and just install it on Exchange IIS. The certificate provider will guide you through the required steps. Basically they ask for a CSR, which is nothing but the steps that you had followed as per the write-up you had referred to. In that, give the FQDN name as webmail.ekithump.com.
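The name check behind the question in this thread (does the Common Name matter when clients connect by IP address?), as an added example that is not part of the thread or of any of the replies: a Python model of the RFC 2818 / RFC 6125 matching rule that TLS clients apply to a certificate's Common Name and subjectAltName, run over constructed certificates that use the webmail.ekithump.com name from the accepted answer. The internal name mailsvr.ekithump.local and the address 203.0.113.25 are assumed values, not taken from the thread.

```python
import ipaddress

def _dns_match(pattern, host):
    """Match one DNS name against a certificate name; '*' covers exactly one label."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host

def cert_matches(cert, target):
    """True if the name or IP literal the client connected to is covered by the
    certificate (a dict shaped like ssl.SSLSocket.getpeercert()). When a
    subjectAltName is present only it is consulted; the Common Name is a legacy
    fallback and is never matched against an IP address."""
    target = target.rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    if sans:
        for kind, value in sans:
            if ip is not None and kind == "IP Address":
                if ipaddress.ip_address(value) == ip:
                    return True
            elif ip is None and kind == "DNS" and _dns_match(value.lower(), target):
                return True
        return False
    if ip is not None:
        return False
    return any(key == "commonName" and _dns_match(value.lower(), target)
               for rdn in cert.get("subject", ()) for key, value in rdn)

# Constructed sample certificates in getpeercert() shape (not real, not from the thread).
CN_ONLY_CERT = {"subject": ((("commonName", "webmail.ekithump.com"),),)}
SAN_CERT = {
    "subject": ((("commonName", "webmail.ekithump.com"),),),
    "subjectAltName": (("DNS", "webmail.ekithump.com"),
                       ("DNS", "mailsvr.ekithump.local"),  # internal FQDN (assumed)
                       ("IP Address", "203.0.113.25")),    # public NAT address (assumed)
}

def access_outcomes():
    """The scenarios from the thread: which (certificate, connect-to) pairs pass."""
    return {
        "cn_only_by_ip": cert_matches(CN_ONLY_CERT, "203.0.113.25"),
        "cn_only_by_name": cert_matches(CN_ONLY_CERT, "webmail.ekithump.com"),
        "san_by_ip": cert_matches(SAN_CERT, "203.0.113.25"),
        "san_by_internal_name": cert_matches(SAN_CERT, "mailsvr.ekithump.local"),
        "san_by_other_name": cert_matches(SAN_CERT, "owa.ekithump.com"),
    }
```

A False entry is the case where a client shows the certificate-mismatch warning: a certificate whose only name is the Common Name will never satisfy a device configured with the server's IP address, which is why the accepted answer has the devices connect by the webmail.ekithump.com name the certificate carries.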
Author Closing Comment by Ekithump (ID: 31501144)
Excellent - thank you very much - that clears it up 100%. Thanks for spending the time to help me out - much appreciated.