Solved

Self Signed SAN Certificate for Exchange 2007

Posted on 2008-10-17
15
4,804 Views
Last Modified: 2012-05-05
I really don't desire to spend hundreds of dollars for a one year Certificate and so far I've been unable to find any authoritative source that explains how to use CAS on Server 2008, the Exchange 2007 management shell, and actual steps to create a SAN cert for Exchange 2007.  Lots of interesting theories, and some work and some kind of work..but when it comes to enabling the cert, the cert either can not be found, does not have the key, or the thumbprint is incorrect.  The error messages from the Exchange 2007 Management Shell seemingly only mean something to the guys that wrote the command shell...  What is more interesting is if you use new-exchangecertificate and then do a get-exchangecertificate, you find that the just created certificate is already in the "store"?
So where does one find how to do this?  Server is setup to be a CAS...
As a side note - MS provided the ability to have a cert server, yet there's little to zero documentation...
Thanks..
mrmom-ron
0
Question by:MrMom-Ron
15 Comments
 
LVL 8

Expert Comment

by:DenverRick
ID: 22742721
Windows 2008/Exchange 2007 cannot create a self signed Subject Alternative Names certificate.

GoDaddy sells them for $90/yr for 5 domains, $165 for 10...

Strange you're running a couple grand worth of software but don't want to spend nickels and dimes to make it work right...
0
 
LVL 23

Expert Comment

by:Justin Durrant
ID: 22743394
IMO, self signed is not worth the hassle. Spend a few hundred extra for UC\SAN cert.
0
 

Author Comment

by:MrMom-Ron
ID: 22744727
DenverRick and jjdurrant - May I first compliment you on your humor - very funny responses!  I can laugh my way to the bank with these solutions.  However, neither of the solutions resolve my problem.  It has been assumed as to how much I paid for the software (maybe it was part of a kit or maybe it came with the server or maybe it came from a launch event..) as well as assuming that I have unlimited $$$$ to spend.
There is a "solution" for Server 2003 but tagged with Server 2008 and it is not relevant to Server 2008.  Thus I'm still looking for the documentation for producing a SAN cert for Exchange 2007.
0
 

Author Comment

by:MrMom-Ron
ID: 22744735
Btw--- There are lots and lots of posts about significant issues with "GoDaddy" certificates...hmmm maybe that is why they are so cheap...
0
 
LVL 8

Expert Comment

by:DenverRick
ID: 22744850
I am running GoDaddy UCC certificates on numerous Exchange Orgs, most with multiple mail domains.  Any problems are usually attributable to the Server 2003/2008 Certificate/Private key chain and easily fixed.
0
 
LVL 8

Expert Comment

by:DenverRick
ID: 22744859
Because you will not have a Public Key with any self signed certificate, Outlook and Autodiscover will never work.
0
 
LVL 23

Expert Comment

by:Justin Durrant
ID: 22745071
Broken record here... don't do self-signed. If nothing else, at least set up split DNS with a single domain cert:

http://www.amset.info/exchange/singlenamessl.asp

IMO, single cert is still a pain but you save some money.. but cmon.. how much extra money is your company going to spend considering the time and frustration you will spend with a non UC\SAN cert.

:)

0
 
LVL 23

Expert Comment

by:Justin Durrant
ID: 22745088
PS... if  you are against go daddy, digicert is good.

http://www.digicert.com/ssl-certificate.htm

They even provide the commands you need to generate the CSR.

https://www.digicert.com/easy-csr/exchange2007.htm
0
 
LVL 11

Accepted Solution

by:
NetoMeter Screencasts earned 168 total points
ID: 23082341
There are a lot of myths and a lot of confusion about SSL certificates and their implementation in Exchange 2007.
Let's start with the posts here:
1. UCC or SAN certificates cost a couple of hundred dollars?!?
 
A> You can pay this money for such a certificate or you can be smart enough to Google and find a coupon for a GoDaddy UCC cert which makes it cost $60 USD. CertificatesForExchange.com also offers specifically GoDaddy's Exchange 2007 UCC certs for $60 USD.

2. There are issues with GoDaddy certs and that's why they are cheap.

A> GoDaddy certs require you to install first the Intermediate Certs bundle and then your SSL certificate. Most people don't read the installation instructions and jump to the installation of their Certificate which leads to the invalid certificate message. Of course you can fix this and if you are careful and read instructions you shouldn't get into that problem :) . There were problems with Windows Mobile 5 prior to AKU 2 - the root cert for GoDaddy was not included but who is running such a version now?

3. You can not generate self-signed UCC (SAN) certificate.

A> Of course, that is not true. We are publishing a Step-by-Step video about this scenario (actually we are publishing a whole Screencast series for all the 5 scenarios which you can choose between when you install an SSL cert with Exchange 2007). It is true that the root cert of the issuer is not included in the root trusted authorities on the remote clients/Mobile Devices, hence you have to export it and install it on the clients/mobile devices. That's not difficult and can be automated. If the budget is tight, that's a scenario which I would recommend.

4. Outlook and Autodiscover will not work if you are using Self-Signed certificate or Single name certificate.

A> That's another misconception. It is true that when you replace the original Self-Signed certificate, generated by Exchange installation, with a single name certificate (like the GoDaddy TurboSSL cert for $14.99 USD - you get this price when you make a search in Google for SSL cert and follow the provided sponsor's link on top) Outlook 2007 clients start to give you a pop-up error due to autodiscovery service misconfiguration. Naturally, if you go ahead and configure the SCP (Service Connection Point) Exchange URLs to use the correct address (the one which matches your certificate Common Name) you will avoid this problem. With the Self-signed cert - the domain clients will have it added automatically among the trusted certs (depending on the way you install the CA). Again, for remote clients, you will have to export/import it.

5. Outlook Anywhere will not work if you are using a Self-Signed or a single name certificate.

A> Again, we are talking about a problem with Outlook 2007. There are a couple of approaches here. The easiest is configuring a SRV record (if you are running Outlook 2007 SP1). Another solution is using HTTP redirection - this requires a second public IP for Exchange 2007 on the server side. A third one is creating and configuring an XML file for the remote Outlook 2007 clients.


So, to recapitulate - here is the list with the five officially approved by Microsoft approaches about installing SSL certificates with Exchange Server 2007:

1. Using a commercial UCC certificate.
Pro - easy to install, no hassles with remote clients. Con - it costs $60 USD. NOTE!!! If you are planning to implement the UM role you have to use UCC certificate - forget about using a Single name cert.

2. Using a self-signed UCC certificate.
Pro - it's free. Con - administrative overhead (you have to add the issuer among the trusted root cert authorities on the remote clients/mobile devices).

3. Using one Single name commercial certificate, with SRV record on the external DNS.
Pro - only $14.99 USD (or free, if you already have one, like you've been using it with the old Exchange 2003 or Web Server and you are planning to export it and use it with the new Exchange 2007). Con - you have to configure a SRV record on the Public DNS server.

4. Using one Single name commercial certificate, with HTTP redirection.
Pro - the same. Con - you need a second public IP for Exchange 2007 server. There is also an annoying popup message on the remote Outlook 2007 clients about being redirected to a secure connection, blah blah which you can tell them to ignore.

5. Using two Single name commercial certificates.
Pro - cheaper than a UCC certificate. Con - two public IPs, and is it worth the hassle for saving $30 USD?

I hope this post was helpful.

regards,

Dean


0
 

Expert Comment

by:abserv
ID: 23203823
I am implementing Exchange 2007 SP1 Enterprise in a CCR environment. Microsoft seems to have NO documentation regarding SAN/UCC SSL *AT ALL*.... On the Exchange team blog I found 3 "recommended" vendors, (youhadmeatehlo) but I cannot find anything on an "official" Microsoft site. What exactly do I need certs for, aside from the obvious OWA? Can anyone point me to any documentation on an official Microsoft site regarding this new type of cert? I am probably going with DigiCert as the best author I have found, Henrik Walther, recommends them.....

http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html
0
 

Assisted Solution

by:aimitg
aimitg earned 166 total points
ID: 23685981
I bought a certificate from http://certificateforexchange.com and so far all is working good. All you have to do is follow the procedure from the GoDaddy certificate, which is: install the intermediate certificate name.p7b using the certificate MMC console and then import the file.crt using the Import-ExchangeCertificate command.
0
 
LVL 1

Expert Comment

by:canuc0
ID: 25029167
Excellent comment from Netometer above! Very helpful
Aimitg - good to hear someone with experience with http://www.certificatesforexchange.com/ (note typo in your post). We're going to go with them, and solve the problem with self signed once and for all! The time and effort spent with self-signed certs costs more than $60/yr! (I think I just convinced myself too!)
0
 

Assisted Solution

by:mvandenberg
mvandenberg earned 166 total points
ID: 25408241
mrmom-ron,

I was dealing with the same issue and apart from money spent, we had to deal with a technical challenge - as the internal domain name being used (historically) is a public one being owned by someone else. Any public CA would (and should) reject such a request. In order to resolve the issue for the time being we opted for a self-signed SAN certificate.

After some research I came across the following, brilliant article (which proved it is possible):

http://www.exchangeinbox.com/article.aspx?i=127

Following these instructions I had the SAN certificate working in no time. I also exported the certificate on a WM6 device - also working fine.

Cheers,

Mark
0
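The self-signed SAN scenario that Dean's accepted answer describes (item 3, option 2, and the SCP fix from item 4) and that Mark's post reports working, written out as an added example. This is not code from the thread or from the linked articles. It assumes one Exchange 2007 Client Access Server named EX01, the names mail.example.com, autodiscover.example.com and ex01.corp.example.local, and an export folder C:\certs; all of these are placeholders to replace with your own values. Run it in the Exchange Management Shell on the CAS.

```powershell
# Added example, not from the thread: create, verify, enable and distribute a
# self-signed SAN certificate with the Exchange 2007 Management Shell.
# Names below (EX01, *.example.com, C:\certs) are assumptions for illustration.

# 1. Create the certificate. -DomainName is the Subject Alternative Name list,
#    so every hostname clients connect to (external, Autodiscover, internal FQDN,
#    NetBIOS name) must appear here. -PrivateKeyExportable allows a later backup
#    or move to another CAS.
$names = "mail.example.com", "autodiscover.example.com", "ex01.corp.example.local", "ex01"
$cert = New-ExchangeCertificate -SubjectName "CN=mail.example.com, O=Example Corp" `
    -DomainName $names -PrivateKeyExportable $true `
    -FriendlyName "Exchange 2007 self-signed SAN"

# 2. Verify the certificate before enabling it. The "cannot be found" and
#    "does not have the key" errors from Enable-ExchangeCertificate usually mean
#    this check fails (wrong thumbprint, or a cert imported without its key).
$check = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
if ($check -eq $null) { throw "No certificate with thumbprint $($cert.Thumbprint) in the local machine store" }
if (-not $check.HasPrivateKey) { throw "Private key missing for $($cert.Thumbprint)" }
$check | Format-List Thumbprint, Subject, CertificateDomains, HasPrivateKey, NotBefore, NotAfter

# 3. Bind the certificate to the CAS services. -Services is a comma-separated
#    list of IIS, SMTP, POP, IMAP and UM; only bind what this server actually runs.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# 4. Point the Autodiscover Service Connection Point at a name that is in the
#    SAN list. A URL with a name the certificate does not cover is what makes
#    domain-joined Outlook 2007 clients pop up a certificate warning.
Set-ClientAccessServer -Identity EX01 `
    -AutoDiscoverServiceInternalUri "https://autodiscover.example.com/Autodiscover/Autodiscover.xml"

# 5. Export only the public certificate (DER .cer, no private key) so that
#    non-domain clients and mobile devices can add it to their trusted roots.
#    The Cert: drive returns a plain X509Certificate2, whose Export() method
#    with X509ContentType.Cert never includes the private key.
$x509 = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
$der = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("C:\certs\exchange-selfsigned.cer", $der)

# 6. Final review of what is bound to each service on this server.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, Subject -AutoSize
```

The exported .cer goes into the Trusted Root Certification Authorities store of every remote client and device (Group Policy can push it to domain members; handhelds need it copied over and installed by hand). Keep the private key on the server only: the .cer file is safe to distribute, a .pfx export is not. When the certificate approaches its NotAfter date, repeat steps 1 to 5 and redistribute the new .cer, since a self-signed certificate has no CA to renew under.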
