Solved

Self Signed SAN Certificate for Exchange 2007

Posted on 2008-10-17
Last Modified: 2012-05-05
I really don't desire to spend hundreds of dollars for a one-year certificate, and so far I've been unable to find any authoritative source that explains how to use CAS on Server 2008, the Exchange 2007 Management Shell, and the actual steps to create a SAN cert for Exchange 2007.  Lots of interesting theories, and some work and some kind of work... but when it comes to enabling the cert, the cert either can not be found, does not have the key, or the thumbprint is incorrect.  The error messages from the Exchange 2007 Management Shell seemingly only mean something to the guys that wrote the command shell...  What is more interesting is if you use New-ExchangeCertificate and then do a Get-ExchangeCertificate, you find that the just created certificate is already in the "store"?
So where does one find how to do this?  Server is setup to be a CAS...
As a side note - MS provided the ability to have a cert server, yet there's little to zero documentation...
Thanks..
mrmom-ron
Question by:MrMom-Ron
 
LVL 8

Expert Comment

by:DenverRick
ID: 22742721
Windows 2008/Exchange 2007 cannot create a self signed Subject Alternative Names certificate.

GoDaddy sells them for $90/yr for 5 domains, $165 for 10...

Strange you're running a couple grand worth of software but don't want to spend nickels and dimes to make it work right...
 
LVL 23

Expert Comment

by:Justin Durrant
ID: 22743394
IMO, self signed is not worth the hassle. Spend a few hundred extra for UC\SAN cert.
 

Author Comment

by:MrMom-Ron
ID: 22744727
DenverRick and jjdurrant - May I first compliment you on your humor - very funny responses!  I can laugh my way to the bank with these solutions.  However, neither of the solutions resolve my problem.  It has been assumed as to how much I paid for the software (maybe it was part of a kit or maybe it came with the server or maybe it came from a launch event..) as well as assuming that I have unlimited $$$$ to spend.
There is a "solution" for Server 2003 but tagged with Server 2008, and it is not relevant to Server 2008.  Thus I'm still looking for the documentation for producing a SAN cert for Exchange 2007.
 

Author Comment

by:MrMom-Ron
ID: 22744735
Btw--- There are lots and lots of posts about significant issues with "GoDaddy" certificates...hmmm maybe that is why they are so cheap...
 
LVL 8

Expert Comment

by:DenverRick
ID: 22744850
I am running GoDaddy UCC certificates on numerous Exchange Orgs, most with multiple mail domains.  Any problems are usually attributable to the Server 2003/2008 Certificate/Private key chain and easily fixed.
 
LVL 8

Expert Comment

by:DenverRick
ID: 22744859
Because you will not have a Public Key with any self signed certificate, Outlook and Autodiscover will never work.
 
LVL 23

Expert Comment

by:Justin Durrant
ID: 22745071
Broken record here... don't do self-signed. If nothing else, at least set up split DNS with a single domain cert:

http://www.amset.info/exchange/singlenamessl.asp

IMO, a single cert is still a pain but you save some money.. but c'mon.. how much extra money is your company going to spend considering the time and frustration you will spend with a non-UC\SAN cert.

:)

 
LVL 23

Expert Comment

by:Justin Durrant
ID: 22745088
PS... if you are against GoDaddy, DigiCert is good.

http://www.digicert.com/ssl-certificate.htm

They even provide the commands you need to generate the CSR.

https://www.digicert.com/easy-csr/exchange2007.htm
 
LVL 11

Accepted Solution

by:
NetoMeter Screencasts earned 168 total points
ID: 23082341
There are a lot of myths and a lot of confusion about SSL certificates and their implementation in Exchange 2007.
Let's start with the posts here:
1. UCC or SAN certificates cost a couple of hundred dollars?!?
 
A> You can pay this money for such a certificate, or you can be smart enough to Google and find a coupon for a GoDaddy UCC cert which makes it cost $60 USD. CertificatesForExchange.com also offers specifically GoDaddy's Exchange 2007 UCC certs for $60 USD.

2. There are issues with GoDaddy certs and that's why they are cheap.

A> GoDaddy certs require you to install the Intermediate Certs bundle first and then your SSL certificate. Most people don't read the installation instructions and jump to the installation of their certificate, which leads to the invalid certificate message. Of course you can fix this, and if you are careful and read the instructions you shouldn't get into that problem :) . There were problems with Windows Mobile 5 prior to AKU 2 - the root cert for GoDaddy was not included - but who is running such a version now?

3. You can not generate self-signed UCC (SAN) certificate.

A> Of course, that is not true. We are publishing a Step-by-Step video about this scenario (actually we are publishing a whole Screencast series for all the 5 Scenarios which you can choose between when you install an SSL cert with Exchange 2007). It is true that the root cert of the issuer is not included in the trusted root authorities on the remote clients/Mobile Devices, hence you have to export it and install it on the clients/mobile devices. That's not difficult and can be automated. If the budget is tight, that's the scenario which I would recommend.

4. Outlook and Autodiscover will not work if you are using Self-Signed certificate or Single name certificate.

A> That's another misconception. It is true that when you replace the original Self-Signed certificate generated by the Exchange installation with a single name certificate (like the GoDaddy TurboSSL cert for $14.99 USD - you get this price when you make a search in Google for SSL cert and follow the provided sponsor's link on top), Outlook 2007 clients start to give you a pop-up error due to Autodiscover service misconfiguration. Naturally, if you go ahead and configure the SCP (Service Connection Point) Exchange URLs to use the correct address (the one which matches your certificate Common Name), you will avoid this problem. With the Self-signed cert, the domain clients will have it added automatically among the trusted certs (depending on the way you install the CA). Again, for remote clients, you will have to export/import it.

5. Outlook Anywhere will not work if you are using a Self-Signed or a single name certificate.

A> Again, we are talking about a problem with Outlook 2007. There are a couple of approaches here. The easiest is configuring an SRV record (if you are running Outlook 2007 SP1). Another solution is using HTTP redirection - this requires a second public IP for Exchange 2007 on the server side. A third one is creating and configuring an XML file for the remote Outlook 2007 clients.


So, to recapitulate - here is the list of the five approaches officially approved by Microsoft for installing SSL certificates with Exchange Server 2007:

1. Using a commercial UCC certificate.
Pro - easy to install, no hassles with remote clients. Con - it costs $60 USD. NOTE!!! If you are planning to implement the UM role you have to use a UCC certificate - forget about using a Single name cert.

2. Using a self-signed UCC certificate.
Pro - it's free. Con - administrative overhead (you have to add the issuer among the trusted root cert authorities on the remote clients/mobile devices).

3. Using one Single name commercial certificate, with SRV record on the external DNS.
Pro - only $14.99 USD (or free, if you already have one, like you've been using it with the old Exchange 2003 or Web Server and you are planning to export it and use it with the new Exchange 2007). Con - you have to configure an SRV record on the Public DNS server.

4. Using one Single name commercial certificate, with HTTP redirection.
Pro - the same. Con - you need a second public IP for the Exchange 2007 server. There is also an annoying popup message on the remote Outlook 2007 clients about being redirected to a secure connection, blah blah, which you can tell them to ignore.

5. Using two Single name commercial certificates.
Pro - cheaper than a UCC certificate. Con - two public IPs, and is it worth the hassle for saving $30 USD?

I hope this post was helpful.

regards,

Dean

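The self-signed UCC scenario (option 2 above) plus the SCP/URL fix from point 4, written out as an added Exchange Management Shell example. This is not code from the thread or from NetoMeter; host names and paths are constructed placeholders, and it assumes the object returned by Get-ExchangeCertificate exposes the .NET X509Certificate2 Export method and the CertificateDomains/HasPrivateKey properties. The thumbprint is read back from the store and checked before Enable-ExchangeCertificate is run, which is where the original question's "cannot be found / no key / thumbprint incorrect" errors came from.

```powershell
# Added example (not from the thread): self-signed SAN certificate on an Exchange 2007 CAS,
# enabled by a thumbprint read back from the store rather than typed by hand.
# All host names and paths below are constructed placeholders; replace them with your own.

$externalName = "mail.example.com"            # Common Name, the name remote clients connect to
$sanNames     = @(
    "mail.example.com",
    "autodiscover.example.com",               # Outlook 2007 Autodiscover lookup
    "cas01.corp.example.local",               # internal FQDN used by domain-joined Outlook
    "cas01"                                   # internal NetBIOS name
)

# 1. Create the certificate. Without -GenerateRequest, New-ExchangeCertificate issues a
#    self-signed certificate straight into the local machine store, which is why the
#    question's Get-ExchangeCertificate already showed it there.
$cert = New-ExchangeCertificate `
    -SubjectName "cn=$externalName" `
    -DomainName $sanNames `
    -FriendlyName "Exchange 2007 self-signed SAN" `
    -PrivateKeyExportable $true `
    -KeySize 2048

# 2. Re-read it from the store by its own thumbprint and sanity-check it before enabling.
#    HasPrivateKey and CertificateDomains (assumed property names) are the two things that
#    went wrong in the question: "does not have the key" and "cannot be found".
$check = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
if (-not $check.HasPrivateKey) { throw "Certificate has no private key; enabling it will fail." }
$missing = $sanNames | Where-Object { $check.CertificateDomains -notcontains $_ }
if ($missing) { throw "SAN list is missing: $($missing -join ', ')" }

# 3. Bind it to the services. Passing the object's Thumbprint avoids a mistyped hex string.
Enable-ExchangeCertificate -Thumbprint $check.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# 4. Point the Autodiscover SCP and the web-service URLs at the name in the certificate,
#    as the answer above recommends, so Outlook 2007 stops warning about a name mismatch.
$casServer = $env:COMPUTERNAME
Set-ClientAccessServer -Identity $casServer `
    -AutoDiscoverServiceInternalUri "https://$externalName/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$casServer\EWS (Default Web Site)" `
    -InternalUrl "https://$externalName/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$casServer\OAB (Default Web Site)" `
    -InternalUrl "https://$externalName/OAB"

# 5. Export only the public half (no private key) for remote clients and mobile devices.
#    A self-signed certificate is its own issuer, so this .cer is what goes into their
#    Trusted Root Certification Authorities store.
$cerPath = "C:\certs\exchange-selfsigned.cer"
[System.IO.File]::WriteAllBytes($cerPath,
    $check.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

# On each remote client, or from a logon script / GPO (the "can be automated" part above):
#   certutil -addstore Root C:\certs\exchange-selfsigned.cer
```

Only the DER-encoded public certificate leaves the server; the exportable private key stays in the machine store, and the clients get exactly one trust anchor, scoped to the names in the SAN list.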
 

Expert Comment

by:abserv
ID: 23203823
I am implementing Exchange 2007 SP1 Enterprise in a CCR environment. Microsoft seems to have NO documentation regarding SAN/UCC SSL *AT ALL*.... On the Exchange team blog I found 3 "recommended" vendors (youhadmeatehlo), but I cannot find anything on an "official" Microsoft site. What exactly do I need certs for, aside from the obvious OWA? Can anyone point me to any documentation on an official Microsoft site regarding this new type of cert? I am probably going with DigiCert, as the best author I have found, Henrik Walther, recommends them.....

http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html
 

Expert Comment

by:abserv
ID: 23205589
 

Assisted Solution

by:aimitg
aimitg earned 166 total points
ID: 23685981
I bought a certificate from http://certificateforexchange.com and so far all is working good. All you have to do is follow the procedure for the GoDaddy certificate, which is: install the intermediate certificate name.p7b using the certificate MMC console, and then import the file.crt using the Import-ExchangeCertificate command.
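The commercial-certificate procedure described in this post, carried through as an added Exchange Management Shell example (not the poster's own steps, not vendor instructions). File names, the organisation and the host names are constructed placeholders; it assumes Import-ExchangeCertificate returns the imported certificate object. certutil replaces the MMC import of the intermediate bundle so the whole sequence is scriptable, and the chain is validated before the certificate is enabled, which is the check that catches a skipped intermediate install.

```powershell
# Added example (not the poster's own steps): commercial UCC certificate on Exchange 2007.
# File names, organisation and host names are constructed placeholders.

# 1. Generate the request. -GenerateRequest writes a Base64 CSR to -Path instead of
#    creating a self-signed certificate; the private key stays in the local machine store.
$names = "mail.example.com", "autodiscover.example.com", "cas01.corp.example.local"
New-ExchangeCertificate -GenerateRequest -Path "C:\certs\exchange.csr" `
    -SubjectName "c=US, o=Example Corp, cn=mail.example.com" `
    -DomainName $names -PrivateKeyExportable $true -KeySize 2048

# 2. After the CA returns the files: install the intermediate bundle FIRST (the step the
#    accepted answer says most people skip). certutil is the scriptable equivalent of the
#    MMC import; "CA" is the Intermediate Certification Authorities store.
certutil -addstore CA "C:\certs\intermediates.p7b"

# 3. Import the issued certificate. It is matched to the pending request/private key
#    created in step 1, so it must be imported on the same server that made the CSR.
#    (Assumes the cmdlet returns the certificate object, as it does when displayed.)
$cert = Import-ExchangeCertificate -Path "C:\certs\mail.example.com.crt"

# 4. Verify the chain builds before enabling. A missing intermediate shows up here, not
#    only in browsers; X509Chain is the same validation Windows clients perform.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Chain does not validate; check the Intermediate Certification Authorities store."
}
if (-not $cert.HasPrivateKey) {
    throw "Imported certificate has no private key; import it on the server that generated the CSR."
}

# 5. Bind the verified certificate to the services that need it.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"
```

If step 4 fails with a "partial chain" status the intermediate bundle was not installed into the right store; if it fails with an untrusted root, the issuing CA's root is not in the server's Trusted Root store and clients will show the same error.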
 
LVL 1

Expert Comment

by:canuc0
ID: 25029167
Excellent comment from Netometer above! Very helpful
Aimitg - good to hear from someone with experience with http://www.certificatesforexchange.com/ (note the typo in your post). We're going to go with them, and solve the problem with self-signed once and for all! The time and effort spent with self-signed certs costs more than $60/yr! (I think I just convinced myself too!)
 

Assisted Solution

by:mvandenberg
mvandenberg earned 166 total points
ID: 25408241
mrmom-ron,

I was dealing with the same issue, and apart from money spent, we had to deal with a technical challenge - as the internal domain name being used (historically) is a public one owned by someone else. Any public CA would (and should) reject such a request. In order to resolve the issue for the time being we opted for a self-signed SAN certificate.

After some research I came across the following brilliant article (which proved it is possible):

http://www.exchangeinbox.com/article.aspx?i=127

Following these instructions I had the SAN certificate working in no time. I also exported the certificate on a WM6 device - also working fine.

Cheers,

Mark