Solved

can Public SAN certificate work without Exchange 2007 Hostname

Posted on 2008-10-23
9
246 Views
Last Modified: 2012-05-05
We are going to register a SAN certificate with Entrust, which we will issue to our Exchange 2007 CAS server. We have registered a domain, e.g. domain.com, on the internet. But internally we use a different domain for AD and Exchange, e.g. xyz.com. We have generated the SAN request and sent it to Entrust; they are saying that you can't put xyz.com on the SAN certificate because it's not registered in your name. I have added all domain names during certificate file generation:

new-exchangecertificate -generaterequest -subjectname "c=india,o=ABC Corp,CN=webmail.domain.com" -domainname webmail.domain.com,autodiscover.domain.com,cas01.xyz.com,cas01 -Friendlyname "ABC Mail Certificate" -path c:\certreq.txt -privatekeyexportable:$true

Now the request file has the xyz.com entry (the internal domain name used in AD). So my question is: if I remove the xyz.com entries, will my certificate have any problems (internal network or external network) while working with mail, e.g. RPC, OWA or Outlook within the LAN?

Please suggest.
0
Question by:fextech
9 Comments
 
LVL 4

Expert Comment

by:futurefiles
ID: 22788797
It can, but I think you will get a warning on the Outlook clients if the hostname is not in the SAN. The warning would be displayed every time you open Outlook, if I remember correctly.
0
 
LVL 4

Expert Comment

by:futurefiles
ID: 22788821
Whatever server has the Hub/CAS role installed needs to be on the SAN as a hostname, i.e. DNS Name=exchange.abc.local
0
 

Author Comment

by:fextech
ID: 22788843
In my case we are not using .local but .com, e.g. xyz.com, and it's registered by somebody else.
Are you using a public certificate, or do you have one issued through an internal CA (Microsoft)?
0
 
LVL 4

Expert Comment

by:futurefiles
ID: 22789006
Public from Entrust
Why are you using someone else's domain name? You're gonna be stuck, I think.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22789522
I assume by Entrust you are speaking of their commercial CA service, not their in-house CA product for your own internal certs.

If your internal domain ends in .com and you do not own that .com address, especially if someone else does, then it would not pass their vetting process and they must deny the request in order to maintain their integrity.  Otherwise they are certifying that you have rights to that .com, which you do not.

If it was a .local or a secondary .com that you could prove ownership of, then they would not likely have an issue with it.  This is one of those cases where technically it is possible, but it would probably not be legal for them to do so.
0
 

Author Comment

by:fextech
ID: 22802053
That's correct. Legally it is not correct to put some other domain in your own domain. But I don't know what's going to happen when users are accessing mail internally, if I don't put my internal domain name in the certificate.

I also have a doubt that the certificate message will keep on prompting users when they are working in Outlook internally. Have you ever encountered such a situation?
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 22811998
If they try accessing it securely and the name is not there, it will always generate a warning.  If they accept it then it will be secured, but they will get prompted each time they log in to check their mail.

Depending on your security requirements, you might be able to get away with having unsecured connections across the LAN.  This is all up to your corporate security policy.  

If you cannot do this, then I would recommend looking into getting your improperly set up internal domain name migrated to a proper .local domain.  Here are a few links in this area - be aware of whatever apps you are running and how migration might affect them:

Windows Server 2003 Active Directory Domain Rename Tools
http://www.microsoft.com/technet/downloads/winsrvr/domainrename.mspx

Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup)
http://www.microsoft.com/downloads/details.aspx?familyid=24b47d4a-c4b9-4031-b491-29839148a28c&displaylang=en

Rename a Windows 2003 Forest with Exchange 2003 installed
http://www.msexchange.org/tutorials/Domain-Rename.html
0
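An added example, not from this thread, to check in advance which client-facing hostnames a certificate's SAN list covers, using the names from the question's request with the xyz.com entries removed as the asker proposes. The matching rule (exact match, or a wildcard standing for exactly one leftmost label) is the standard one browsers and Outlook apply; the SAN and client name lists are constructed here.

```python
# Constructed: the SAN names that would remain after dropping the internal
# xyz.com entries from the request in the question.
PUBLIC_SAN = ["webmail.domain.com", "autodiscover.domain.com"]

# Constructed: every name a client might use to reach the CAS, taken from the
# -domainname list in the question's New-ExchangeCertificate request.
CLIENT_NAMES = ["webmail.domain.com", "autodiscover.domain.com",
                "cas01.xyz.com", "cas01"]


def name_matches(pattern, hostname):
    """Match one SAN entry against a hostname (case-insensitive).

    A wildcard is honoured only as the whole leftmost label, it must leave at
    least two further labels (so "*.com" never matches), and it stands for
    exactly one label ("*.domain.com" covers webmail.domain.com but neither
    domain.com nor a.b.domain.com).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covered_by_certificate(hostname, san_names):
    """True if any SAN entry covers the hostname."""
    return any(name_matches(p, hostname) for p in san_names)


def mismatch_report(client_names, san_names):
    """Return the client names that would raise a name-mismatch warning."""
    return [h for h in client_names if not covered_by_certificate(h, san_names)]


if __name__ == "__main__":
    for host in mismatch_report(CLIENT_NAMES, PUBLIC_SAN):
        print(f"warning expected: {host} is not covered by {PUBLIC_SAN}")
```

Running it lists cas01.xyz.com and the bare cas01 as the names that would still prompt internal Outlook and OWA users, which is the situation the accepted answer describes.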
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24061573
I'm just checking in on old posts today... Are you still having this issue?  If so, please let me know so I can help some more; if not, please close accordingly.
0
