fextech asked:
Can a public SAN certificate work without the Exchange 2007 hostname?

We are going to register a SAN certificate with Entrust, which we will issue to our Exchange 2007 CAS server. We have registered a domain on the internet, e.g. domain.com, but internally we use a different domain for AD and Exchange, e.g. xyz.com. We have generated the SAN request and sent it to Entrust; they are saying that we can't put xyz.com on the SAN certificate because it's not registered in our name. I added all domain names during certificate request generation:

New-ExchangeCertificate -GenerateRequest -SubjectName "c=india,o=ABC Corp,CN=webmail.domain.com" -DomainName webmail.domain.com,autodiscover.domain.com,cas01.xyz.com,cas01 -FriendlyName "ABC Mail Certificate" -Path c:\certreq.txt -PrivateKeyExportable:$true

Now the request file has xyz.com entries (the internal domain name used in AD). So my question is: if I remove the xyz.com entries, will my certificate have any problems (on the internal network or the external network) when working with mail, e.g. RPC, OWA or Outlook within the LAN?

Please suggest.
futurefiles:
It can, but I think you will get a warning on the Outlook clients if the hostname is not in the SAN. The warning would be displayed every time you open Outlook, if I remember correctly.
Whatever server has the Hub/CAS role installed needs to be on the SAN as a hostname, i.e. DNS Name=exchange.abc.local
fextech (asker):
In my case we are not using .local but .com, e.g. xyz.com, and it's registered by somebody else.
Are you using a public certificate, or do you have one issued through an internal CA (Microsoft)?
Public, from Entrust.
Why are you using someone else's domain name? You're gonna be stuck, I think.
Paranormastic:
I assume by Entrust you are speaking of their commercial CA service, not their in-house CA product for your own internal certs.

If your internal domain ends in .com and you do not own that .com address, especially if someone else does, then it would not pass their vetting process and they must deny the request in order to maintain their integrity. Otherwise they are certifying that you have rights to that .com, which you do not.

If it was a .local or a secondary .com that you could prove ownership of, then they would not likely have an issue with it. This is one of those cases where technically it is possible, but it would probably not be legal for them to do so.
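As an added example (not code from this thread or from Exchange), the following Python script checks the two points raised above: which entries of a SAN request a public CA can vouch for, given the domains the requester can prove it controls, and which hostnames internal clients connect to would be left without a matching SAN entry, which is what produces the Outlook name-mismatch warning. The requested names are taken from the New-ExchangeCertificate command in the question; the owned-domain list and the internal client hostnames are assumptions. The hostname match follows the usual dNSName rules (case-insensitive, a wildcard only as the whole leftmost label covering exactly one label), so it also handles a wildcard certificate, which the thread does not discuss.

```python
# Added example (not from the thread): split an Exchange SAN request into the names a
# public CA can vouch for and the names it will refuse, then list which hostnames that
# internal Outlook/OWA clients connect to are left without a matching SAN entry.

# Constructed sample input: the -DomainName list from the request in the question.
REQUESTED_SANS = ["webmail.domain.com", "autodiscover.domain.com", "cas01.xyz.com", "cas01"]
# Assumption: domain.com is the only registered domain the organisation can prove it controls.
OWNED_DOMAINS = ["domain.com"]
# Assumption: the names internal clients actually use to reach the CAS server.
INTERNAL_CLIENT_HOSTS = ["cas01.xyz.com", "cas01"]


def normalise(name):
    """DNS names are case-insensitive and a trailing dot is not part of the name."""
    return name.strip().lower().rstrip(".")


def is_publicly_issuable(name, owned_domains):
    """A public CA only certifies names under domains the requester controls.
    Single-label hosts (no dot) and names under somebody else's domain are refused."""
    name = normalise(name)
    if "." not in name:
        return False
    for owned in map(normalise, owned_domains):
        if name == owned or name.endswith("." + owned):
            return True
    return False


def san_matches_host(san, host):
    """Match a hostname against one dNSName SAN entry: case-insensitive, and a wildcard
    is allowed only as the whole leftmost label, where it covers exactly one label
    (*.domain.com matches a.domain.com but neither a.b.domain.com nor domain.com)."""
    san, host = normalise(san), normalise(host)
    if san.startswith("*."):
        san_labels, host_labels = san.split("."), host.split(".")
        return (len(host_labels) == len(san_labels)
                and host_labels[0] != ""
                and host_labels[1:] == san_labels[1:])
    return san == host


def partition_request(requested, owned_domains):
    """Return (issuable, rejected), each preserving the order of the request."""
    issuable = [n for n in requested if is_publicly_issuable(n, owned_domains)]
    rejected = [n for n in requested if not is_publicly_issuable(n, owned_domains)]
    return issuable, rejected


def uncovered_hosts(cert_sans, client_hosts):
    """Hostnames that no SAN entry matches; a client connecting to one of these
    sees a certificate name-mismatch warning."""
    return [h for h in client_hosts if not any(san_matches_host(s, h) for s in cert_sans)]


if __name__ == "__main__":
    issuable, rejected = partition_request(REQUESTED_SANS, OWNED_DOMAINS)
    print("CA will issue for :", issuable)
    print("CA will refuse    :", rejected)
    print("Internal hosts left uncovered:", uncovered_hosts(issuable, INTERNAL_CLIENT_HOSTS))
```

Run against the sample input, the two domain.com names are issuable, cas01.xyz.com and cas01 are refused, and both internal hostnames come back uncovered, which is the situation futurefiles describes: the certificate is valid, but any client that reaches the CAS server by an internal name will warn on every connection.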
fextech (asker):
That's correct. Legally it is not correct to put some other domain in your own domain. But I don't know what's going to happen when users are accessing mail internally, if I don't put my internal domain name in the certificate.

I also have a doubt that the certificate message will keep on prompting users when they are working in Outlook internally. Have you ever encountered such a situation?
ASKER CERTIFIED SOLUTION
Paranormastic:
This solution is only available to members of Experts Exchange.
I'm just checking in on old posts today... Are you still having this issue? If so, please let me know so I can help some more; if not, please close accordingly.