Solved

How do I create an Exchange SSL certificate for both the public and local FQDNs?

Posted on 2008-10-24
Last Modified: 2012-05-05
I have a recently installed Exchange 2007 server running SP1 on a 2008 server 64-bit box.  I am not the SSL expert, but I purchased a certificate from "instantssl" and got it working for all of my external stuff (OWA and mobile devices via ActiveSync).  My problem is that everything internally gets a certificate mismatch error.  The problem is the difference between my local FQDN and my public FQDN.  For external OWA and mobile devices, they connect to "onename.publicdomain.com".  This is the name that I purchased my SSL certificate for.  So everything outside works great.  However, inside the organization, OWA and Outlook clients connect to othername.localdomain.com.  Notice that not only are the hostnames different, but so are the domain names.  I have set up an A record in my internal DNS to redirect my public FQDN to my inside server IP address, but I still get a name mismatch error.

So my question is, is there a way to get a certificate issued for both the public and local FQDN?  If not, I know I can create a local certificate, but how can I apply them both to Exchange.  I'm also new to Exchange 07.  It seems that through the management shell, you can only apply one certificate thumbprint to Exchange (IIS, IMAP, and POP).  Any ideas, oh knowledgeable community?
Question by:Jake Pratt
6 Comments
Expert Comment

by:Paranormastic
ID: 22798051

Author Comment

by:Jake Pratt
ID: 22798313
Thanks, but that article doesn't really tell me anything I don't already know.  It says that if I apply a self-signed certificate to my Exchange services, it will overwrite the public certificate that I bought, which is part of my problem.  It mentions that I can apply my public certificate to ISA, then use a self-signed certificate locally, but I don't know how to do that.  That's part of the question I asked on this post.  Any help with that?  Thanks.
Accepted Solution

by:
Paranormastic earned 500 total points
ID: 22798564
Is the internal domain actually a .com or an internal extension like .local?  If it is .com, do you own that .com as well?  If either of these is yes, then you could add those along with the external to a UCC cert - just contact the commercial CA and they can work with you to get one of those set up and apply the price from the original cert to the UCC.

If it is a .com that you do not own, then you would need to do this through ISA.

For setting up a cert in ISA and self-signed in Exchange:
http://www.isaserver.org/tutorials/Generating-SSL-Certificates-Exchange-2007-ISA-Server-2006.html

For configuring ISA:
http://technet.microsoft.com/en-us/library/aa997148(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/bb331961(EXCHG.80).aspx

If you need more let me know.
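The UCC route the accepted answer describes, as an added worked example that is not part of the original thread or of any Microsoft documentation: request one certificate whose Subject Alternative Name lists both the public and the internal FQDN, import the issued certificate, check that both names are really on it before binding, and bind it. It assumes the Exchange 2007 SP1 Management Shell on the Client Access server, the two hostnames from the question, an assumed server name EXCH01, and invented organisation details and file paths; replace all of those. The InternalUrl changes at the end are included because Outlook validates the names it learns from Autodiscover, not only the name the user typed, so an internal URL that still carries an uncovered name keeps producing the mismatch prompt even after the certificate is right.

```powershell
# Added example, not from the original thread. Exchange 2007 SP1 Management Shell.
$publicName   = "onename.publicdomain.com"     # name on the existing commercial cert (from the question)
$internalName = "othername.localdomain.com"    # name internal Outlook/OWA clients use (from the question)
$autodiscover = "autodiscover.publicdomain.com" # Outlook 2007 tries this name; assumed
$serverName   = "EXCH01"                        # assumed CAS server name
$reqPath      = "C:\certs\exchange-ucc.req"     # assumed paths
$cerPath      = "C:\certs\exchange-ucc.cer"     # what the CA returns for the request

# 1. Generate the CSR. CN is the public name; every name a client may connect to goes
#    in -DomainName so it lands in the Subject Alternative Name extension.
#    Exchange 2007 writes the request to -Path (Exchange 2010+ drops -Path; pipe to Set-Content there).
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$publicName,O=Example Org,C=US" `
    -DomainName $publicName, $internalName, $autodiscover `
    -KeySize 2048 -PrivateKeyExportable $true -FriendlyName "Exchange UCC" `
    -Path $reqPath

# 2. Submit exchange-ucc.req to the commercial CA as a UCC/SAN request, save the issued
#    certificate as exchange-ucc.cer, then import it. The import pairs it with the
#    pending private key from step 1.
$imported = Import-ExchangeCertificate -Path $cerPath
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint

# 3. Verify every required name is present before binding, so a certificate that still
#    lacks a name never replaces the working one. CertificateDomains holds domain objects,
#    so compare on their string form.
$onCert  = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing = @($publicName, $internalName, $autodiscover) | Where-Object { $onCert -notcontains $_.ToLower() }
if ($missing) { throw "Certificate $($cert.Thumbprint) is missing names: $($missing -join ', ')" }

# 4. Bind it. Enabling IIS replaces whatever certificate IIS currently uses, so this is
#    the point at which the old single-name certificate stops serving HTTPS.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# 5. Point the internal URLs that Autodiscover hands to Outlook at a name the certificate
#    covers. Identity strings follow the default virtual directory names.
Set-ClientAccessServer -Identity $serverName `
    -AutoDiscoverServiceInternalUri "https://$publicName/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$serverName\EWS (Default Web Site)" `
    -InternalUrl "https://$publicName/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$serverName\OAB (Default Web Site)" `
    -InternalUrl "https://$publicName/OAB"

# 6. Show the final state: which services the certificate now serves and every name on it.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, Services, CertificateDomains, NotAfter, IsSelfSigned
```

Step 5 relies on the internal DNS A record already mentioned in the question (the public name resolving to the internal server address), otherwise internal clients would follow the new URLs out to the firewall.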
Author Comment

by:Jake Pratt
ID: 22798681
Thanks for the info.  I was actually taking a look at a UCC certificate, but they're about 3 times as much.  I am reading through your articles right now, and it looks like using ISA is the solution I'm looking for.  I'll see if I can get this deployed.  Thanks for your help.  If it works, I'll accept your solution.
Author Comment

by:Jake Pratt
ID: 22814304
I did not end up using ISA.  It seemed like it was going to be more trouble than it was worth.  I'm in the process of purchasing a UCC certificate.  We did not own our internal .com domain name, but I just purchased it, so I could get the UCC to work.

For anyone else who is having this same problem, I think I did find a way to get this to work without buying a UCC or installing ISA (even though I ended up going with a UCC).  I had my general purpose SSL certificate that I purchased installed, and applied to exchange.  Then, I tried to apply my self-signed certificate to exchange by using this command in the exchange shell:

Enable-ExchangeCertificate -thumbprint <thumbprint> -services "IIS,SMTP,IMAP,POP"

After applying that, it gave me a message that said something to the effect of "you already have a public certificate installed, this certificate will only work for internal connections" or something like that.  But that's exactly what I was looking for.  I tested it from the inside, and voilà! no more certificate mismatches.  Now, I didn't get a chance to test it from the outside before I made a couple more changes, but I'm pretty sure this will work.

Thanks for your help Paranormastic
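A check to run after either approach (the second Enable-ExchangeCertificate the author describes, or a UCC), as an added example that is not part of the original thread: from an internal workstation, connect to each OWA URL, capture the certificate the server actually presents, and report whether the hostname matches its CN or one of its DNS Subject Alternative Names. This is the test that tells you which certificate internal versus external names really get, rather than inferring it from the shell's message. It assumes Windows PowerShell 2.0 or later on the client (the scriptblock-to-callback cast does not work in 1.0) and uses the two hostnames from the question; no Exchange cmdlets are needed.

```powershell
# Added example, not from the original thread. Run on an internal workstation with PowerShell 2.0+.
$urls = @("https://othername.localdomain.com/owa",   # internal name from the question
          "https://onename.publicdomain.com/owa")     # public name from the question

function Get-PresentedCertificate {
    param([string]$Url)
    # Accept any certificate for this probe only, so a name mismatch does not abort the
    # handshake before we can read the certificate. The callback is restored afterwards.
    $saved = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    try {
        $req = [System.Net.HttpWebRequest]::Create($Url)
        $req.Method = "HEAD"
        $req.AllowAutoRedirect = $false
        # 401/403 from OWA still complete the TLS handshake, so swallow the WebException.
        try { $req.GetResponse().Close() } catch [System.Net.WebException] { }
        $raw = $req.ServicePoint.Certificate
        if ($raw -eq $null) { return $null }
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $raw
    } finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $saved
    }
}

function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim() }
    # Subject Alternative Name extension (OID 2.5.29.17); Format($false) yields
    # "DNS Name=a.example.com, DNS Name=b.example.com".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    $names | Select-Object -Unique
}

function Test-HostnameMatch {
    param([string]$Hostname, [string[]]$Names)
    foreach ($n in $Names) {
        if ($n -ieq $Hostname) { return $true }
        # RFC 2818 style wildcard: *.example.com matches exactly one leftmost label.
        if ($n.StartsWith("*.") -and
            $Hostname -imatch ('^[^.]+' + [regex]::Escape($n.Substring(1)) + '$')) { return $true }
    }
    return $false
}

foreach ($url in $urls) {
    $hostname = ([System.Uri]$url).Host
    $cert = Get-PresentedCertificate $url
    if (-not $cert) { Write-Warning "${url}: no certificate presented (connection failed?)"; continue }
    $names  = Get-CertificateNames $cert
    $status = if (Test-HostnameMatch $hostname $names) { "MATCH" } else { "MISMATCH" }
    "{0,-32} {1,-8} issuer={2} names={3}" -f $hostname, $status, $cert.Issuer, ($names -join ";")
}
```

A self-signed certificate will show MATCH here for the internal name while still failing on clients that do not trust its issuer; the script checks only the name, which is the error the thread is about, not the chain.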
Author Closing Comment

by:Jake Pratt
ID: 31509692
Thanks again for your help.  Even though I found the exact solution I was looking for without your help, you still provided me with very useful info, and I'm still awarding you all the points.