Jake Pratt
asked on
How do I create an Exchange SSL certificate for both the public and local FQDNs?

I have a recently installed Exchange 2007 server running SP1 on a 2008 server 64-bit box.  I am not the SSL expert, but I purchased a certificate from "instantssl" and got it working for all of my external stuff (OWA and mobile devices via ActiveSync).  My problem is that everything internally gets a certificate mismatch error.  The problem is the difference between my local FQDN and my public FQDN.  For external OWA and mobile devices, they connect to "onename.publicdomain.com".  This is the name that I purchased my SSL certificate for.  So everything outside works great.  However, inside the organization, OWA and Outlook clients connect to othername.localdomain.com.  Notice that not only are the hostnames different, but so are the domain names.  I have set up an A record in my internal DNS to redirect my public FQDN to my inside server IP address, but I still get a name mismatch error.

So my question is, is there a way to get a certificate issued for both the public and local FQDN?  If not, I know I can create a local certificate, but how can I apply them both to Exchange?  I'm also new to Exchange 07.  It seems that through the management shell, you can only apply one certificate thumbprint to Exchange (IIS, IMAP, and POP).  Any ideas, oh knowledgeable community?
Paranormastic

Jake Pratt
ASKER
Thanks, but that article doesn't really tell me anything I don't already know.  It says that if I apply a self-signed certificate to my Exchange services, it will overwrite the public certificate that I bought, which is part of my problem.  It mentions that I can apply my public certificate to ISA, then use a self-signed certificate locally, but I don't know how to do that.  That's part of the question I asked on this post.  Any help with that?  Thanks.
ASKER CERTIFIED SOLUTION
Paranormastic
Thanks for the info.  I was actually taking a look at a UCC certificate, but they're about 3 times as much.  I am reading through your articles right now, and it looks like using ISA is the solution I'm looking for.  I'll see if I can get this deployed.  Thanks for your help.  If it works, I'll accept your solution.
I did not end up using ISA.  It seemed like it was going to be more trouble than it was worth.  I'm in the process of purchasing a UCC certificate.  We did not own our internal .com domain name, but I just purchased it, so I could get the UCC to work.

For anyone else who is having this same problem, I think I did find a way to get this to work without buying a UCC or installing ISA (even though I ended up going with a UCC).  I had my general purpose SSL certificate that I purchased installed, and applied to Exchange.  Then, I tried to apply my self-signed certificate to Exchange by using this command in the Exchange shell:

Enable-ExchangeCertificate -thumbprint <thumbprint> -services "IIS,SMTP,IMAP,POP"

After applying that, it gave me a message that said something to the effect of "you already have a public certificate installed, this certificate will only work for internal connections" or something like that.  But that's exactly what I was looking for.  I tested it from the inside, and voila! no more certificate mismatches.  Now, I didn't get a chance to test it from the outside before I made a couple more changes, but I'm pretty sure this will work.

Thanks for your help, Paranormastic.
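As an added example (not code from the thread or from Microsoft), the UCC/SAN route the asker settled on, written in Exchange 2007 SP1 Management Shell syntax: one request that lists both the public and the internal FQDN as Subject Alternative Names, and a check that the issued certificate really carries both names before it is enabled for services. Hostnames, file paths and the friendly name are placeholders.

```powershell
# Added example, not from the original thread. Names and paths are placeholders;
# the cmdlet syntax is Exchange 2007 SP1's (-Path for the request/cert file).

$publicName   = "onename.publicdomain.com"    # name external OWA/ActiveSync clients use
$internalName = "othername.localdomain.com"   # name internal Outlook/OWA clients use

# 1. One request carrying BOTH names as SANs; the CN is the public name.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$publicName" `
    -DomainName $publicName, $internalName `
    -PrivateKeyExportable $true `
    -FriendlyName "Exchange UCC" `
    -Path "C:\certreq\exchange-ucc.req"

# 2. After the CA issues the certificate, import it; the returned object
#    carries the thumbprint that Enable-ExchangeCertificate needs.
$imported = Import-ExchangeCertificate -Path "C:\certreq\exchange-ucc.cer"

# 3. Verify the certificate covers every required name before enabling it.
function Test-CertCoversNames {
    param([string]$Thumbprint, [string[]]$RequiredNames)
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    # OID 2.5.29.17 is the Subject Alternative Name extension.
    $san   = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    $names = @()
    if ($san) {
        # Format() prints lines like "DNS Name=host.example.com" (English locale).
        $names += ([regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
                   ForEach-Object { $_.Groups[1].Value })
    }
    # A certificate with no SAN extension only covers its CN.
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $missing = $RequiredNames | Where-Object { $names -notcontains $_ }
    if ($missing) {
        Write-Warning "Certificate does not cover: $($missing -join ', ')"
        return $false
    }
    return $true
}

if (Test-CertCoversNames -Thumbprint $imported.Thumbprint -RequiredNames $publicName, $internalName) {
    Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services "IIS,SMTP,IMAP,POP"
}
```

The SAN check parses the English "DNS Name=" label that .NET's Format() emits; on a non-English server adjust the pattern, or compare against the CertificateDomains property that Get-ExchangeCertificate displays.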
Thanks again for your help.  Even though I found the exact solution I was looking for without your help, you still provided me with very useful info, and I'm still awarding you all the points.