How can I properly request an SSL certificate for an internal domain

SSEHelpDesk
Asked:
I need an SSL certificate for my Windows 2003 domain controller and Exchange server for LDAPS and POP3S communication with the company that provides our email archiving. I've requested the SSL certificate using the CN name of my domain controller. The problem is that our internal domain name is the same as a registered public domain. Is there a way to make this work without renaming my internal domain?
Commented:
If it is for external traffic then you request it for the common name of whatever the server is referenced on the internet.
So if the remote site is connecting to your server as mail.example.com then that is what you ask for the certificate. The real name of the server doesn't matter. As long as it resolves to what is expected then that is all that is required.

Simon.
Dave Howe, Software and Hardware Engineer

Commented:
Your best bet is to manipulate the fact you are in fact using an internal domain, and issue your own certificate, for free.

That is easy, but gives you the corresponding issue that the users' machines won't by default accept a certificate signed by you. But given you control the users' machines also, it is not difficult to push out a CA certificate to all workstations so that it *will* be accepted. You can do this via group policy, login script, or any remote technology you happen to have (at its heart, a certificate is just a registry key in Windows).

Author

Commented:
There is no common name for my domain controller on the Internet though. It's an internal server, and I need to open the LDAPS port on my firewall for them to access this server with LDAPS by its public IP address. My Exchange server can be accessed externally, and I could use that, but I was told that the FQDN of the domain controller is what the CN name needs to be.
This will not be used for any workstations on my internal network. It's for communication with our 3rd-party mail archiving solution. Thanks.
Dave Howe, Software and Hardware Engineer
Commented:
Well, in that case the certificate should match your external name, not the internal one.

If you need this to work internally too, create a second LDAPS listener (on a second IP) and give that an internal certificate.
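Simon's answer and Dave's two replies turn on the same rule: the certificate must carry the name (or the IP literal) the remote side actually connects with, not the server's internal FQDN. As an added example, not taken from this thread, here is a Python implementation of that name-matching check; the hostnames and the documentation-range IP are constructed placeholders modelling the question.

```python
import ipaddress
from typing import Iterable, Optional


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS name match: '*' is allowed only as the entire
    left-most label, never spans a dot, and never matches the bare parent."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_target(target: str, subject_cn: Optional[str],
                        san_dns: Iterable[str] = (), san_ip: Iterable[str] = ()) -> bool:
    """True if a certificate carrying these names is valid for the name or IP
    literal the client actually connects with. subjectAltName wins; the CN is
    consulted only when the certificate has no SAN extension at all."""
    san_dns, san_ip = list(san_dns), list(san_ip)
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        # An IP-literal connection needs an iPAddress SAN; a CN never satisfies it.
        return any(ipaddress.ip_address(ip) == target_ip for ip in san_ip)
    if san_dns or san_ip:
        return any(_dns_match(p, target) for p in san_dns)
    return subject_cn is not None and _dns_match(subject_cn, target)


def archiving_scenario() -> dict:
    """Constructed values modelling the question: the DC's internal FQDN is a
    name the asker cannot prove public ownership of, and the archiving provider
    reaches the DC by its public IP (documentation range 203.0.113.0/24)."""
    internal_fqdn = "dc1.corp.example.com"  # constructed placeholder, not a real host
    public_ip = "203.0.113.10"              # constructed placeholder
    return {
        "cn_only_reached_by_ip": cert_matches_target(public_ip, internal_fqdn),
        "ip_san_reached_by_ip": cert_matches_target(public_ip, internal_fqdn, san_ip=[public_ip]),
        "external_name": cert_matches_target("mail.example.com", "mail.example.com"),
        "wildcard_host": cert_matches_target("mail.example.com", None, san_dns=["*.example.com"]),
        "wildcard_parent": cert_matches_target("example.com", None, san_dns=["*.example.com"]),
        "cn_ignored_when_san_present": cert_matches_target(
            internal_fqdn, internal_fqdn, san_dns=["mail.example.com"]),
    }
```

The first two scenario entries show why a CN-only certificate for the DC fails when the provider connects by public IP, and that an iPAddress SAN (or a public name resolving to that IP, as Simon describes) is what fixes it.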

Author

Commented:
The external domain name we use is completely different from the internal domain, so this won't work for my DC.
