bhgewilson asked:
What SAN do I need

My domain name is
dolphinteac.com

My server name is ad-svr.dt.local
My MX record will be mail.dolphinteac.com

I think my common name should be mail.dolphinteac.com.
Should my SAN be:

ad-svr.dt.local
ad-svr
autodiscover.dolphinteac.com
autodiscover.dt.local
hudsonm:
You'll need the OWA URL (mail.dolphinteac.com), the autodiscover URL (autodiscover.dolphinteac.com) and the internal FQDN of the Exchange server (ad-svr.dt.local). You don't need NetBIOS names in your SANs, nor do you need autodiscover.dt.local.

Are you using the Exchange management shell to create your certificate request or are you going about this directly on your certificate authority's website?
I have to disagree with the above about not having the NetBIOS name in the certificate. It can cause problems if it is not in there. If you are using UM it must be in there; if it isn't, then Exchange simply generates a self-signed certificate.

You do not need autodiscover.domain.local.

I have instructions on the full process here:
http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

Simon.
bhgewilson (asker):
I have been working on this for a while. I did do the NetBIOS name and I have Outlook working with the local server name. Now OWA is stalling. I tried to go into Enable-ExchangeCertificate and put in the thumbprint. This tells me that the thumbprint cannot be found:

"The certificate with thumbprint "XXX" was not found."
Line1 Char27.

I have the right SAN names but I fear that I need to disable and re-enable a cert and I am not sure how.
You have bought the certificate and installed it?
If you run Get-ExchangeCertificate it will show you the currently installed certificates and their thumbprints.

Simon.
Yes I tried two different things.

1. I tried to import it and I got the message that it cannot import as there is already a certificate with thumbprint 4afn........
and it fails.

2. I tried Get-ExchangeCertificate and showed the full output, and it does not show this thumbprint.

3. I tried to enable all certificates from Get-ExchangeCertificate and it only works on the server NetBIOS name. The thumbprint it shows in import should be able to be enabled also, right?

Brad
Let's just be clear here.
You generated the request and sent it to the provider.
The provider returned the certificate and you then ran the import command?

At that point, if you run Get-ExchangeCertificate, the new certificate should show with no services next to it.

The thumbprint changes from what you have received from the certificate provider to what is installed in Exchange.

If you run Get-ExchangeCertificate | fl it will show you the complete list, which includes who issued the certificate.

Simon.
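The request / import / check / enable sequence Simon describes above, as an added PowerShell example that is not part of this thread and is not the author's own script: it assumes the Exchange 2007 Management Shell (where Import-ExchangeCertificate takes -Path, as used in this thread), placeholder file paths under C:\certs, the asker's names from the top of the thread, and a placeholder organisation value in the subject. The SAN check in step 3 finds the CA-issued certificate by the names it covers instead of by a thumbprint copied from the CA's portal, which is the mismatch Simon points out.

```powershell
# Added example, not from the thread. Assumes Exchange 2007 Management Shell,
# placeholder paths under C:\certs, and the asker's names (dolphinteac.com / dt.local).

# 1. Every name a client connects to goes in the SAN list: the public OWA/MX name,
#    autodiscover, the internal FQDN and the NetBIOS name of the Exchange server.
$names = "mail.dolphinteac.com",
         "autodiscover.dolphinteac.com",
         "ad-svr.dt.local",
         "ad-svr"

New-ExchangeCertificate -GenerateRequest `
    -Path "C:\certs\mail_dolphinteac_com.csr" `
    -KeySize 2048 `
    -SubjectName "c=US, s=NC, l=Charlotte, o=Example Org, cn=mail.dolphinteac.com" `
    -DomainName $names `
    -PrivateKeyExportable $true

# 2. After the CA returns the signed certificate, import it on the SAME server that
#    generated the CSR (that is where the private key lives). The thumbprint printed
#    here is the one Exchange knows about, not the one shown on the CA's website.
$imported = Import-ExchangeCertificate -Path "C:\certs\mail_dolphinteac_com.crt"
$imported | Format-List Thumbprint, CertificateDomains, Services, Status

# 3. Locate the CA-issued certificate by the names it covers, then verify that the
#    SAN list contains every required name, that the chain validates and that the
#    private key is present. Each failure is reported before anything is enabled.
$cert = Get-ExchangeCertificate | Where-Object {
    -not $_.IsSelfSigned -and ($_.CertificateDomains -contains "mail.dolphinteac.com")
}
if ($cert -eq $null) {
    throw "No CA-issued certificate for mail.dolphinteac.com is installed on this server."
}
$missing = $names | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) {
    throw "Certificate is missing SAN entries: $($missing -join ', ')"
}
if ($cert.Status -ne "Valid") {
    throw "Certificate status is $($cert.Status); check the issuing chain (RootCAType)."
}
if (-not $cert.HasPrivateKey) {
    throw "Certificate has no private key; import it where the CSR was generated."
}

# 4. Bind the services. This moves IIS/SMTP/POP/IMAP off the self-signed
#    certificate, which then remains listed with no services next to it.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# 5. Confirm which certificate now carries the services.
Get-ExchangeCertificate | Format-List Thumbprint, CertificateDomains, Services, IsSelfSigned
```

Run it step by step rather than as one script the first time: the import in step 2 fails with the "already a certificate with thumbprint" message seen in this thread when the same certificate file is imported twice, and in that case the step 3 lookup is still the right way to recover the thumbprint that Enable-ExchangeCertificate expects.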
Import-ExchangeCertificate -Path "C:\certpath\mail.domain.com.crt"
I receive a message stating "cannot import as there is already a thumbprint with the certificate 4af9....."

From there I run Get-ExchangeCertificate | fl

I get that all are invalid except the very last one.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {ad-svr, ad-svr.cltped.local}
HasPrivateKey      : True
IsSelfSigned       : True
Issuer             : CN=ad-svr
NotAfter           : 8/21/2010 3:06:29 PM
NotBefore          : 8/21/2009 3:06:29 PM
PublicKeySize      : 2048
RootCAType         : None
SerialNumber       : 33275464697AD39F4B17BF95DE620D27
Services           : IMAP, POP, IIS, SMTP
Status             : Valid
Subject            : CN=ad-svr
Thumbprint         : 91042B6A0008A31EFEDA9D59F9B352698AFEAD18

Now, should my actual certificate be listed there with mail.domain.com and netbios.domain.local?

What gives?

Here is my DigiCert-generated CSR command:

New-ExchangeCertificate -GenerateRequest -Path c:\mail_cltpediatricdentistry_com.csr -KeySize 1024 -SubjectName "c=US, s=NC, l=Charlotte, o=, cn=mail.cltpediatricdentistry.com" -DomainName autodiscover.cltpediatricdentistry.com, autodiscover.cltped.local, ad-svr.cltped.local, ad-svr -PrivateKeyExportable $True

ASKER CERTIFIED SOLUTION
Mestha