Solved

SSL Certificates CA - SonicWall & Exchange

Posted on 2010-11-09
Last Modified: 2012-05-10
We have a customer with a brand new network setup that consists of a SonicWall NSA 240 and Exchange 2010 SP1. Exchange is running off of Windows Server 2008 R2.

I'm quite a bit confused with all of the certificate errors we are receiving in browsers and e-mail clients. Here is a list of when the customer sees certificate errors:

When they access:
Public side of SonicWall
Private side of SonicWall
Public side of Exchange OWA
Private side of Exchange OWA
First time connecting to Exchange using POP3 or IMAP4 connections.

I have tried creating a new certificate request in Exchange and going into the CA on our DC. From there I select "submit new request". It takes about 10-15 minutes for it to issue the request; I export it to a "binary file" and change the extension to ".cer". When I go to complete the certificate request, it never completes: it takes it with no error message but never changes its status. If I try and import it a second time it gives an error.

On top of all this I'm not confident whatsoever that the request I created in the first place is what I needed. I have read that if the certificate isn't correct for exchange it will break everything.

So my questions are: where should I be getting these certificates issued from? Should I be going to VeriSign for public certificate errors, and then use the internal CA for private certificate errors?

When creating the request, I'm not confident about the information I am entering into the wizard. For example:

Should I be using a "wildcard certificate"? Their domain is rbiology.local; they only have 1 DC/GC and 1 Exchange server (separate from DC/GC). The Exchange server is called rbio-exch.

If I am supposed to use a wildcard, what would I put for "root domain"? If I am not supposed to use a wildcard, I can tell that I would at least need: OWA service, Web Services, POP/IMAP, and Hub Transport. But I am unsure if I need any of the other services (there are like 20 of them if you drill down every menu). AND THEN it's asking for external host names and internal host names, which I am even further unsure about.

As you can tell I'm very confused, please help! :)
Question by:ne3
11 Comments
 
LVL 10

Expert Comment

by:Tyler Laczko
ID: 34097752
You need to get your certs from GoDaddy or VeriSign or someone that is certified to give these out. You cannot just create your own and have them trusted. Your "self-signed cert" can be added to clients, but I would highly recommend you get a cert from GoDaddy; it's who I use.
 
LVL 80

Expert Comment

by:arnold
ID: 34097919
For internal use using a local CA is fine.

You can provide the local CA to those who will be accessing and have them add this certificate as trusted.

Like the prior poster, you could purchase the SSL certificates for external use from GoDaddy or any other entity selling SSL certificates.
 

Author Comment

by:ne3
ID: 34097986
Would I need to get 1 certificate for public, and then also get one for private? As in two separate certificates?
 
LVL 10

Expert Comment

by:Tyler Laczko
ID: 34098031
When you purchase 1 from GoDaddy I think they give you 5.

I would recommend just public.
 

Author Comment

by:ne3
ID: 34098062
Alright, I wasn't sure if a public certificate could be used for private communication. Are there different types of certificates? Am I going to need one type for OWA, one for SonicWall, one for POP/IMAP4 SSL?
 
LVL 80

Expert Comment

by:arnold
ID: 34102939
The purpose of an SSL certificate is for a way to deal with identity verification and encrypting/securing the data that will be transmitted between the client and server.


Yes there are different types of certificates.
In your case the same type applies to the OWA and POP/IMAP SSL, as these are identity certificates for the purpose of negotiating an SSL/TLS connection.

I'm not sure what type of certificate you need on the SonicWall. Does the certificate deal with accessing the SonicWall management interface? If so, you do not need to buy a certificate; there is no point, since only people authorized to access this interface will be using it, and the self-signed/generated certificate from the SonicWall is enough.
 

Author Comment

by:ne3
ID: 34103558
We utilize the SSL VPN connection on the SonicWall. The end user has people around the world that will go to the public side of SonicWall and login to the SSL VPN. Would this utilize the same type of Certificate? It sounds like it would because it is also just an identity verification.
 
LVL 80

Expert Comment

by:arnold
ID: 34103967
Yes, SSL VPN will use the same type of certificate.
 

Author Comment

by:ne3
ID: 34104414
Thank you so very much for the information, my last question just deals with creating the Exchange Certificate Request.

I am under the assumption this is a required step in getting a GoDaddy public certificate installed to stop the certificate errors. Are you familiar with the certificate request wizard? It asks questions as follows:

Should I be using a "wildcard certificate"? Their domain is rbiology.local; they only have 1 DC/GC and 1 Exchange server (separate from DC/GC). The Exchange server is called rbio-exch.

If I am supposed to use a wildcard, what would I put for "root domain"? If I am not supposed to use a wildcard, I can tell that I would at least need: OWA service, Web Services, POP/IMAP, and Hub Transport. But I am unsure if I need any of the other services (there are like 20 of them if you drill down every menu). AND THEN it's asking for external host names and internal host names, which I am even further unsure about.
 
LVL 80

Accepted Solution

by:arnold (earned 2000 total points)
ID: 34104581
The certificate deals with the way the access will be, i.e. if they access it as https://www.theirpublicdomain.com/exchange, the common name you would use is www.theirpublicdomain.com.

I'd use the IIS interface to generate the request; when complete, you can export the key using the certificate interface from MMC.

http://blogs.msdn.com/b/andrekl/archive/2008/09/24/how-to-generate-a-csr-for-an-iis-website-using-the-windows-vista-server-2008-certificates-mmc-plugin.aspx

To use this certificate with SonicWall SSL VPN, you would need to use openssl to convert the pfx (PKCS#12) format into an RSA/DER format that the SonicWall understands.

Wildcard certificates are more expensive, and you have to make sure that the SonicWall can handle wildcard certificates. I.e., if you need three or four certificates, is their cost equal to or larger than that of the single wildcard certificate you were looking at?

I have not looked at what you were seeing.

Most of the time the difference in certificates deals with enhanced ID, i.e. the signer will provide an option for a clickable link; when followed, the vendor's site will say yep, this certificate www.yourpublicdomain.com is issued to Your Company Name, at this address, etc.

From the sounds of it, the only thing you are looking for is a simple certificate that gets the user through the SSL connection negotiation without alerts that the certificate is from an untrusted source.

If, however, the access is only by internal folks from the outside, I would go with using an internal CA and have each user add the internal CA's public certificate as trusted.
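The openssl conversion arnold refers to, worked through as an added example that is not part of the thread or of SonicWall's own documentation: it builds a throwaway self-signed certificate for www.theirpublicdomain.com (a constructed stand-in for the CA-issued one), wraps it as a .pfx the way the Windows MMC export would, splits it back into the PEM key, PEM certificate and DER certificate, and then checks that the certificate really names the host users type and that the extracted key belongs to it. The hostname and export password are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Round-trips a PKCS#12 (.pfx) bundle
# into the separate key/certificate files a SonicWall-style import expects,
# then verifies names and key/cert pairing before anything is uploaded.
set -e
HOST="www.theirpublicdomain.com"   # assumption: the public name from the answer
PFX_PASS="changeit"                # constructed placeholder export password
WORK="${TMPDIR:-/tmp}/pfx-demo.$$"
mkdir -p "$WORK"

# Build a throwaway self-signed cert so the example runs offline. In real use
# the .pfx comes from the Windows MMC export after the CA signed the IIS CSR.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" \
        -keyout "$WORK/sample.key" -out "$WORK/sample.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/sample.key" -in "$WORK/sample.crt" \
        -passout "pass:$PFX_PASS" -out "$WORK/sample.pfx"
    echo "$WORK/sample.pfx"
}

# Split a .pfx into: private key (PEM), certificate (PEM), certificate (DER).
split_pfx() {
    pfx="$1"
    openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -nocerts -nodes \
        -out "$WORK/server.key" 2>/dev/null
    openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -clcerts -nokeys \
        -out "$WORK/server.pem" 2>/dev/null
    openssl x509 -in "$WORK/server.pem" -outform DER -out "$WORK/server.der"
    chmod 600 "$WORK/server.key"   # the key is the secret: owner-readable only
}

# Print the names the certificate is valid for (subject CN plus SAN entries).
cert_names() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# Succeeds only if the certificate covers the hostname users connect to;
# a mismatch here is exactly what produces the browser warnings in the question.
cert_covers_host() {
    cert_names "$1" | grep -q "$2"
}

# Succeeds only if the extracted key and certificate share the same RSA modulus.
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}
```

Run `split_pfx` on the real export and keep `server.key` off shared storage; only `server.pem` or `server.der` needs to travel.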
 

Author Closing Comment

by:ne3
ID: 34115866
Thanks for answering all my questions.