Solved

SSL Certificates CA - SonicWall & Exchange

Posted on 2010-11-09
Last Modified: 2012-05-10
We have a customer with a brand new network setup that consists of a SonicWall NSA 240 and Exchange 2010 SP1. Exchange is running off of Windows Server 2008 R2.

I'm quite a bit confused with all of the certificate errors we are receiving in browsers and e-mail clients. Here is a list of when the customer sees certificate errors:

When they access:
Public side of SonicWall
Private side of SonicWall
Public side of Exchange OWA
Private side of Exchange OWA
First time connecting to exchange using POP3 or IMAP4 connections.

I have tried creating a new certificate request in Exchange and going into the CA on our DC. From there I select "submit new request". It takes about 10-15 minutes for it to issue the request; I export it to a "binary file" and change the extension to ".cer". When I go to complete the certificate request, it never completes: it takes it with no error message but never changes its status. If I try and import it a second time it gives an error.

On top of all this I'm not confident whatsoever that the request I created in the first place is what I needed. I have read that if the certificate isn't correct for exchange it will break everything.

So my questions are: where should I be getting these certificates issued from? Should I be going to VeriSign for public certificate errors, and then use the internal CA for private certificate errors?

When creating the request, I'm not confident about the information I am entering into the wizard. For example:

Should I be using a "wildcard certificate"? Their domain is rbiology.local; they only have 1 DC/GC and 1 Exchange server (separate from the DC/GC). The Exchange server is called rbio-exch.

If I am supposed to use a wildcard, what would I put for "root domain"? If I am not supposed to use a wildcard, I can tell that I would at least need: OWA service, Web Services, POP/IMAP, and Hub Transport. But I am unsure if I need any of the other services (there's like 20 of them if you drill down every menu). AND THEN it's asking for external host names and internal host names, which I am even further unsure about.

As you can tell I'm very confused, please help! :)
Question by:ne3
11 Comments
LVL 10

Expert Comment

by:Tyler Laczko
ID: 34097752
You need to get your certs from GoDaddy or VeriSign or someone that is certified to give these out. You cannot just create your own and have them trusted. Your "self-signed cert" can be added to clients, but I would highly recommend you get a cert from GoDaddy; it's who I use.
LVL 76

Expert Comment

by:arnold
ID: 34097919
For internal use using a local CA is fine.

You can provide the local CA to those who will be accessing and have them add this certificate as trusted.

Like the prior poster said, you could purchase the SSL certificates for external use from GoDaddy or any other entity selling SSL certificates.

Author Comment

by:ne3
ID: 34097986
Would I need to get 1 certificate for public, and then also get one for private? As in two separate certificates?
LVL 10

Expert Comment

by:Tyler Laczko
ID: 34098031
When you purchase 1 from GoDaddy I think they give you 5.

I would recommend just public.

Author Comment

by:ne3
ID: 34098062
Alright, I wasn't sure if a public certificate could be used for private communication. Are there different types of certificates? Am I going to need one type for OWA, one for SonicWall, one for POP/IMAP4 SSL?
LVL 76

Expert Comment

by:arnold
ID: 34102939
The purpose of an SSL certificate is to provide a way to deal with identity verification and with encrypting/securing the data that will be transmitted between the client and server.


Yes there are different types of certificates.
In your case the same type applies to OWA and POP/IMAP SSL, as these are identity certificates for the purpose of negotiating an SSL/TLS connection.

I'm not sure what type of certificate you need on the SonicWall. Does the certificate deal with accessing the SonicWall management interface? If so, you do not need to buy a certificate; there is no point, since only people authorized to access this interface will be using it, and the self-signed/generated certificate from the SonicWall is enough.


Author Comment

by:ne3
ID: 34103558
We utilize the SSL VPN connection on the SonicWall. The end user has people around the world that will go to the public side of SonicWall and login to the SSL VPN. Would this utilize the same type of Certificate? It sounds like it would because it is also just an identity verification.
LVL 76

Expert Comment

by:arnold
ID: 34103967
Yes, SSL VPN will use the same type of certificate.

Author Comment

by:ne3
ID: 34104414
Thank you so very much for the information, my last question just deals with creating the Exchange Certificate Request.

I am under the assumption this is a required step in getting a GoDaddy public certificate installed to stop the certificate errors. Are you familiar with the certificate request wizard? It asks questions as follows:

Should I be using a "wildcard certificate"? Their domain is rbiology.local; they only have 1 DC/GC and 1 Exchange server (separate from the DC/GC). The Exchange server is called rbio-exch.

If I am supposed to use a wildcard, what would I put for "root domain"? If I am not supposed to use a wildcard, I can tell that I would at least need: OWA service, Web Services, POP/IMAP, and Hub Transport. But I am unsure if I need any of the other services (there's like 20 of them if you drill down every menu). AND THEN it's asking for external host names and internal host names, which I am even further unsure about.
LVL 76

Accepted Solution

by:arnold
(arnold earned 500 total points)
ID: 34104581
The certificate deals with the way the access will be, i.e. if they access it as https://www.theirpublicdomain.com/exchange, the common name you would use is www.theirpublicdomain.com.

I'd use the IIS interface to generate the request; when complete, you can export the key using the certificate interface from MMC.

http://blogs.msdn.com/b/andrekl/archive/2008/09/24/how-to-generate-a-csr-for-an-iis-website-using-the-windows-vista-server-2008-certificates-mmc-plugin.aspx

To use this certificate with SonicWall SSL VPN, you would need to use openssl to convert the PFX/PKCS#12 format into an RSA/DER format that the SonicWall understands.

Wildcard certificates are more expensive, and you have to make sure that the SonicWall can handle wildcard certificates.
I.e. if you need three or four certificates, is their cost equal to or larger than that of the single wildcard certificate you were looking at?

I have not looked at what you were seeing.

Most of the time the difference in certificates deals with enhanced ID.
I.e. the signer will provide an option for a clickable link; when followed, the vendor's site will say yep, this certificate www.yourpublicdomain.com is issued to Your Company Name, at this address, etc.

From the sounds of it, the only thing you are looking for is a simple certificate that gets the user through the SSL connection negotiation without alerts that the certificate is from an untrusted source.

If, however, the access is only by internal folks from the outside, I would go with using an internal CA and have each user add the internal CA's public certificate as trusted.

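The two mechanical steps in the accepted answer (a request whose common name is the public hostname users actually type, and converting the PFX/PKCS#12 exported from the Windows certificate MMC into a separate PEM key and DER certificate for the SonicWall), as an added shell example that is not from this thread, from SonicWall or from Microsoft. It assumes only that the openssl command-line tool is installed; the hostnames, the export password and the self-signed PFX it builds to stand in for the MMC export are all constructed for the demonstration. It goes one step beyond the answer by checking that the extracted key and certificate share the same RSA modulus before anything is uploaded, which catches the mistake of pairing the key from one request with a certificate issued against a different one (the symptom the question describes, a completion that silently never takes).

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is on PATH.
# All names, passwords and the .pfx used below are constructed for the demo.

# Step 1: a CSR with CN = public hostname and a SAN list for the other names.
# $1 = output dir, $2 = common name, $3 = comma-separated extra DNS names
make_csr() {
  dir=$1; cn=$2; sans=$3
  san_list="DNS:$cn"
  for n in $(printf '%s' "$sans" | tr ',' ' '); do san_list="$san_list,DNS:$n"; done
  # config file instead of -addext so it also works on older openssl builds
  cat > "$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $san_list
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/csr.key" \
    -out "$dir/request.csr" -config "$dir/csr.cnf" 2>/dev/null
}

# Constructed stand-in for the .pfx exported from the Windows certificate MMC:
# a self-signed certificate and its key bundled as PKCS#12 with a password.
make_test_pfx() {
  dir=$1; password=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=www.theirpublicdomain.com" \
    -keyout "$dir/orig.key" -out "$dir/orig.crt" 2>/dev/null
  openssl pkcs12 -export -in "$dir/orig.crt" -inkey "$dir/orig.key" \
    -out "$dir/export.pfx" -passout "pass:$password"
}

# Step 2: PKCS#12 -> unencrypted PEM private key + PEM and DER certificate.
# $1 = .pfx path, $2 = export password, $3 = output dir
pfx_to_pem_der() {
  pfx=$1; password=$2; out=$3
  mkdir -p "$out"
  # private key only, decrypted (-nodes) so the appliance can load it
  openssl pkcs12 -in "$pfx" -passin "pass:$password" -nocerts -nodes \
    -out "$out/key_with_attrs.pem" 2>/dev/null
  # re-encode to strip the PKCS#12 bag attributes and leave a bare key
  openssl rsa -in "$out/key_with_attrs.pem" -out "$out/key.pem" 2>/dev/null
  rm -f "$out/key_with_attrs.pem"
  # leaf certificate only: no key, no CA chain
  openssl pkcs12 -in "$pfx" -passin "pass:$password" -clcerts -nokeys \
    -out "$out/cert.pem" 2>/dev/null
  # the same certificate in DER encoding
  openssl x509 -in "$out/cert.pem" -outform DER -out "$out/cert.der"
}

# Sanity check before uploading: a key and certificate belong together only
# if their RSA moduli are identical. Exit status 0 on match, 1 otherwise.
key_matches_cert() {
  key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  crt_mod=$(openssl x509 -noout -modulus -in "$2")
  [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# Demo run in a scratch directory.
work=$(mktemp -d)
make_csr "$work" www.theirpublicdomain.com \
  "mail.theirpublicdomain.com,autodiscover.theirpublicdomain.com"
openssl req -in "$work/request.csr" -noout -subject
make_test_pfx "$work" changeit
pfx_to_pem_der "$work/export.pfx" changeit "$work/sonicwall"
if key_matches_cert "$work/sonicwall/key.pem" "$work/sonicwall/cert.pem"; then
  echo "key and certificate match; upload $work/sonicwall/key.pem and cert.der"
else
  echo "MISMATCH: do not upload this pair" >&2
fi
```

The CSR here lists the public hostname as the CN and the mailbox and autodiscover names as SANs; the real names come from whatever the customer's public DNS will be. One caveat on the key format: OpenSSL 3 writes keys with a "BEGIN PRIVATE KEY" (PKCS#8) header by default, and if an appliance insists on the older "BEGIN RSA PRIVATE KEY" form, `openssl rsa -traditional` produces it on those builds.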

Author Closing Comment

by:ne3
ID: 34115866
Thanks for answering all my questions.