Solved

SSL Certificates CA - SonicWall & Exchange

Posted on 2010-11-09
11
1,831 Views
Last Modified: 2012-05-10
We have a customer with a brand new network setup that consists of a SonicWall NSA 240 and Exchange 2010 SP1. Exchange is running off of Windows Server 2008 R2.

I'm quite a bit confused with all of the certificate errors we are receiving in browsers and e-mail clients. Here is a list of when the customer sees certificate errors:

When they access:
Public side of SonicWall
Private side of SonicWall
Public side of Exchange OWA
Private side of Exchange OWA
First time connecting to exchange using POP3 or IMAP4 connections.

I have tried creating a new certificate request in Exchange and going into the CA on our DC. From there I select "submit new request". It takes about 10-15 minutes for it to issue the request; I export it to a "binary file" and change the extension to ".cer". When I go to complete the certificate request, it never completes: it takes it with no error message but never changes its status. If I try and import it a second time it gives an error.

On top of all this I'm not confident whatsoever that the request I created in the first place is what I needed. I have read that if the certificate isn't correct for exchange it will break everything.

So my questions are: where should I be getting these certificates issued from? Should I be going to VeriSign for the public certificate errors, and then use the internal CA for the private certificate errors?

When creating the request, I'm not confident about the information I am entering into the wizard. For example:

Should I be using a "wildcard certificate"? Their domain is rbiology.local; they only have 1 DC/GC and 1 Exchange server (separate from the DC/GC). The Exchange server is called rbio-exch.

If I am supposed to use a wildcard, what would I put for "root domain"? If I am not supposed to use a wildcard, I can tell that I would at least need: OWA service, Web Services, POP/IMAP, and Hub Transport. But I am unsure if I need any of the other services (there are like 20 of them if you drill down every menu). AND THEN it's asking for external host names and internal host names, which I am even further unsure about.

As you can tell I'm very confused, please help! :)
0
Question by:ne3
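The request/complete/enable sequence the question describes, done from the Exchange Management Shell instead of the wizard, as an added example that is not part of the original thread. It is meant to run on the Exchange 2010 server from the question (rbio-exch, domain rbiology.local); the public host names, the O= field and the file paths are assumptions. The -DomainName list is the Subject Alternative Name list that the wizard's "external host names" and "internal host names" pages are building, so every name a client will type (or be redirected to by Autodiscover) has to be in it.

```powershell
# Added example (not from the original thread). Run in the Exchange Management Shell on the
# Exchange 2010 server (rbio-exch). The public names, the O= field and the paths are
# assumptions; rbio-exch and rbiology.local come from the question.
$publicNames   = 'mail.theirpublicdomain.com', 'autodiscover.theirpublicdomain.com'  # assumed
$internalNames = 'rbio-exch', 'rbio-exch.rbiology.local'
$reqPath = 'C:\certs\rbio-exch.req'   # CSR to submit to the CA
$cerPath = 'C:\certs\rbio-exch.cer'   # signed certificate the CA returns (DER or Base64)

# 1. Generate the request. The first public name becomes the Subject CN, and every name
#    (CN included) goes into -DomainName, i.e. the Subject Alternative Names. A client gets
#    a name-mismatch error for any host name that is not in this list.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Assumed Org Name, CN=$($publicNames[0])" `
    -DomainName ($publicNames + $internalNames) `
    -KeySize 2048 -PrivateKeyExportable $true `
    -FriendlyName 'rbio-exch Exchange 2010'
Set-Content -Path $reqPath -Value $csr
# Submit $reqPath to the CA and save the issued certificate as $cerPath, then continue.

# 2. A request can only be completed on the server that generated it, because completing
#    it pairs the returned certificate with the private key stored with the pending
#    request. Check that the pending request is actually on this server before importing.
$pending = Get-ExchangeCertificate | Where-Object { $_.Status -eq 'PendingRequest' }
if (-not $pending) { throw 'No pending request on this server; generate the CSR here first.' }

# 3. Complete the request (this is the step the wizard's "Complete Pending Request" does).
$cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0))

# 4. Confirm the issued certificate carries every name you asked for before binding it;
#    a name that is missing here will keep producing certificate errors.
$issued  = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
$missing = @(($publicNames + $internalNames) | Where-Object { $issued -notcontains $_ })
if ($missing.Count -gt 0) { throw "Certificate is missing names: $($missing -join ', ')" }

# 5. Bind it to the services that showed errors. OWA, EWS, ActiveSync and Autodiscover all
#    run under IIS; POP and IMAP are the mail-client protocols; SMTP covers Hub Transport TLS.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,POP,IMAP,SMTP'
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List FriendlyName, Thumbprint, Status, Services, CertificateDomains, NotAfter, IsSelfSigned
```

The same cmdlets apply whether the CA is GoDaddy/VeriSign or the internal AD CS on the DC. One caveat that postdates the thread: since 2015 the CA/Browser Forum Baseline Requirements forbid public CAs from issuing certificates that contain internal names such as rbio-exch or rbiology.local, so with a current public CA the internal names either come from the internal CA or internal clients are pointed at the public name via split DNS.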
11 Comments
 
LVL 10

Expert Comment

by:Tyler Laczko
ID: 34097752
You need to get your certs from GoDaddy or VeriSign or someone that is certified to give these out. You cannot just create your own and have them trusted. Your "self-signed cert" can be added to clients, but I would highly recommend you get a cert from GoDaddy; it's who I use.
0
 
LVL 79

Expert Comment

by:arnold
ID: 34097919
For internal use using a local CA is fine.

You can provide the local CA to those who will be accessing and have them add this certificate as trusted.

As the prior poster said, you could purchase the SSL certificates for external use from GoDaddy or any other entity selling SSL certificates.
0
 

Author Comment

by:ne3
ID: 34097986
Would I need to get 1 certificate for public, and then also get one for private? As in two separate certificates?
0
 
LVL 10

Expert Comment

by:Tyler Laczko
ID: 34098031
When you purchase 1 from GoDaddy I think they give you 5.

I would recommend just public.
0
 

Author Comment

by:ne3
ID: 34098062
Alright, I wasn't sure if a public certificate could be used for private communication. Are there different types of certificates? Am I going to need one type for OWA, one for SonicWall, one for POP/IMAP4 SSL?
0
 
LVL 79

Expert Comment

by:arnold
ID: 34102939
The purpose of an SSL certificate is to provide identity verification and to encrypt/secure the data that will be transmitted between the client and server.


Yes, there are different types of certificates.
In your case the same type applies to OWA and POP/IMAP SSL, as these are identity certificates for the purpose of negotiating an SSL/TLS connection.

I'm not sure what type of certificate you need on the SonicWall. Does the certificate deal with accessing the SonicWall management interface? If so, you do not need to buy a certificate, since only people authorized to access this interface will be using it; the self-signed/generated certificate from the SonicWall is enough.

0
 

Author Comment

by:ne3
ID: 34103558
We utilize the SSL VPN connection on the SonicWall. The end user has people around the world that will go to the public side of SonicWall and login to the SSL VPN. Would this utilize the same type of Certificate? It sounds like it would because it is also just an identity verification.
0
 
LVL 79

Expert Comment

by:arnold
ID: 34103967
Yes, SSL VPN will use the same type of certificate.
0
 

Author Comment

by:ne3
ID: 34104414
Thank you so very much for the information, my last question just deals with creating the Exchange Certificate Request.

I am under the assumption this is a required step in getting a godaddy public certificate installed to stop the certificate errors. Are you familiar with the certificate request wizard? It asks questions as follows:

Should I be using a "wildcard certificate"? Their domain is rbiology.local; they only have 1 DC/GC and 1 Exchange server (separate from the DC/GC). The Exchange server is called rbio-exch.

If I am supposed to use a wildcard, what would I put for "root domain"? If I am not supposed to use a wildcard, I can tell that I would at least need: OWA service, Web Services, POP/IMAP, and Hub Transport. But I am unsure if I need any of the other services (there are like 20 of them if you drill down every menu). AND THEN it's asking for external host names and internal host names, which I am even further unsure about.
0
 
LVL 79

Accepted Solution

by: arnold (earned 500 total points)
ID: 34104581
The certificate deals with the way the access will be, i.e. if they access it as https://www.theirpublicdomain.com/exchange, the common name you would use is www.theirpublicdomain.com.

I'd use the IIS interface to generate the request; when complete, you can export the key using the certificate interface from MMC.

http://blogs.msdn.com/b/andrekl/archive/2008/09/24/how-to-generate-a-csr-for-an-iis-website-using-the-windows-vista-server-2008-certificates-mmc-plugin.aspx

To use this certificate with the SonicWall SSL VPN, you would need to use OpenSSL to convert the PFX (PKCS#12) format into an RSA/DER format that the SonicWall understands.

Wildcard certificates are more expensive, and you have to make sure that the SonicWall can handle wildcard certificates,
i.e. if you need three or four certificates, is their cost equal to or larger than that of the single wildcard certificate you were looking at?

I have not looked at what you were seeing.

Most of the time the difference between certificates deals with enhanced ID,
i.e. the signer will provide an option for a clickable link; when followed, the vendor's site will say yep, this certificate www.yourpublicdomain.com is issued to Your Company Name, at this address etc.

From the sounds of it the only thing you are looking for is a simple certificate that gets the user through the SSL connection negotiation without alerts that the certificate is from an untrusted source.

If however the access is only by internal folks from the outside, I would go with using an internal CA and have each user add the internal CA's public certificate as trusted.

0
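The export-and-convert step from the accepted answer (PFX out of Exchange, OpenSSL conversion for the SonicWall SSL VPN), as an added example that is not part of the original thread. It runs in the Exchange Management Shell on the Exchange server and calls openssl.exe; the thumbprint, the directory and the OpenSSL install path are assumptions, and the files it produces are PEM (certificate, issuing chain, traditional RSA private key), which is the form appliance imports generally accept. It also assumes the SonicWall's public VPN host name is already one of the names in the certificate; if it is not, VPN users will get a name-mismatch warning no matter how the key is converted.

```powershell
# Added example (not from the original thread). Export the Exchange certificate with its
# private key as PKCS#12 and split it with OpenSSL into the PEM files for the SonicWall.
# The thumbprint, the directory and the openssl.exe location are assumptions.
$thumb   = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed; take it from Get-ExchangeCertificate
$dir     = 'C:\certs'
$pfx     = "$dir\rbio-exch.pfx"
$openssl = 'C:\OpenSSL-Win32\bin\openssl.exe'        # assumed install path
$secure  = Read-Host -AsSecureString 'PFX export password'

# 1. Export from Exchange. This only works if the key was generated with
#    -PrivateKeyExportable $true; otherwise the key cannot leave this server at all.
$export = Export-ExchangeCertificate -Thumbprint $thumb -BinaryEncoded:$true -Password $secure
Set-Content -Path $pfx -Value $export.FileData -Encoding Byte

# 2. Hand the password to OpenSSL through the environment rather than on the command line,
#    so it does not appear in process listings or shell history.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$env:PFXPW = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# 3. Split the container: leaf certificate, issuing chain, private key. pkcs12 writes the key
#    as PKCS#8 ("BEGIN PRIVATE KEY"); 'openssl rsa' rewrites it as "BEGIN RSA PRIVATE KEY",
#    the traditional form most appliances expect. -nodes leaves the key unencrypted, which
#    appliance imports usually require, so treat server.key as a secret and delete it after upload.
& $openssl pkcs12 -in $pfx -clcerts -nokeys -passin env:PFXPW -out "$dir\server.crt"
& $openssl pkcs12 -in $pfx -cacerts -nokeys -passin env:PFXPW -out "$dir\chain.crt"
& $openssl pkcs12 -in $pfx -nocerts -nodes  -passin env:PFXPW -out "$dir\server.p8"
& $openssl rsa -in "$dir\server.p8" -out "$dir\server.key"
Remove-Item "$dir\server.p8"        # intermediate unencrypted copy of the key
Remove-Item Env:\PFXPW

# 4. Checks before uploading: the key must belong to this certificate (same RSA modulus),
#    and the subject, validity dates and DNS names should be what VPN users will see.
$certMod = & $openssl x509 -noout -modulus -in "$dir\server.crt"
$keyMod  = & $openssl rsa  -noout -modulus -in "$dir\server.key"
if ($certMod -ne $keyMod) { throw 'server.key does not match server.crt' }
& $openssl x509 -noout -subject -issuer -dates -in "$dir\server.crt"
(& $openssl x509 -noout -text -in "$dir\server.crt") | Select-String 'DNS:'
```

Upload server.crt and server.key as the appliance's certificate and chain.crt as the intermediate(s); without the chain, clients that do not already hold the CA's intermediate certificate will still report the certificate as untrusted even though the leaf is from a public CA.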
 

Author Closing Comment

by:ne3
ID: 34115866
Thanks for answering all my questions.
0
