
SSL Certificates CA - SonicWall & Exchange

We have a customer with a brand new network setup that consists of a SonicWall NSA 240 and Exchange 2010 SP1. Exchange is running off of Windows Server 2008 R2.

I'm quite a bit confused with all of the certificate errors we are receiving in browsers and e-mail clients. Here is a list of when the customer sees certificate errors:

When they access:
Public side of SonicWall
Private side of SonicWall
Public side of Exchange OWA
Private side of Exchange OWA
First time connecting to exchange using POP3 or IMAP4 connections.

I have tried creating a new certificate request in Exchange and going into the CA on our DC. From there I select "submit new request". It takes about 10-15 minutes for it to issue the request, I export it to a "binary file" and change the extension to ".cer". When I go to complete the certificate request, it never completes; it takes it with no error message but never changes its status. If I try and import it a second time it gives an error.

On top of all this I'm not confident whatsoever that the request I created in the first place is what I needed. I have read that if the certificate isn't correct for exchange it will break everything.

So my questions are: where should I be getting these certificates issued from? Should I be going to Verisign for the public certificate errors, and then use the internal CA for the private certificate errors?

When creating the request, I'm not confident about the information I am entering into the wizard. For example:

Should I be using a "wildcard certificate"? Their domain is rbiology.local, they only have 1 DC/GC and 1 Exchange server (separate from DC/GC). The Exchange server is called rbio-exch.

If I am supposed to use a wildcard, what would I put for "root domain"? If I am not supposed to use a wildcard, I can tell that I would at least need: OWA service, Web Services, POP/IMAP, and Hub Transport. But I am unsure if I need any of the other services (there's like 20 of them if you drill down every menu). AND THEN it's asking for external host names and internal host names, which I am even further unsure about.

As you can tell I'm very confused, please help! :)
Asked: ne3
1 Solution
 
Tyler Laczko Commented:
You need to get your certs from GoDaddy or Verisign or someone that is certified to give these out. You cannot just create your own and have them trusted. Your "self-signed cert" can be added to clients, but I would highly recommend you get a cert from GoDaddy; it's who I use.
 
arnold Commented:
For internal use using a local CA is fine.

You can provide the local CA to those who will be accessing and have them add this certificate as trusted.

Like the prior poster said, you could purchase the SSL certificates for external use from GoDaddy or any other entity selling SSL certificates.
 
ne3 (Author) Commented:
Would I need to get 1 certificate for public, and then also get one for private? As in two separate certificates?
 
Tyler Laczko Commented:
When you purchase 1 from GoDaddy I think they give you 5.

I would recommend just public.
 
ne3 (Author) Commented:
Alright, I wasn't sure if a public certificate could be used for private communication. Are there different types of certificates? Am I going to need one type for OWA, one for SonicWall, one for POP/IMAP4 SSL?
 
arnold Commented:
The purpose of an SSL certificate is to deal with identity verification and with encrypting/securing the data that will be transmitted between the client and server.


Yes there are different types of certificates.
In your case the same type applies to OWA and POP/IMAP SSL, as these are identity certificates for the purpose of negotiating an SSL/TLS connection.

I'm not sure what type of certificate you need on the SonicWall. Does the certificate deal with accessing the SonicWall management interface? If so, you do not need to buy a certificate, since only people authorized to access this interface will be using it; the self-signed/generated certificate from the SonicWall is enough.
 
ne3 (Author) Commented:
We utilize the SSL VPN connection on the SonicWall. The end user has people around the world that will go to the public side of SonicWall and login to the SSL VPN. Would this utilize the same type of Certificate? It sounds like it would because it is also just an identity verification.
 
arnold Commented:
Yes, SSL VPN will use the same type of certificate.
 
ne3 (Author) Commented:
Thank you so very much for the information, my last question just deals with creating the Exchange Certificate Request.

I am under the assumption this is a required step in getting a GoDaddy public certificate installed to stop the certificate errors. Are you familiar with the certificate request wizard? It asks questions as follows:

Should I be using a "wildcard certificate"? Their domain is rbiology.local, they only have 1 DC/GC and 1 Exchange server (separate from DC/GC). The Exchange server is called rbio-exch.

If I am supposed to use a wildcard, what would I put for "root domain"? If I am not supposed to use a wildcard, I can tell that I would at least need: OWA service, Web Services, POP/IMAP, and Hub Transport. But I am unsure if I need any of the other services (there's like 20 of them if you drill down every menu). AND THEN it's asking for external host names and internal host names, which I am even further unsure about.
 
arnold Commented:
The certificate deals with the way the access will be, i.e. if they access it as https://www.theirpublicdomain.com/exchange
the common name you would use is www.theirpublicdomain.com

I'd use the IIS interface to generate the request; when complete, you can export the key using the certificate interface from mmc.

http://blogs.msdn.com/b/andrekl/archive/2008/09/24/how-to-generate-a-csr-for-an-iis-website-using-the-windows-vista-server-2008-certificates-mmc-plugin.aspx

To use this certificate with SonicWall SSL VPN, you would need to use openssl to convert the PFX (PKCS#12) format into an RSA/DER format that the SonicWall understands.

Wildcard certificates are more expensive, and you have to make sure that the SonicWall can handle wildcard certificates.
I.e. if you need three or four certificates, is their cost equal to or larger than the single wildcard certificate that you were looking at?

I have not looked at what you were seeing.

Most of the time the difference in certificates deals with enhanced ID.
I.e. the signer will provide an option for a clickable link; when followed, the vendor's site will say yep, this certificate www.yourpublicdomain.com is issued to Your Company Name, at this address, etc.

From the sounds of it, the only thing you are looking for is a simple certificate that gets the user through the SSL connection negotiation without alerts that the certificate is from an untrusted source.

If however the access is only by internal folks from the outside, I would go with using an internal CA and have each user add the internal CA's public certificate as trusted.

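The two mechanical steps in the answer above, building a certificate request whose common name is the public access name (with the internal names the wizard asks about carried as Subject Alternative Names) and splitting the CA-returned PFX into the PEM certificate and key needed for a SonicWall import, as an added openssl example that is not from the thread. It assumes openssl is on the PATH; the host names are constructed placeholders, and the exact key format a given SonicWall firmware accepts should be confirmed in its documentation.

```shell
#!/bin/sh
# Added example, not from the original thread. Host names are constructed.
set -eu

WORK=${WORK:-$(mktemp -d)}

# make_csr CN [extra DNS names...]
# CN is the public name users type into the browser (the certificate's common
# name); the extra names (internal FQDN, short host name, autodiscover, ...)
# go into subjectAltName so one certificate covers inside and outside access.
# Writes the private key to $WORK/exch.key and prints the CSR path.
make_csr() {
  cn=$1; shift
  san="DNS:$cn"
  for n in "$@"; do san="$san,DNS:$n"; done
  cat > "$WORK/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/exch.key" \
    -out "$WORK/exch.csr" -config "$WORK/csr.cnf" 2>/dev/null
  echo "$WORK/exch.csr"
}

# csr_names CSR: list the DNS names the request asks for, one per line.
# Use this to check the request before paying a CA for it.
csr_names() {
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# pfx_to_pem PFX PASSWORD CERT_OUT KEY_OUT
# Splits a PKCS#12 bundle (as exported from the Windows certificate MMC) into
# a PEM certificate and an unencrypted PEM private key, the pair most
# appliance SSL VPN imports ask for.
pfx_to_pem() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4.tmp" 2>/dev/null
  openssl pkey -in "$4.tmp" -out "$4" 2>/dev/null   # drop the "Bag Attributes" header
  rm -f "$4.tmp"
}
```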
 
ne3 (Author) Commented:
Thanks for answering all my questions.