More than one certificate / More than one domain

This is a problem that I was reminded of today when my self-signed security certificate expired.

I have a MS Exchange 2007 environment on a Windows 2008 server.  When Exchange was installed, and initially configured, it came up with the standard self-signed certificate.  We have been running on that for a year with only one problem.  When the users access their mail through OWA, they receive a certificate error.

Is it possible to have two domains referenced in a self-signed certificate? (servername.internaldomain.local, mail.externaldomain.com)

If so, what is the process to get there?  I had to use the Exchange Management Shell today to get the thumbprint, create a new cert thumbprint, and enable the IIS service (after verifying the others were listed).  That process uses all the existing information.

Is there a similar process that will allow me to have both "domains" in the certificate without having to go out and pay a third party?

Thanks.
tcampbell_nc asked:
FirstSentinel commented:
Run two different IPs on the server.  Assign DNS MX records to each IP, and a PTR (reverse lookup) record to each IP.

Visit a free SSL certificate authority such as CAcert.
Sign up both domains and issue your own certificates (they provide step-by-step instructions).

Set up IIS with a separate URL, or separate redirectors to the correct address, for OWA.
Assign your certs.

Voila!

If you assign an internal SSL cert, you will have to build an internal cert authority (a lot of trouble).
But if you have both of your domain FQDNs registered, then CAcert gives you REAL SSL certificates.
For browser clients to use the new root authority, see this link:
CAcert: add to browser clients
tcampbell_nc (author) commented:
I am sorry, but that does not answer my question.

My question is:

Can I assign an internal and external domain to a single self-signed certificate to prevent these OWA certificate errors.  I don't want to have to do a back-flip with multiple IP addresses, and redirectors, and DNS changes, (etc.)

From my limited knowledge, I have seen where to use the shell's "New-ExchangeCertificate" command, which allows you to include multiple domains.  This command, from what I have read, generates a file that you send to a third-party certificate provider.  I want to know if I can use that command, or some similar command, to generate a new certificate that contains multiple domains.

Thanks
Fingo11 commented:
Providing a SAN (Subject Alternative Name) on a certificate generated by a public authority will give you the ability to use both domain names, such as domain.com and domain.local, making both names valid on the certificate.  The problem with a self-signed certificate is that it is self-signed and not recognized by anyone accessing the server from outside your domain.  You can save yourself some grief by just spending the 40 bucks or so to get a certificate from GoDaddy or somewhere else that includes your internal domain name as well as the external name.  I ran into the same issue setting up Remote Desktop Services with RemoteApps.

Hope this helps!

tcampbell_nc (author) commented:
We are getting closer here.

I understand your comments regarding self-signed certificates (not recognized by anyone from outside).  

In this case, the server is behind a PIX firewall, controls the firm's document management and is the Exchange server.  I really do not care if anyone outside the firm can access the server.  The mail is directed in from a third-party spam / virus filtering service, so our MX records point to them.  Our website is hosted off-site.  The only thing that needs access to the server from off the network is the attorneys wanting to access their mail through OWA. When they do, they get a certificate error since the outside and inside domains do not match.

So, is there any REAL disadvantage to using a self-signed certificate?

I am aware that a SAN will give me the ability to certificate multiple domains, but will a self-signed certificate allow me to do so?

Thanks
FirstSentinel commented:
This solution is for installing a cert where the outside works but the internal users were getting "invalid security certificate".

first you need to look this:
http://support.microsoft.com/kb/940726

And you can read here more:
http://social.technet.microsoft.com/...7f703f/#page:2

Then do this:

First you create a new DNS zone in your DNS server using the address configured in your commercial certificate, let's say: mail.superattorney.com

Then you create a Host (A) record pointing to your mail server's IP:
mail.superattorney.com 192.168.0.5

Then you just change the following values through the Exchange shell console:

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.superattorney.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.superattorney.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.superattorney.com/oab

Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.superattorney.com/unifiedmessaging/service.asmx

*Please note that you must change "CAS_Server_Name" to your Exchange server name and mail.superattorney.com to the correct address.
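A check that belongs right after the split-DNS and InternalUrl changes above, added here as an example and not part of FirstSentinel's post: it collects every URL Exchange 2007 advertises to clients (Autodiscover, EWS, OAB, OWA, ActiveSync) and compares each host name against the Subject Alternative Names of the certificate currently enabled for IIS. Any host reported as MISSING is one that will trigger the "issued for a different website's address" warning no matter which CA signed the certificate. The cmdlets and properties are the Exchange 2007 ones; the script assumes a single Client Access server and is run from the Exchange Management Shell on it.

```powershell
# Added example: not from the original thread. Run in the Exchange 2007
# Management Shell on the Client Access server. Assumes one CAS.

function Get-ClientFacingHosts {
    # Every URL Exchange hands to Outlook/OWA/ActiveSync clients. A host name
    # here that is absent from the IIS certificate's SAN produces the
    # "issued for a different website's address" error in the browser.
    $uris = @()
    $uris += (Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri })
    $dirs = @(Get-WebServicesVirtualDirectory) + @(Get-OabVirtualDirectory) +
            @(Get-OwaVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory)
    foreach ($d in $dirs) { $uris += $d.InternalUrl; $uris += $d.ExternalUrl }
    # Drop unset URLs; keep unique, lower-cased host names.
    $uris | Where-Object { $_ -ne $null } |
        ForEach-Object { ([System.Uri]$_).Host.ToLower() } |
        Sort-Object -Unique
}

function Get-IisCertificateNames {
    # The certificate bound to the IIS service is the one OWA presents.
    $cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { throw 'No certificate is enabled for the IIS service.' }
    Write-Host ('IIS certificate: {0} (self-signed: {1}, expires {2})' -f $cert.Subject, $cert.IsSelfSigned, $cert.NotAfter)
    $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
}

function Test-HostInSan([string]$HostName, [string[]]$SanNames) {
    # Exact match, or a wildcard entry (*.example.com) covering exactly one label.
    foreach ($san in $SanNames) {
        if ($san -eq $HostName) { return $true }
        if ($san.StartsWith('*.') -and
            ($HostName -match ('^[^.]+\.' + [regex]::Escape($san.Substring(2)) + '$'))) {
            return $true
        }
    }
    return $false
}

$san = @(Get-IisCertificateNames)
$bad = @()
foreach ($h in (Get-ClientFacingHosts)) {
    if (Test-HostInSan $h $san) { Write-Host "OK       $h" }
    else { Write-Host "MISSING  $h"; $bad += $h }
}
if ($bad.Count -eq 0) {
    Write-Host 'Every client-facing host name is covered by the IIS certificate.'
} else {
    Write-Host ("Add these names to the certificate's -DomainName list, or change the URLs: {0}" -f ($bad -join ', '))
}
```

Run it once after changing the URLs and again after enabling a new certificate; the two lists have to agree before the browser warning can go away.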
Akhater (Solutions Architect) commented:
you can for sure generate a self-signed certificate by running

New-ExchangeCertificate -domainname mail.domain.com,servername.domain.local -FriendlyName mail.domain.com

However, this will not solve the error you are getting; the issue is that the root CA that issued the certificate is not trusted by the users trying to get to OWA.

To solve this OWA issue you could:

1. Buy a certificate. This will solve all your problems (obviously you don't want this).
2. Install your own CA internally and issue the Exchange certificate from your internal CA. This will solve the problem for all computers that are joined to the domain; for the rest you will still need to install the root CA in the trusted authorities (totally free).
3. Install the self-signed certificate of Exchange on all your clients.
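The New-ExchangeCertificate call above, carried through end to end as an added example that is not part of Akhater's post: it creates the self-signed certificate with both names in the SAN, verifies what actually went into it, binds it to IIS, and exports only the public certificate for the clients (option 3). The two host names are the ones from the question; the file path and friendly name are placeholders. Two points a practitioner will want: the private key never leaves the server (a .pfx export is not needed to make a client trust the certificate, only the .cer), and the client must close every browser window after the import before the address bar warning clears.

```powershell
# Added example: not from the original thread. Exchange 2007 Management Shell
# on the CAS, run as an Exchange administrator. Host names are the ones from
# the question; the path and friendly name are placeholders.
$names = 'mail.externaldomain.com', 'servername.internaldomain.local'

# 1. Self-signed certificate with both names in the Subject Alternative Name.
#    The CN must itself be one of the SAN entries: browsers check SAN first,
#    then CN. The key stays non-exportable because it never needs to leave.
$new = New-ExchangeCertificate -DomainName $names `
        -SubjectName 'cn=mail.externaldomain.com' `
        -FriendlyName 'OWA self-signed (SAN)' `
        -KeySize 2048 -PrivateKeyExportable:$false

# 2. Verify the SAN before touching any client: both names must be listed.
$cert = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
$cert | Format-List Subject, CertificateDomains, Services, IsSelfSigned, NotAfter
foreach ($n in $names) {
    if (-not ($cert.CertificateDomains | Where-Object { "$_" -eq $n })) {
        throw "SAN is missing $n"
    }
}

# 3. Bind it to IIS (OWA, EWS, Autodiscover, OAB). SMTP is left on the
#    existing certificate; add SMTP to -Services only if that is intended.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 4. Export the public certificate only (DER .cer): no password, no private
#    key. This is the only file the OWA users need and the only one safe to email.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes('C:\owa-selfsigned.cer', $der)

# 5. On each client, from an elevated prompt, import it into the machine-wide
#    Trusted Root store, then close every IE window and reopen OWA:
#    certutil -addstore -f Root C:\owa-selfsigned.cer
```

Because the certificate is self-signed, the .cer in step 4 is both the server certificate and its "root"; importing it into Trusted Root on a client makes only this one certificate trusted, not anything else the server might later sign. If the address bar still shows a certificate error after the import, the host name the user typed is not in the SAN listed in step 2.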
tcampbell_nc (author) commented:
I have not said that I do not want to buy a certificate (I don't think).  I have simply asked if I can accomplish my goal with the self-signed certificate.  Our OWA users get the following error:

*******
There is a problem with this website's security certificate.
   
The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  
********

As a test, I tried your number 3, and it gets rid of the message above, but the URL still shows red, and there is still a "Certificate Error" indicator.

If we need to purchase a 3rd party certificate, then that is fine.  I am just trying to get the simple yes/no answer.


Can we do it, and will it fix it?

I think you may have answered both.  

Am I reading that we can add both domains to the certificate, and then "import" that certificate just as I did the renewal today, including adding services where needed, then still have the same problem?

If so, then it sounds like going to an outside certificate is the only way to make this happen cleanly.

Akhater (Solutions Architect) commented:
Number 3 should solve your issue, so my answer is YES... What is the error you got after trying number 3?
tcampbell_nc (author) commented:
I no longer got the "There is a problem with your security Certificate" screen.  It goes directly to the OWA login screen.  I am still seeing the URL section of IE is red, and to the right of the URL box, There is the "Certificate Error" indication.
Akhater (Solutions Architect) commented:
If I may ask, how did you add it to the trusted root CA?  As far as I can remember there is nothing called a red bar without a warning, unless you tried without closing IE and opening it again.
Dave Howe (Software and Hardware Engineer) commented:
 Normally, you would create a corporate ca, and push that new CA certificate out to all your users via group policy.

  Then when you self-issue a SAN certificate, that will automagically be trusted by all your own users because it is signed by the corporate CA, and you can mail your CA cert to any trusting third parties to add to their own mailservers for TLS purposes.

  MS enterprise class server software comes with such a CA, although I find it awkward to create new SAN certificates in the ms solution, preferring to create the signing requests in the tool http://sourceforge.net/projects/xca and either signing/issuing using the MS CA, or using xca for that task too.

  As a side effect, you can issue a 40-year CA and a 5-year SAN certificate, and then get to not worry about it again until 2016 :)
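The corporate-CA route Dave Howe describes, as an added example that is not part of his post: the SAN request is generated by New-ExchangeCertificate itself rather than in xca, submitted to an Active Directory enterprise CA with certreq, imported, chain-checked on the server and bound to IIS. The CA name "CA-SERVER\Firm-CA", the Firm organisation, the third host name and all paths are placeholders; the cmdlet and certreq syntax is the Exchange 2007 / Windows Server 2008 one. The same .req file is what a commercial CA (GoDaddy, NetSol) takes if the thread's purchase option is chosen instead; only step 2 changes.

```powershell
# Added example: not from the original thread. Exchange 2007 Management Shell
# on the CAS; an enterprise CA (AD Certificate Services) is reachable as
# "CA-SERVER\Firm-CA" and publishes the WebServer template. Names and paths
# are placeholders.
$caConfig = 'CA-SERVER\Firm-CA'
$names    = 'mail.externaldomain.com', 'servername.internaldomain.local', 'autodiscover.externaldomain.com'

# 1. Build the PKCS#10 request with the SAN inside it. Because the names travel
#    in the request, the CA does NOT need the EDITF_ATTRIBUTESUBJECTALTNAME2
#    flag, which lets any requester add arbitrary names and is a well-known
#    way to get an internal CA abused.
New-ExchangeCertificate -GenerateRequest -Path 'C:\owa.req' `
    -SubjectName 'c=US, o=Firm, cn=mail.externaldomain.com' `
    -DomainName $names -KeySize 2048 -PrivateKeyExportable:$false

# 2. Submit to the enterprise CA against the WebServer template (subject
#    "supplied in the request", so the SAN from the CSR is carried over).
certreq -submit -config $caConfig -attrib 'CertificateTemplate:WebServer' 'C:\owa.req' 'C:\owa.cer'
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 3. Pair the issued certificate with the pending private key, then locate it.
Import-ExchangeCertificate -Path 'C:\owa.cer'
$cert = Get-ExchangeCertificate -DomainName 'mail.externaldomain.com' |
        Where-Object { -not $_.IsSelfSigned } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Issued certificate not found after import.' }

# 4. Make sure the chain builds on the CAS before binding it to IIS; a chain
#    that fails here fails on every client too. Revocation is skipped for this
#    local sanity check only.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    throw ('Chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; '))
}
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 5. Domain-joined clients receive the enterprise CA's root automatically
#    through Active Directory. For machines outside the domain (the attorneys'
#    home PCs), hand out the ROOT certificate, never the server's key:
#    certutil -config "CA-SERVER\Firm-CA" -ca.cert C:\firm-root.cer
#    certutil -addstore -f Root C:\firm-root.cer      (on the client, elevated)
```

Once the root is trusted, any later SAN certificate issued by the same CA (a renewal, a second server) is trusted by those clients without another import, which is the practical advantage over distributing a self-signed certificate each time it expires.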
tcampbell_nc (author) commented:
OK, I was wrong.

I still get the same Certificate error.  From what I am seeing and reading, it seems the correct course of action is to pay $90 per year to get the cert from NetSol, or to go with a 3rd party "free" cert provider.

Any final comments.
Fingo11 commented:
Your setup sounds very similar to what we are using at the company I work for.  I think we paid around 50 bucks for a cert from GoDaddy.  Good for 2 years. Simple to install and everyone is happy.  

Just to clarify, did you try to export the self-signed cert and actually install it on a client outside of your network?  If you are only talking about a few folks that need access, then that might just be the way to go if you don't mind walking them through the import process.

Good luck on whatever you decide to do!
tcampbell_nc (author) commented:
Alright Fingo, you have my interest.

I am talking about needing to support about 10-15 users with OWA.

Educate me on Exporting the self-signed, and installing it on a client.
tcampbell_nc (author) commented:
Fingo,

I am getting back to this issue.  I just looked at GoDaddy and I think I need what is classified as a UCC cert?  Is that what you purchased?

I chatted with NetSol (the registrar of this customer's domain) and they said I would need a UCC cert, and they cost $600 per year.

Go Daddy has them at $90 per year.  But this is not the $50 for 2 years that you mentioned.

Thanks
Akhater (Solutions Architect) commented:
You do need a UCC certificate, yes. GoDaddy sells them pretty cheap and they do work.