  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 569

Multiple SSL Certificates

So my problem is that I need 2 certificates; the first one is for a local domain. Example:
localdomain = remote.local
externaldomain = example.com

I can't figure out how to do this with a self-signed certificate. Can this even be done?
dataconsult01
Asked:
1 Solution
 
Sushil Sonawane Commented:
You can create a single certificate with multiple domain names.

To create a self-signed certificate, please refer to the links below.

http://www.emailsecuritymatters.com/site/blog/best-practices/how-to-create-self-signed-ssl-certificate-exchange-2003-2007-2010-windows/

http://blogs.technet.com/b/andym/archive/2008/09/15/exchange-2007-create-self-signed-certificates.aspx

OR

Shell command to create a self-signed certificate:

New-ExchangeCertificate -SubjectName "c=US, o=abc Bank, cn=mail1.abc.com" -DomainName abc.com, example.com
 
Dave Howe (Software and Hardware Engineer) Commented:
You could use one SAN certificate?
 
Simon Butler (Sembee) (Consultant) Commented:
The self-signed certificates generated by Exchange are not really designed for production use, more as placeholders. They are not supported at all for use with Outlook Anywhere or ActiveSync. When you can purchase a suitable certificate for less than $60/year, going through the headaches of getting self-signed certificates isn't worth it.

Simon.
 
dataconsult01 (Author) Commented:
It's for a client with only a few PCs and they think 100+/- is too much for this.
 
Sushil Sonawane Commented:
You can use a self-signed certificate or create your own CA and then issue a certificate. It's totally up to you which certificate to set for Exchange.

Self-signed OR CA OR third-party certificate
 
Simon Butler (Sembee) (Consultant) Commented:
How much is your time worth?
I can have it set up with a commercial certificate in less than 30 minutes.
Getting it to work on all clients can take triple that time (as you have to install the client on every device, which can be troublesome with mobile devices). If the client insists, then they get a bill for double the cost of the SSL certificate and are told that it will have to be repeated in a year or two.

Simon.
 
Trigonova Commented:
If you need a certificate with both identities, just generate a Subject Alternate Name certificate request. Easily done with the CSR tool on

https://www.digicert.com/easy-csr/exchange2010.htm
 
dataconsult01 (Author) Commented:
Yes, but this is to buy a certificate?
 
Dave Howe (Software and Hardware Engineer) Commented:
Not really. If you have a CSR, there are *dozens* of tools that can sign that for you.

Personally I would set up your own CA (using the MS one is probably easiest) and push out the CA cert to all nodes using group policy. Then sign the Exchange CSR with your CA - that will work silently on nodes with the CA cert (and for any other, you could send them the CA cert if they are going to be using it frequently; it isn't secret, after all :)
 
dataconsult01 (Author) Commented:
I have done that already, but the problem is my internal address remote.local is set up as the internet domain name in the SBS console, and I am not sure I can change this without any problems to my external domain?
 
Simon Butler (Sembee) (Consultant) Commented:
I don't think I would agree about setting up an internal CA being "easy". Far from it. Using an internal CA to sign your own certificates is only really an option if you have 100% control over 100% of the devices that will be connecting to Exchange by any means. If you intend to allow OWA access from anywhere, then it isn't really a viable option because telling users to ignore SSL prompts is a pretty stupid thing to do. You may as well stick with the self-signed certificate generated by SBS. Users will ignore ALL SSL prompts, which exposes them to phishing attacks.

If you have set the external address in SBS as your internal domain then that is going to cause you a lot of problems. You need to correct that to begin with. I would suggest that you do so out of hours so that you can check everything else is correct. Run the wizard to change the Internet Address to your real domain. SBS will do what it needs to do to modify everything, set up the network correctly etc. You should then check the user accounts to ensure that they have the correct email address configured as it may have been reset by the wizard.

However you will still get SSL prompts - until you switch to a commercial certificate your installation will not be trouble free.

Simon.
 
dataconsult01 (Author) Commented:
Sembee2, the certificate is not for using OWA, but the clients all get certificate errors for autodiscover.domainname.com, so it's not for use externally.
 
Sushil Sonawane Commented:
Create a new certificate for the FQDN autodiscover.domain.net, because for autodiscover purposes the host name "autodiscover" is required in the certificate. By default, Microsoft Outlook finds the Exchange server over the internet through autodiscover.domainname.net

Please make sure the DNS record "autodiscover.domain.net" is available on the public DNS.

Refer to the link below for the White Paper: Exchange 2007 Autodiscover Service. It's the same for Exchange 2010.

(http://technet.microsoft.com/en-us/library/bb332063%28v=exchg.80%29.aspx)
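
An added check, not part of any reply in this thread: run in the Exchange Management Shell, it lists each certificate enabled for IIS and reports which of the names clients connect to are missing from it, which is what produces the autodiscover certificate errors discussed above. The name autodiscover.example.com and the helper Test-NameCovered are assumptions made for this example; remote.local and example.com are the question's placeholders.

```powershell
# Added example. Names that clients connect to: the thread's placeholders
# plus an assumed autodiscover host. Replace with the real names.
$required = 'remote.local', 'example.com', 'autodiscover.example.com'

# Hypothetical helper: is $Name covered by any name on the certificate?
function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($c in $CertNames) {
        # -eq on strings is case-insensitive in PowerShell
        if ($c -eq $Name) { return $true }
        # A wildcard entry covers exactly one left-most label
        if ($c.StartsWith('*.')) {
            $suffix = $c.Substring(1)   # e.g. ".example.com"
            if ($Name.Length -gt $suffix.Length -and
                $Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Only certificates enabled for IIS matter for Autodiscover and OWA
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | ForEach-Object {
    $names   = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
    $missing = @($required | Where-Object { -not (Test-NameCovered $_ $names) })
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        SelfSigned = $_.IsSelfSigned
        Expires    = $_.NotAfter
        Names      = $names -join ', '
        Missing    = $missing -join ', '
    }
} | Format-List
```

An empty Missing field means the certificate carries every required name; clients will still prompt if they do not trust its issuer.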