Hello. I am looking for a little help with Exchange Server and SSL certificates.
I run a networking and IT consulting firm. Many of our clients run Microsoft Small Business Server (SBS) and run the included on-premise Exchange Server. Other clients run NON-SBS servers and also have on-premise Exchange Servers. It has been our standard company practice to always name the local activate directory domain name for each customer to be "theircompanyname.local", so that it is separate from any public facing DNS (for websites, OWA, etc) for "theircompanyname.com."
Since Exchange Server 2007, we have been getting UCC SSL certificates from GoDaddy. We typically include the following names in our UCC (Unified Communications) SSL request. I sometimes also hear/see this called a SAN (subject alternate name) certificate.
- servername (local NETBIOS server name)
- servername. theircompanyname.local (local server FQDN)
- theircompanyname.com (public domain name)
- mail.theircompanyname.com (public URL for Outlook web access)
I honestly can’t recall the details of how or why we started using all of those names in the certificate/request, but it has been our standard practice for many years.
Now it is my understanding that Certificate Authorities (CAs) have accepted worldwide guideline changes, and will no longer issue SAN SSL Certificates that include any invalid Fully Qualified Domain Name (such as .local), effective November 2015. We have already run into issues with this, as we are no longer able to request multi-year certificates that go beyond the November 2015 date. (ie a one-year cert request works, but a 3, 4 or 5 year cert request fails).
We are having internal discussions about our practice of using .local for internal domain names (and are considering other common scenarios such as subdomains (such as local.theircompanyname.com or corp. theircompanyname.com). So for those future networks, I may have a different workaround.
But we have 80+ networks for 80+ existing customers, that are mostly setup using "theircompanyname.local" for the local domain name. We have to somehow get SSL certificates for these Exchange Servers, and we will NOT be able to include any reference to “servername“ or “servername. theircompanyname.local” in the SSL certificate request.
SO my questions is.... What is the best/correct method for requesting an UCC/SAN SSL certificate for Exchange Server 2007 and Exchange Server 2010, when the local Windows domain name is “theircompanyname.local”?
Do we just exclude any reference to the “servername” and “servername. theircompanyname.local” in the SSL cert request? I guess we could try that, but I have to assume that we were including those for a reason in the first place?
Do we make a change somewhere on the server so that it does not depend on any references to “servername” or “servername. theircompanyname.local” being in the SSL certificate in order to function properly?
Any advice and suggestions would be greatly appreciated. Thank you in advance.