Add hostname to SBS 2011 self signed certificate for autodiscover

Hello,

I am trying to get the autodiscover service to work on my SBS 2011 server, and when I use www.testexchangeconnectivity.com it fails when it tries to validate the certificate name because the certificate doesn't contain autodiscover.domain.com.  I'm assuming this is because it is the standard SBS 2011 self-signed cert that was installed with the server.  Is there a way to simply add a new hostname, autodiscover.domain.com, to my existing certificate, and if not, what is the best method of changing this without having to go through a third-party certificate authority?  Any information is appreciated.

Thanks
Adam Brown
A SRV record will allow you to bypass the need for autodiscover.domain.com, but it will not remove certificate errors when using a self-signed certificate and it will not prevent errors from showing up in the exchange connectivity test utility.
ColumbiaMarketing (ASKER):
I apologize for misleadingly saying that autodiscover was not working at all.  I actually do have it working for remote clients by simply adding a CNAME record in my public DNS for autodiscover.  It does seem to work, but when I tested with Exchange connectivity it failed because of the autodiscover CN missing from my self-signed cert.  Besides the cert warnings and still failing the Exchange connectivity tests, would there be any other complications down the road from leaving it as is?
No real complications beyond certificate errors, but you will run into issues if you want to use Domain Authenticated TLS or other advanced features that require a valid certificate.
The CNAME record is the wrong approach. Create a SRV record instead. Or purchase a UCC/SAN certificate.

ACBrown: It is true that testexchangeconnectivity will still fail because the certificate is not trusted, but the error is different and is clear on that point. And a SRV record (with a properly deployed self-issued cert) *does* remove certificate errors when actually using autodiscover from a legitimate client. The client experience is the same with a SRV record and self-signed, a SRV record and a single-name, or a UCC/SAN, when implemented properly.
Ignoring certificate errors always has the risk of complications. Most importantly, by choosing to ignore the error, you are actively telling the client that things are "okay" when they may not be. A good example is that I could, in theory, set up my own certificate authority, create my own self-signed certificate, and issue a man-in-the-middle attack. Your client would see my certificate as untrusted and throw an error...but since YOUR certificate throws an error, you would click right on past it and not realize the difference between a "good" error and a "bad" one.

Ignoring certificate errors always introduces the risk of a secure nature and every precaution should be taken to avoid such conditions. Otherwise you might as well not bother encrypting at all.
Thank you.  These are all very good recommendations.  Pertaining to the SRV record, would one need to be created only on my public DNS, or on both my local and public DNS?
Public. Locally, Active Directory service connection point (SCP) references are used instead. Neither CNAME nor SRV records take precedence over SCPs.
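To make the argument in the replies above concrete (the client validates whichever hostname the discovery method leads it to, so a SRV record pointing at the name already on a single-name certificate avoids a name mismatch, while a CNAME for autodiscover.domain.com does not, and a domain-joined client consults the SCP before either), here is an added Python model. It is not code from the thread, from SBS 2011 or from Outlook; the lookup order it implements, the example.com zone, the certificate names and the SCP URL are all constructed assumptions for illustration.

```python
"""Added example (not from the Experts Exchange thread): a simplified model of
which hostname an autodiscover client validates against the server certificate
for each publishing method discussed above (CNAME, SRV, UCC/SAN cert, SCP).
The lookup order and the zone/certificate contents are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Zone:
    """Constructed public DNS zone: only the record types relevant here."""
    cname: dict = field(default_factory=dict)  # name -> target
    srv: dict = field(default_factory=dict)    # _service._proto.name -> (target, port)


def hostname_matches(hostname, cert_names):
    """RFC 6125-style check: exact match, or a wildcard in the leftmost label
    covering exactly one label. Comparison is case-insensitive."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                       # ".example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False


def autodiscover_endpoint(smtp_domain, zone, scp_url=None):
    """Return (method, hostname) the client will connect to.

    Assumed, simplified lookup order: a domain-joined client uses the Active
    Directory SCP first; otherwise it tries autodiscover.<domain> (which a CNAME
    makes resolvable), and only then the _autodiscover._tcp SRV record."""
    if scp_url:
        return "scp", urlparse(scp_url).hostname
    direct = f"autodiscover.{smtp_domain}"
    if direct in zone.cname:
        return "cname", direct            # client validates autodiscover.<domain>
    srv = zone.srv.get(f"_autodiscover._tcp.{smtp_domain}")
    if srv:
        return "srv", srv[0]              # client validates the SRV target name
    return None, None


def evaluate(smtp_domain, zone, cert_names, issuer_trusted, scp_url=None):
    """Summarise the client experience: which name is checked, whether the
    certificate covers it, and whether the issuer is trusted by the client
    (a self-signed cert only passes this when its CA has been deployed)."""
    method, host = autodiscover_endpoint(smtp_domain, zone, scp_url)
    return {
        "method": method,
        "host": host,
        "name_ok": host is not None and hostname_matches(host, cert_names),
        "trust_ok": issuer_trusted,
    }


# Constructed scenario matching the thread: a single-name certificate issued
# for remote.example.com, and autodiscover published two different ways.
SINGLE_NAME_CERT = ["remote.example.com"]
UCC_CERT = ["remote.example.com", "autodiscover.example.com"]
CNAME_ZONE = Zone(cname={"autodiscover.example.com": "remote.example.com"})
SRV_ZONE = Zone(srv={"_autodiscover._tcp.example.com": ("remote.example.com", 443)})

if __name__ == "__main__":
    for label, zone, cert, trusted, scp in [
        ("CNAME + single-name self-signed", CNAME_ZONE, SINGLE_NAME_CERT, False, None),
        ("SRV + single-name self-signed, CA deployed", SRV_ZONE, SINGLE_NAME_CERT, True, None),
        ("CNAME + UCC/SAN from public CA", CNAME_ZONE, UCC_CERT, True, None),
        ("Domain-joined: SCP wins over CNAME", CNAME_ZONE, SINGLE_NAME_CERT, True,
         "https://remote.example.com/Autodiscover/Autodiscover.xml"),
    ]:
        print(f"{label}: {evaluate('example.com', zone, cert, trusted, scp)}")
```

Running it shows the CNAME scenario failing on the name check (the client validates autodiscover.example.com, which a single-name cert does not carry), the SRV and UCC/SAN scenarios passing, and the SCP scenario passing even though the CNAME still exists in the zone. Name matching and issuer trust are reported separately because they are separate failures: a SRV record fixes only the first, and a self-signed certificate still needs its issuer trusted on every client.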