SBS2011 and UCC Certificate

Hello,

I have an SBS2011 network and wish to add a Terminal Server to the network.

The Terminal server will have its own ADSL line and WAN IP address and its own external A record of terminal.mydomain.co.uk

I want to add a UCC certificate to cover this configuration with SAN names of...

remote.mydomain.co.uk
terminal.mydomain.co.uk
autodiscover.mydomain.co.uk
server.mydomain.local
server

I know a simple SSL Certificate will be fine with SBS2011 but I want it to cover the Terminal server with a different WAN IP and A Record.

When requesting the UCC cert, do I use the SBS wizard for the CSR, add the SANs manually at GoDaddy, then install the intermediate cert per their instructions and use the SBS Trusted Cert wizard to install the UCC cert?

Or...

Use the Exchange wizard for the CSR, install the intermediate cert and use Exchange to install the UCC cert, then select the installed cert from within the SBS Trusted Cert wizard?

And...

Do I need to put server.mydomain.local and server on the UCC if I use the Trusted Certificate wizard in SBS to install the cert? I want to avoid certificate errors on the local domain for Outlook users, and would this solve the problem of not being able to use .local in certificates after 2015?

Thanks for taking the time to read this; your help is appreciated.

Dave
Declaro Asked:

Cliff Galiher Commented:
Wow, that's like five questions. Not one. But let's tackle this whole mess.

First, let me say that I would *not* use one certificate for two servers. It is a very bad security practice. UCC certs were intended for situations where one server may be hosting multiple services. An example would be Exchange, where it might be hosting mail.company.com, autodiscover.company.com, and addressbook.company.com. They were not meant to be shared across multiple servers. It technically *can* be done, but it opens up a big heap of mess. I'd strongly encourage you to consider using two simple certificates instead. It is cheaper than a UCC/SAN cert *and* more secure. Double win.

Now, on to your questions:

Use the SBS wizard to generate the CSR and to install the certificate. Regardless of whether you take my advice on the UCC/SAN or not, this is the easiest way to get the certificate into RWA. Using the Exchange wizard does NOT touch all of the places SBS uses the certificate and is often the *cause* of many errors people report.

Which brings me to the second point. Do not use any local names on your certificate. No .local, no short names. Only *public* names that have public DNS records. Again, this is a security practice and has always been the case. But certificate authorities have been slacking, and now there are so many "bad" certificates out there that they have to phase out renewing them. At any rate, no reasonable product has required private names in a certificate for a public-facing service in over a decade, so adding them accomplishes very little and makes your environment easily susceptible to man-in-the-middle attacks.

Regarding certificate errors for Outlook: if you ran all of the SBS wizards during setup, there won't be any. The SBS wizards set the internal Exchange URLs that Outlook uses to the name you chose when the wizard was run, *not* the .local name. The wizards also create a DNS zone for that name so local lookups don't hit the router. What this means is that, as long as the wizards were used throughout, Outlook will get "remote.company.com" for Exchange even on the local domain, the certificate you buy from (whoever) will have that name (even a simple non-UCC/SAN cert), and it all matches, so no errors.
Declaro (Author) Commented:
Hi Cgaliher, thank you for the detailed explanation and for answering so many questions :) It has helped a lot.

Currently the SBS server uses the self-signed certificate and all works well; the wizards were used correctly in the setup of the server. I'm good with installing a simple SSL cert on SBS and will do so if advised it's needed when introducing a terminal server.

If I introduce a second SSL cert into the domain, how do I create the CSR and import it into the network for the terminal server? If I use the wizard, wouldn't it overwrite or make redundant the first certificate?

Thanks
Cliff Galiher Commented:
You should not (and in fact *CANNOT*) use the wizard for other servers.

A CSR is exactly that. It is simply a request to "sign" the certificate you generate. You can't generate a CSR on one machine and then install the certificate onto another machine. That second machine would not have the private key for the certificate and therefore the certificate would be useless.

This should help clarify things:

http://technet.microsoft.com/en-us/library/cc725949.aspx
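As an added example (not from the thread, Microsoft or GoDaddy), the following POSIX shell script uses openssl to demonstrate both points from Cliff's answers: the issued certificate is only usable with the private key that was generated alongside its CSR, and a public certificate's SANs should contain no .local or short names. It assumes the openssl CLI is installed; the mydomain.co.uk names come from the question, and the SAN list and all keys are constructed locally.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the openssl CLI is installed.
# Stands in for the SBS server (key + CSR), GoDaddy (issuance, SANs added
# at the CA) and the terminal server (its own key) to show two checks:
# 1. a cert is only usable on the machine holding the CSR's private key;
# 2. a public cert should carry no .local or short (single-label) SANs.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key and CSR, as generated on the server that will use the certificate.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=remote.mydomain.co.uk" 2>/dev/null
}

# CA stand-in: sign the CSR and add the requested SAN list ($2).
issue_cert() {
  printf 'subjectAltName=%s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
    -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# True only if the private key ($1) and certificate ($2) share a public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER \
      2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

# Print SAN entries that are not public FQDNs: .local names or no dot at all.
private_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p' \
    | grep -E '(\.local$|^[^.]+$)' || true
}

# SAN list from the question (constructed input; includes the private names).
SANS='DNS:remote.mydomain.co.uk,DNS:autodiscover.mydomain.co.uk,DNS:server.mydomain.local,DNS:server'
gen_csr "$WORK/sbs"
issue_cert "$WORK/sbs" "$SANS"
openssl genrsa -out "$WORK/terminal.key" 2048 2>/dev/null   # terminal server's own key
key_matches_cert "$WORK/sbs.key" "$WORK/sbs.crt" && echo "sbs.key matches sbs.crt"
key_matches_cert "$WORK/terminal.key" "$WORK/sbs.crt" \
  || echo "terminal.key does not match sbs.crt: the cert is useless on that server"
echo "Private SAN entries (should be empty on a public certificate):"
private_sans "$WORK/sbs.crt"
```

The same key-match check is what to run on a server after installing a purchased certificate; a mismatch means the CSR was generated elsewhere, which is exactly the situation Cliff describes.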
Declaro (Author) Commented:
Thanks for the time you've taken to answer these questions for me; I know how to proceed now.

Cheers

Dave