Mark Hoepelman asked:

New SSL certificate requirements and configuring Microsoft Exchange appropriately

As many of you already know, there are new SSL certificate restrictions in place that will soon be enforced, which will no longer support the use of internal SAN names (such as .local) in the certificate.

I have renewed my SSL cert, excluding any unsupported SAN values, and re-configured Exchange 2010 to point everything from HOSTNAME.local to FQDN.com.

I have also created the appropriate internal DNS zone to point my FQDN.com to my internal IP.

Externally, everything works great. I have tested ActiveSync, Outlook Web Access and Outlook connectivity with no issues whatsoever. MXToolbox comes back with no issues reported. All my devices (phones, tablets, etc.) appear to be working externally as well.

Internally, everything seems to be working with one issue: my workstations running Outlook 2010 or lower are getting prompted to accept the certificate 1-2 times upon startup, and often at seemingly random times when Outlook is already open, and you have to click on "accept" to continue. It does not seem to be affecting clients running Outlook 2013.

I have tried deleting the existing Exchange profile on a workstation and recreating it using FQDN.com as the mail server, but as soon as I click on "check name" it of course reverts it back to HOSTNAME.local. I can't force it to use FQDN.com.

Does anyone know how to proceed with correcting this particular issue?
ASKER CERTIFIED SOLUTION
M A

Check the article below; I think this might be your issue. Try the solution mentioned there.
http://www.shudnow.net/2013/07/26/outlook-certificate-error-and-autodiscover-domain-com-not-working/
Mark Hoepelman

ASKER

This was exactly the issue. Apparently some of these values are only configurable via the Exchange Management Shell and not via the Exchange GUI. After running through this config the issue was resolved. Thank you very much!
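
The thread does not list which values were changed, so the following is an added example (not from the posters or the linked article) that audits the client-facing URL properties Exchange 2010 exposes in the Exchange Management Shell and reports any that still use the internal namespace. It assumes `.local` is the suffix that was dropped from the certificate; the property list is a selection of standard Exchange 2010 cmdlet outputs, not a record of what the asker changed.

```powershell
# Run in the Exchange Management Shell on Exchange 2010 (PowerShell 2.0 compatible).
# Assumption: '.local' is the internal-only suffix no longer present on the certificate.
$InternalSuffix = '.local'

# Cmdlets and the URL/hostname properties they hand out to Outlook clients.
$Checks = @(
    @{ Cmdlet = 'Get-ClientAccessServer';          Props = @('AutoDiscoverServiceInternalUri') },
    @{ Cmdlet = 'Get-WebServicesVirtualDirectory'; Props = @('InternalUrl', 'ExternalUrl') },
    @{ Cmdlet = 'Get-OabVirtualDirectory';         Props = @('InternalUrl', 'ExternalUrl') },
    @{ Cmdlet = 'Get-OwaVirtualDirectory';         Props = @('InternalUrl', 'ExternalUrl') },
    @{ Cmdlet = 'Get-EcpVirtualDirectory';         Props = @('InternalUrl', 'ExternalUrl') },
    @{ Cmdlet = 'Get-ActiveSyncVirtualDirectory';  Props = @('InternalUrl', 'ExternalUrl') },
    @{ Cmdlet = 'Get-OutlookAnywhere';             Props = @('ExternalHostname') }
)

$Findings = foreach ($check in $Checks) {
    $cmd = $check.Cmdlet
    foreach ($obj in (& $cmd)) {
        foreach ($prop in $check.Props) {
            $value = [string]$obj.$prop
            if (-not $value) { continue }          # property not set

            # The value is either a full URL or a bare hostname.
            $uri = $null
            if ([Uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri)) {
                $hostName = $uri.Host
            } else {
                $hostName = $value
            }

            # Report anything still pointing at the internal namespace.
            if ($hostName.EndsWith($InternalSuffix, [StringComparison]::OrdinalIgnoreCase)) {
                New-Object PSObject -Property @{
                    Cmdlet   = $cmd
                    Identity = [string]$obj.Identity
                    Property = $prop
                    Value    = $value
                }
            }
        }
    }
}

if ($Findings) {
    $Findings | Format-Table Cmdlet, Identity, Property, Value -AutoSize
} else {
    Write-Host "No client-facing URLs reference $InternalSuffix"
}
```

Each reported property is corrected with the matching `Set-` cmdlet, for example `Set-ClientAccessServer -AutoDiscoverServiceInternalUri`, using a name that is present on the renewed certificate.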