Solved

Exchange 2010 self-signed certificate interfere with third-party certificate?

Posted on 2014-09-15
Last Modified: 2014-09-19
Good morning!  We recently had to renew our third-party SSL certificate for our Exchange 2010 system, and because of certificate authority changes not permitting local intranet names as SANs in SSL certificates (i.e., can't use ".local" in SANs anymore), we are now getting internal certificate warnings from our local, in-house Outlook 2010 clients when connecting to our CAS servers (certificate does not contain the name of the server being connected to).  Our public OWA is working perfectly, as is all inbound and outbound email.

We have the renewed SSL certificate installed on all internal CAS servers, but I was concerned about installing a self-signed certificate on those same, operational CAS servers for the purpose of eliminating the Outlook client warnings.  Will installing these self-signed certs side-by-side with a valid, operational 3rd party SSL cert cause any issues?  What services do I assign to the new certificate *that won't interfere with the already-assigned services* on the 3rd party certificate?  I've generated the CSR for the two internal CAS servers (intranet names only) for client access only, no internet services, but I don't want to mess up the current services.

Yes, I've read over the articles re: resetting the Virtual Directories and changes to DNS, but given our DAG configuration (different autodiscover servers for each site to eliminate WAN latency) I can't make those changes.

Any thoughts would be appreciated.  Thanks!
Steve
Question by:Steve Bottoms
Accepted Solution by: Jamie McKillop
Hello,

You cannot use two different SSL certs for the same services. You basically have two options: You can use split-DNS or you can set up a new internal DNS zone, which is registered publicly.

With split-DNS you would create a duplicate of your external DNS zone on your internal servers. This allows you to set external IPs on your public DNS servers and internal IPs on your internal DNS servers. This allows you to set both the internal and external URLs on your virtual directories to be the same, and you can use your current cert. The downside to this method is that it requires managing two separate instances of your DNS zone. Each time you make an add or change on one, you need to do it on the other.

If you go the route of setting up a new internal zone, you get away from the issues of managing a split-DNS environment. Even though the zone is registered, you don't need to make it available externally. You would set your internal URLs on the virtual directories to be hostnames on the internal zone. You would need to have these hostnames added to your SAN cert.

-JJ
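The check behind the accepted answer, as an added example that is not part of the thread: it lists every hostname a CAS hands out through its virtual directory URLs and Autodiscover URI, flags the ones the IIS-bound certificate does not cover, and with -Apply rewrites each InternalUrl to match the ExternalUrl (the split-DNS model). The server name and the public Autodiscover name are placeholders, and the cmdlets are the standard Exchange 2010 Management Shell ones.

```powershell
# Added example, not code from the thread. Run in the Exchange 2010 Management Shell on a CAS.
# Reports which hostnames the client-facing URLs hand out and whether the IIS certificate covers
# them; with -Apply it sets each InternalUrl equal to the ExternalUrl (the split-DNS model).
param(
    [string]$Server = $env:COMPUTERNAME,
    [string]$PublicAutodiscover = 'autodiscover.mydomain.com',   # placeholder public name
    [switch]$Apply
)

# SAN entries of the certificate currently bound to IIS (may include a wildcard)
$iisCert  = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' }
$sanNames = @($iisCert | ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_".ToLower() })

function Test-NameOnCert([string]$Name) {
    foreach ($san in $sanNames) {
        if ($san -eq $Name) { return $true }
        # a wildcard entry covers exactly one extra label, nothing deeper
        if ($san.StartsWith('*.') -and $Name -like $san -and
            $Name.Split('.').Count -eq $san.Split('.').Count) { return $true }
    }
    return $false
}

# Every URL Outlook or Autodiscover can be handed by this CAS
$vdirs = @(Get-OwaVirtualDirectory -Server $Server) +
         @(Get-EcpVirtualDirectory -Server $Server) +
         @(Get-WebServicesVirtualDirectory -Server $Server) +
         @(Get-ActiveSyncVirtualDirectory -Server $Server) +
         @(Get-OabVirtualDirectory -Server $Server)
$urls = @($vdirs | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }) +
        @((Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri)

# Outlook warns on any name in this list that is not on the certificate
$urls | Where-Object { $_ } | Sort-Object -Property AbsoluteUri -Unique | ForEach-Object {
    $state = if (Test-NameOnCert $_.Host.ToLower()) { 'OK     ' } else { 'MISSING' }
    "$state $($_.AbsoluteUri)"
}

if ($Apply) {
    # Internal and external clients then use the same name, so the one public cert serves both
    Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.ExternalUrl } | ForEach-Object { Set-OwaVirtualDirectory -Identity $_.Identity -InternalUrl $_.ExternalUrl }
    Get-EcpVirtualDirectory -Server $Server | Where-Object { $_.ExternalUrl } | ForEach-Object { Set-EcpVirtualDirectory -Identity $_.Identity -InternalUrl $_.ExternalUrl }
    Get-WebServicesVirtualDirectory -Server $Server | Where-Object { $_.ExternalUrl } | ForEach-Object { Set-WebServicesVirtualDirectory -Identity $_.Identity -InternalUrl $_.ExternalUrl }
    Get-ActiveSyncVirtualDirectory -Server $Server | Where-Object { $_.ExternalUrl } | ForEach-Object { Set-ActiveSyncVirtualDirectory -Identity $_.Identity -InternalUrl $_.ExternalUrl }
    Get-OabVirtualDirectory -Server $Server | Where-Object { $_.ExternalUrl } | ForEach-Object { Set-OabVirtualDirectory -Identity $_.Identity -InternalUrl $_.ExternalUrl }
    Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$PublicAutodiscover/Autodiscover/Autodiscover.xml"
}
```

Run it without -Apply first; the internal DNS zone must resolve the public names to the internal CAS addresses before the URLs are changed, or internal clients will be sent to the public IPs.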

Author Closing Comment by: Steve Bottoms
Jamie, thanks for the response.  I'm taking the route with the myserver.mydomain.com internal zone and resetting the virtual directory settings in my CAS servers tomorrow, and we'll see what happens then.  Using a self-signed certificate works in the remote site *AS LONG AS* the cluster doesn't fail over to the primary site.  Once that happens, we're back to certificate errors on the remote clients.

Thanks again for the input!
Steve