Exchange 2010 self-signed certificate interfere with third-party certificate?

Posted on 2014-09-15
Last Modified: 2014-09-19
Good morning! We recently had to renew our third-party SSL certificate for our Exchange 2010 system, and because of certificate authority changes not permitting local intranet names as SANs in SSL certificates (i.e. can't use ".local" in SANs anymore), we are now getting internal certificate warnings from our local, in-house Outlook 2010 clients when connecting to our CAS servers (certificate does not contain the name of the server being connected to). Our public OWA is working perfectly, as is all inbound and outbound email.

We have the renewed SSL certificate installed on all internal CAS servers, but I was concerned about installing a self-signed certificate on those same, operational CAS servers for the purpose of eliminating the Outlook client warnings. Will installing these self-signed certs side-by-side with a valid, operational 3rd party SSL cert cause any issues? What services do I assign to the new certificate *that won't interfere with the already-assigned services* on the 3rd party certificate? I've generated the CSR for the two internal CAS servers (intranet names only) for client access only, no internet services, but I don't want to mess up the current services.

Yes, I've read over the articles re: resetting the Virtual Directories and changes to DNS, but given our DAG configuration (different autodiscover servers for each site to eliminate WAN latency) I can't make those changes.

Any thoughts would be appreciated. Thanks!
Steve

Question by: Steve Bottoms
3 Comments
 
LVL 25

Expert Comment

by: -MAS
ID: 40324848

Accepted Solution

by: Jamie McKillop (earned 500 total points)
ID: 40325150
Hello,

You cannot use two different SSL certs for the same services. You basically have two options: You can use split-DNS or you can set up a new internal DNS zone, which is registered publicly.

With split-DNS you would create a duplicate of your external DNS zone on your internal servers. This allows you to set external IPs on your public DNS servers and internal IPs on your internal DNS servers. This allows you to set both the internal and external URLs on your virtual directories to be the same and you can use your current cert. The downside to this method is that it requires managing two separate instances of your DNS zone. Each time you make an addition or change on one, you need to do it on the other.

If you go the route of setting up a new internal zone, you get away from the issues of managing a split-DNS environment. Even though the zone is registered, you don't need to make it available externally. You would set your internal URLs on the virtual directories to be hostnames on the internal zone. You would need to have these hostnames added to your SAN cert.

-JJ
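The Outlook warning in this thread appears whenever a virtual directory InternalUrl (or the Autodiscover SCP) points at a hostname that is not in the IIS certificate's SAN list. The following Exchange Management Shell script is an added example, not code from the thread or from Microsoft: it lists the names the IIS-bound certificate covers, checks every URL Autodiscover hands to internal Outlook clients against that list, and then applies the internal-zone fix from the accepted answer. `CAS01`, `mail.mydomain.com` and `autodiscover.mydomain.com` are placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange 2010 Management Shell.
$cas          = 'CAS01'                      # placeholder CAS server name
$internalHost = 'mail.mydomain.com'          # placeholder hostname in the registered internal zone
$autodiscover = 'autodiscover.mydomain.com'  # placeholder Autodiscover name in that zone

# Names listed on the certificate currently enabled for IIS on this CAS
$cert = Get-ExchangeCertificate -Server $cas | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$sans = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }

# Every URL that Autodiscover returns to an internal Outlook client
$urls = @{
  'Autodiscover (SCP)' = (Get-ClientAccessServer $cas).AutoDiscoverServiceInternalUri
  'EWS'                = (Get-WebServicesVirtualDirectory -Server $cas).InternalUrl
  'OAB'                = (Get-OabVirtualDirectory -Server $cas).InternalUrl
  'ECP'                = (Get-EcpVirtualDirectory -Server $cas).InternalUrl
  'OWA'                = (Get-OwaVirtualDirectory -Server $cas).InternalUrl
}

function Test-NameCovered([string]$hostname, [string[]]$sanList) {
  # Exact match, or a wildcard SAN that matches a single label level (*.mydomain.com
  # covers mail.mydomain.com but not cas01.site2.mydomain.com)
  foreach ($san in $sanList) {
    if ($san -eq $hostname) { return $true }
    if ($san.StartsWith('*.') -and $hostname -like $san -and
        ($hostname.Split('.').Count -eq $san.Split('.').Count)) { return $true }
  }
  return $false
}

# Report: any "NOT IN CERT" line is a name Outlook will warn about
foreach ($entry in $urls.GetEnumerator()) {
  if (-not $entry.Value) { continue }
  $h  = ([uri]$entry.Value).Host.ToLower()
  $ok = Test-NameCovered $h $sans
  '{0,-18} {1,-40} {2}' -f $entry.Key, $h, $(if ($ok) { 'covered' } else { 'NOT IN CERT -> Outlook will warn' })
}

# Internal-zone fix from the accepted answer: point every internal URL at a name the SAN cert holds.
# The certificate must already list $internalHost and $autodiscover before this removes the warnings.
Set-ClientAccessServer $cas -AutoDiscoverServiceInternalUri "https://$autodiscover/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" -InternalUrl "https://$internalHost/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" -InternalUrl "https://$internalHost/OAB"
Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" -InternalUrl "https://$internalHost/ecp"
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" -InternalUrl "https://$internalHost/owa"
```

Run the audit half on each CAS in every DAG site, since a client that fails over to another site is handed that site's URLs and will warn if those names are missing from the certificate.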
Author Closing Comment

by: Steve Bottoms
ID: 40333395
Jamie, thanks for the response. I'm taking the route with the myserver.mydomain.com internal zone and resetting the virtual directory settings in my CAS servers tomorrow, and we'll see what happens then. Using a self-signed certificate works in the remote site *AS LONG AS* the cluster doesn't fail over to the primary site. Once that happens, we're back to certificate errors on the remote clients.

Thanks again for the input!
Steve