Solved

Exchange 2010 self-signed certificate interfere with third-party certificate?

Posted on 2014-09-15
3
145 Views
Last Modified: 2014-09-19
Good morning!  We recently had to renew our third-party SSL certificate for our Exchange 2010 system, and because of certificate authority changes not permitting local intranet names as SANs in SSL certificates (i.e., you can't use ".local" in SANs anymore), we are now getting internal certificate warnings from our local, in-house Outlook 2010 clients when connecting to our CAS servers (certificate does not contain the name of the server being connected to).  Our public OWA is working perfectly, as is all inbound and outbound email.

We have the renewed SSL certificate installed on all internal CAS servers, but I was concerned about installing a self-signed certificate on those same, operational CAS servers for the purpose of eliminating the Outlook client warnings.  Will installing these self-signed certs side-by-side with a valid, operational 3rd party SSL cert cause any issues?   What services do I assign to the new certificate *that won't interfere with the already-assigned services* on the 3rd party certificate?  I've generated the CSR for the two internal CAS servers (intranet names only) for client access only, no internet services, but I don't want to mess up the current services.

Yes, I've read over the articles re: resetting the Virtual Directories and changes to DNS, but given our DAG configuration (different autodiscover servers for each site to eliminate WAN latency) I can't make those changes.

Any thoughts would be appreciated.  Thanks!
Steve
Question by:Steve Bottoms
3 Comments
 
LVL 25

Expert Comment

by:-MAS
ID: 40324848
0
 
LVL 37

Accepted Solution

by:
Jamie McKillop earned 500 total points
ID: 40325150
Hello,

You cannot use two different SSL certs for the same services. You basically have two options: You can use split-DNS or you can set up a new internal DNS zone, which is registered publicly.

With split-DNS you would create a duplicate of your external DNS zone on your internal servers. This allows you to set external IPs on your public DNS servers and internal IPs on your internal DNS servers. This allows you to set both the internal and external URLs on your virtual directories to be the same and you can use your current cert. The downside to this method is that it requires managing two separate instances of your DNS zone. Each time you make an add or change on one, you need to do it on the other.

If you go the route of setting up a new internal zone, you get away from the issues of managing a split-DNS environment. Even though the zone is registered, you don't need to make it available externally. You would set your internal URLs on the virtual directories to be hostnames on the internal zone. You would need to have these hostnames added to your SAN cert.

-JJ
0
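The reconfiguration the accepted answer describes (internal URLs on the CAS virtual directories pointing at hostnames that the third-party SAN certificate already covers), as an added example for the Exchange 2010 Management Shell; this is not code from the thread, and the server name and the two hostnames are placeholders you would replace with names from your own internal zone.

```powershell
# Added example, not from the thread. Run in the Exchange 2010 Management Shell.
# Placeholders (assumptions): the CAS server name and the two hostnames that
# live in the new internal DNS zone and must appear in the SAN certificate.
$Server       = "CAS01"
$InternalHost = "mail.mydomain.com"
$AutodHost    = "autodiscover.mydomain.com"

# Pick the certificate currently bound to IIS, i.e. the third-party cert.
$cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services -match "IIS" } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with the IIS service is bound on $Server." }

# CertificateDomains holds SmtpDomain objects; compare as strings.
# This simple check does not expand wildcard entries such as *.mydomain.com.
$domains = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
foreach ($name in @($InternalHost, $AutodHost)) {
    if ($domains -notcontains $name) {
        throw "$name is not in the SAN list ($($domains -join ', ')); add it to the cert first."
    }
}

# Outlook compares the name it connects to with the certificate, so every
# internal URL must use a hostname from the SAN list checked above.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutodHost/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$InternalHost/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$InternalHost/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$InternalHost/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$InternalHost/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "https://$InternalHost/ecp"

# Review what clients will now be handed.
Get-ClientAccessServer -Identity $Server | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
```

The internal zone must resolve these hostnames to the CAS servers (or the DAG's site-local CAS) before Outlook clients pick up the new URLs, otherwise the certificate warning is replaced by a connection failure.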
 

Author Closing Comment

by:Steve Bottoms
ID: 40333395
Jamie, thanks for the response.  I'm taking the route with the myserver.mydomain.com internal zone and resetting the virtual directory settings in my CAS servers tomorrow, and we'll see what happens then.  Using a self-signed certificate works in the remote site *AS LONG AS* the cluster doesn't fail over to the primary site.  Once that happens, we're back to certificate errors on the remote clients.

Thanks again for the input!
Steve
0