Solved

Exchange 2010 self-signed certificate interfere with third-party certificate?

Posted on 2014-09-15
Last Modified: 2014-09-19
Good morning! We recently had to renew our third-party SSL certificate for our Exchange 2010 system, and because of certificate authority changes not permitting local intranet names as SANs in SSL certificates (i.e. you can't use ".local" in SANs anymore), we are now getting internal certificate warnings from our local, in-house Outlook 2010 clients when connecting to our CAS servers (the certificate does not contain the name of the server being connected to). Our public OWA is working perfectly, as is all inbound and outbound email.

We have the renewed SSL certificate installed on all internal CAS servers, but I was concerned about installing a self-signed certificate on those same, operational CAS servers for the purpose of eliminating the Outlook client warnings. Will installing these self-signed certs side-by-side with a valid, operational 3rd party SSL cert cause any issues? What services do I assign to the new certificate *that won't interfere with the already-assigned services* on the 3rd party certificate? I've generated the CSR for the two internal CAS servers (intranet names only) for client access only, no internet services, but I don't want to mess up the current services.

Yes, I've read over the articles re: resetting the Virtual Directories and changes to DNS, but given our DAG configuration (different autodiscover servers for each site to eliminate WAN latency) I can't make those changes.

Any thoughts would be appreciated.  Thanks!
Steve
Question by: Steve Bottoms

Accepted Solution

by: Jamie McKillop (earned 2000 total points)
ID: 40325150
Hello,

You cannot use two different SSL certs for the same services. You basically have two options: you can use split-DNS, or you can set up a new internal DNS zone which is registered publicly.

With split-DNS you would create a duplicate of your external DNS zone on your internal servers. This allows you to set external IPs on your public DNS servers and internal IPs on your internal DNS servers. This allows you to set both the internal and external URLs on your virtual directories to be the same, and you can use your current cert. The downside to this method is that it requires managing two separate instances of your DNS zone. Each time you make an addition or change on one, you need to do it on the other.

If you go the route of setting up a new internal zone, you get away from the issues of managing a split-DNS environment. Even though the zone is registered, you don't need to make it available externally. You would set your internal URLs on the virtual directories to be hostnames on the internal zone. You would need to have these hostnames added to your SAN cert.

-JJ
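The second option above (a registered internal zone, with its hostnames on the SAN cert) comes down to pointing each virtual directory's InternalUrl at the new names and confirming the IIS-bound certificate covers them. This is an added example for the Exchange 2010 Management Shell, not code from the thread; the server name CAS01 and the zone internal.example.com are assumed placeholders.

```powershell
# Added example (not from the original thread): point one Exchange 2010 CAS at
# hostnames in a publicly registered internal zone, then verify that the
# third-party certificate bound to IIS actually covers every internal name.
$Server = "CAS01"                              # assumed CAS server name
$Site   = "mail.internal.example.com"          # assumed internal CAS hostname
$AutoD  = "autodiscover.internal.example.com"  # assumed per-site Autodiscover name

# One InternalUrl per virtual directory; the paths are the Exchange 2010 defaults.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutoD/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$Site/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$Site/OAB"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$Site/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "https://$Site/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$Site/Microsoft-Server-ActiveSync"

# Check: every name Outlook is now told to use must be in the SAN list of the
# certificate that carries the IIS service, or the warning from the question
# comes back. A wildcard entry (*.zone) covers exactly one label.
function Test-NameCovered([string]$Name, [string[]]$Domains) {
    foreach ($d in $Domains) {
        if ($d -eq $Name) { return $true }          # -eq is case-insensitive
        if ($d.StartsWith("*.") -and $Name.Contains(".")) {
            $parent = $Name.Substring($Name.IndexOf(".") + 1)
            if ($parent -eq $d.Substring(2)) { return $true }
        }
    }
    return $false
}

$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if (-not $cert) { throw "No certificate is assigned to the IIS service on $Server" }

foreach ($h in @($Site, $AutoD)) {
    if (Test-NameCovered $h $cert.CertificateDomains) {
        Write-Output "OK      $h is covered by certificate $($cert.Thumbprint)"
    } else {
        Write-Warning "MISSING $h is not in the SAN list; Outlook will warn on this name"
    }
}
```

Run it once per CAS (the asker has a different Autodiscover name per site), and re-run the check whenever the third-party certificate is renewed.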

Author Closing Comment

by: Steve Bottoms
ID: 40333395
Jamie, thanks for the response.  I'm taking the route with the myserver.mydomain.com internal zone and resetting the virtual directory settings in my CAS servers tomorrow, and we'll see what happens then.  Using a self-signed certificate works in the remote site *AS LONG AS* the cluster doesn't fail over to the primary site.  Once that happens, we're back to certificate errors on the remote clients.

Thanks again for the input!
Steve