Exchange 2010 self-signed certificate interfere with third-party certificate?

Good morning! We recently had to renew our third-party SSL certificate for our Exchange 2010 system, and because of certificate authority changes not permitting local intranet names as SANs in SSL certificates (i.e. you can't use ".local" in SANs anymore), we are now getting internal certificate warnings from our local, in-house Outlook 2010 clients when connecting to our CAS servers (certificate does not contain the name of the server being connected to). Our public OWA is working perfectly, as is all inbound and outbound email.

We have the renewed SSL certificate installed on all internal CAS servers, but I was concerned about installing a self-signed certificate on those same, operational CAS servers for the purpose of eliminating the Outlook client warnings. Will installing these self-signed certs side-by-side with a valid, operational 3rd-party SSL cert cause any issues? What services do I assign to the new certificate *that won't interfere with the already-assigned services* on the 3rd-party certificate? I've generated the CSR for the two internal CAS servers (intranet names only) for client access only, no internet services, but I don't want to mess up the current services.

Yes, I've read over the articles re: resetting the Virtual Directories and changes to DNS, but given our DAG configuration (different autodiscover servers for each site to eliminate WAN latency) I can't make those changes.

Any thoughts would be appreciated.  Thanks!
Steve
Steve Bottoms asked:
Jamie McKillop (IT Manager) commented:
Hello,

You cannot use two different SSL certs for the same services. You basically have two options: you can use split-DNS, or you can set up a new internal DNS zone which is registered publicly.

With split-DNS you would create a duplicate of your external DNS zone on your internal servers. This allows you to set external IPs on your public DNS servers and internal IPs on your internal DNS servers. This allows you to set both the internal and external URLs on your virtual directories to be the same, and you can use your current cert. The downside to this method is that it requires managing two separate instances of your DNS zone. Each time you make an add or change on one, you need to do it on the other.

If you go the route of setting up a new internal zone, you get away from the issues of managing a split-DNS environment. Even though the zone is registered, you don't need to make it available externally. You would set your internal URLs on the virtual directories to hostnames in the internal zone. You would need to have these hostnames added to your SAN cert.

-JJ
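The following is an added example, not code from this thread or from Microsoft, of how the second option above (a registered internal zone whose hostnames are in the SAN cert) could be carried out and checked from the Exchange Management Shell on one Exchange 2010 CAS. It lists which certificate is bound to which services (IIS can hold only one, which is why a second cert cannot be assigned to the same client-access services), points the virtual directory internal URLs at names in the internal zone, and then confirms that every internal and external URL hostname is actually covered by the IIS certificate, which is the condition Outlook checks before it warns. The server name CAS01 and the example.com hostnames are placeholders; substitute your own.

```powershell
# Added example (not from the thread): audit which certificate serves which
# Exchange 2010 services on a CAS, set the internal URLs to the internal-zone
# names, and verify every URL host is a name the IIS certificate covers.
# Run in the Exchange Management Shell. Names below are placeholders.

$Server       = "CAS01"                           # placeholder CAS server name
$InternalHost = "mail.internal.example.com"        # placeholder host in the internal zone
$AutodiscHost = "autodiscover.internal.example.com" # placeholder Autodiscover host

# 1. Every certificate on this CAS, its bound services, and the names it covers.
Get-ExchangeCertificate -Server $Server |
    Select-Object Thumbprint, IsSelfSigned, NotAfter, Services,
        @{Name = "Domains"; Expression = { $_.CertificateDomains -join ", " }} |
    Format-List

# 2. The third-party certificate bound to IIS is the one Outlook/OWA/EWS will present.
$iisCert = Get-ExchangeCertificate -Server $Server |
    Where-Object { -not $_.IsSelfSigned -and ($_.Services -match "IIS") } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$certNames = $iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }

# 3. Point the internal URLs at the internal-zone names (these change live settings).
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$AutodiscHost/Autodiscover/Autodiscover.xml"
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -InternalUrl "https://$InternalHost/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" -InternalUrl "https://$InternalHost/ecp"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "https://$InternalHost/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -InternalUrl "https://$InternalHost/OAB"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$InternalHost/Microsoft-Server-ActiveSync"

# 4. A URL host is covered if the cert lists it exactly or via a single-label wildcard.
function Test-NameCovered([string]$HostName, [string[]]$Names) {
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith("*.") -and $h.EndsWith($n.Substring(1)) -and
            ($h.Split(".").Count -eq $n.Split(".").Count)) { return $true }
    }
    return $false
}

# 5. Collect every internal/external URL the CAS hands out and report gaps.
$urls = @()
$urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
foreach ($vd in @((Get-OwaVirtualDirectory -Server $Server),
                  (Get-EcpVirtualDirectory -Server $Server),
                  (Get-WebServicesVirtualDirectory -Server $Server),
                  (Get-OabVirtualDirectory -Server $Server),
                  (Get-ActiveSyncVirtualDirectory -Server $Server))) {
    $urls += $vd.InternalUrl, $vd.ExternalUrl
}
foreach ($u in ($urls | Where-Object { $_ })) {
    $h  = ([Uri]$u).Host
    $ok = Test-NameCovered $h $certNames
    "{0,-8} {1}" -f $(if ($ok) { "OK" } else { "MISSING" }), $u
}
```

Any line reported as MISSING is a name Outlook will complain about until it is added to the SAN cert or the URL is changed; in a DAG with per-site Autodiscover, run the check on each CAS, since each server's own AutoDiscoverServiceInternalUri is what its site's clients receive.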
Steve Bottoms (Author) commented:
Jamie, thanks for the response.  I'm taking the route with the myserver.mydomain.com internal zone and resetting the virtual directory settings in my CAS servers tomorrow, and we'll see what happens then.  Using a self-signed certificate works in the remote site *AS LONG AS* the cluster doesn't fail over to the primary site.  Once that happens, we're back to certificate errors on the remote clients.

Thanks again for the input!
Steve
Topic: Exchange
Question has a verified solution.