Issues with geotrust Cert renewal and Exchange 2010

TrenchControl asked:
Hi

My company recently had to update our web cert with GeoTrust and the format was webmail.mycompany.com.
However, we had some internal DNS names linked in with the cert, and due to legislation we were told that internal FQDNs were not allowed. We now have the following error all over the place (picture attached).
External access to the email server is fine but the errors are all internal.

Help! Would very much appreciate instruction on how to maybe reissue the internal certs.

Rgds
error-picture.png
chanderpal singh rathore, Microsoft Exchange Engineer

Commented:
Hi,

Go through the below link for your problem:

Link: https://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm

Good Luck!!
Gareth Gudger, Solution Architect
Most Valuable Expert 2014
Top Expert 2014

Commented:
Hi TrenchControl,

Check out my article here. It discusses how to renew a certificate without the .local FQDNs, how to configure split-brain DNS to work with the new certificate requirements and how to modify all the necessary Exchange URLs to reflect this new requirement.
http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/
http://supertekboy.com/certificates-for-microsoft-exchange/

Author

Commented:
Hi

So if I have an Exchange server called exchange1.mydomain.local and I create an A record in my domain called exchange1.mydomain.com and do the Active Directory migration, and hey presto. Will my Cisco router have problems with this? Does all the traffic route out through the firewall to get back in?
Thanks
Gareth Gudger, Solution Architect
Most Valuable Expert 2014
Top Expert 2014
Commented:
That's where you need split-brain DNS, because most firewalls block that kind of behavior (hairpinning traffic back in through the public address).

So you create a forward lookup zone on your internal DNS called mydomain.com.

Then you create an A record for exchange1 and point it to the internal IP of your mail server, for example 10.0.0.10.

Check that article out. It explains how to create the split-brain DNS.
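The procedure in this answer (an internal copy of the public zone, then the Exchange URLs repointed at the public name) written out as an added example. This is the editor's code, not Gareth's answer or the supertekboy articles. Every name is an assumption carried over from the thread: public zone mydomain.com, Exchange 2010 server EXCHANGE1 (exchange1.mydomain.local) at 10.0.0.10, and a certificate that already carries exchange1.mydomain.com and autodiscover.mydomain.com as SANs; substitute webmail.mycompany.com if that is the name on the GeoTrust certificate. It is meant to be run in the Exchange Management Shell on a domain controller that also holds the DNS Server role.

```powershell
# Added example (editor's, not from the thread or the linked articles).
# Assumed names: zone mydomain.com, server EXCHANGE1 at 10.0.0.10, and a
# certificate whose SANs include exchange1.mydomain.com and
# autodiscover.mydomain.com. dnscmd.exe is used because it exists on the
# Server 2008 R2 DNS role that Exchange 2010 shops typically run.

$Zone       = 'mydomain.com'
$RecordName = 'exchange1'                 # record name inside the zone
$Fqdn       = "$RecordName.$Zone"         # must match a SAN on the new cert
$InternalIP = '10.0.0.10'
$Server     = 'EXCHANGE1'                 # Exchange server NetBIOS name

# --- 1. Split-brain DNS: an AD-integrated internal copy of the public zone --
# Caveat: once this zone exists, internal clients get ALL mydomain.com answers
# from it. Any public host they still need (www, mail relay, ...) must be
# re-created here with its public address or it stops resolving internally.
dnscmd /ZoneAdd $Zone /DsPrimary
dnscmd /RecordAdd $Zone $RecordName   A $InternalIP
dnscmd /RecordAdd $Zone 'autodiscover' A $InternalIP

# --- 2. Point every Exchange 2010 internal URL at the public name -----------
# Anything left on the .local name keeps producing the name-mismatch warning.
$base = "https://$Fqdn"
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "$base/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "$base/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$base/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "$base/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "$base/ecp"

# --- 3. Bind the newest certificate that carries the public name to IIS/SMTP -
$cert = Get-ExchangeCertificate |
    Where-Object { $_.CertificateDomains -contains $Fqdn } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with SAN $Fqdn is installed on $Server" }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force
iisreset /noforce

# --- 4. Checks: internal resolution and URL/certificate agreement ----------
nslookup $Fqdn                                   # expect 10.0.0.10 internally
Get-ClientAccessServer -Identity $Server | Format-List AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | Format-List InternalUrl, ExternalUrl
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List CertificateDomains, Services, NotAfter
```

Outlook clients pick up the new URLs on their next Autodiscover refresh (restart Outlook to force it), so the warning can linger for a short while after the change. Where the Exchange server is not also the DNS server, run step 1 on the DNS server and steps 2 to 4 in the Exchange Management Shell.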
