George Kesler
Exchange 2007 Certificates - Internal Names Will No Longer Be Trusted

When purchasing a SAN/UCC Certificate for Exchange 2007 a while back, I included two local names in it:
1. internal FQDN of your Exchange Server (hub1.domainname.local)
2. NETBIOS Name of your Server (hub1)
Now that internal names are not allowed anymore (https://www.digicert.com/internal-names.htm) I have to remove those.
My exchange setup consists of the following:
1. Mailbox1
2. Hub1
3. Edge1
4. BES
Hub1 is also the CAS for OWA, OutlookAnywhere, Activesync.
What is the best way to eliminate those local names from the certificates? The network is on a Windows 2008 R2 AD domain.

Last comment: George Kesler, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)

Will Szymkowski

I have just answered a question related exactly to this yesterday. Check out the PAQ here.
https://www.experts-exchange.com/questions/28641230/Exchange-2007-Renew-Certificates.html

This will explain everything in detail.

Will.
George Kesler

ASKER
Will, not exactly, I need to eliminate the internal names from the new certificate which will require changes to DNS.
Simon, I'll need some time to digest your link...
SOLUTION
Deepin
Will Szymkowski

Will, not exactly, I need to eliminate the internal names from the new certificate which will require changes to DNS

You need to generate a new CSR and then add your new SAN names to the certificate. Once you have done this you import the cert into your Exchange server. Create a new DNS Zone and an A record for mail.domain.com.

You then update your internal url for all of your virtual directories, that's it.

Will.
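The steps Will describes (new CSR with public names only, import, split DNS, internal URLs on the public name), written out as an added Exchange Management Shell example; this is not code from the thread. mail.domain.com, autodiscover.domain.com, the server name hub1, the path C:\certs and the address 192.168.10.25 are placeholders.

```powershell
# Added example, not from the original thread. Placeholders: domain.com, hub1, 192.168.10.25, C:\certs.
# Run in the Exchange Management Shell on the CAS/Hub server (hub1) unless noted.

# 1. New CSR carrying only public names: no hub1.domainname.local, no NETBIOS "hub1".
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.domain.com, O=Example Org, C=US" `
    -DomainName mail.domain.com, autodiscover.domain.com `
    -KeySize 2048 -PrivateKeyExportable $true `
    -Path C:\certs\mail_domain_com.req

# 2. After the CA returns the signed certificate, import it and bind it to IIS (CAS role).
#    The hub transport role keeps using the self-signed Exchange certificate, as Simon notes.
$cert = Import-ExchangeCertificate -Path C:\certs\mail_domain_com.cer
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS"

# 3. Check: the trusted certificate must contain no internal FQDN (.local) or single-label name.
$bad = (Get-ExchangeCertificate -Thumbprint $cert.Thumbprint).CertificateDomains |
    Where-Object { $_ -like '*.local' -or $_ -notmatch '\.' }
if ($bad) { throw "Internal names still present: $($bad -join ', ')" }

# 4. Split DNS (run on the Windows 2008 R2 DNS server, or prefix dnscmd with its name):
#    an internal copy of the public zone so mail.domain.com resolves to hub1's internal address.
dnscmd /ZoneAdd domain.com /DsPrimary
dnscmd /RecordAdd domain.com mail A 192.168.10.25
dnscmd /RecordAdd domain.com autodiscover A 192.168.10.25

# 5. Point every internal URL at the public name, so Outlook, OWA and ActiveSync clients stop
#    connecting as hub1.domainname.local (a name the new certificate no longer covers).
$base = "https://mail.domain.com"
Set-OwaVirtualDirectory         -Identity "hub1\owa (Default Web Site)" -InternalUrl "$base/owa"
Set-WebServicesVirtualDirectory -Identity "hub1\EWS (Default Web Site)" -InternalUrl "$base/EWS/Exchange.asmx"
Set-OABVirtualDirectory         -Identity "hub1\OAB (Default Web Site)" -InternalUrl "$base/OAB"
Set-ActiveSyncVirtualDirectory  -Identity "hub1\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$base/Microsoft-Server-ActiveSync"
Set-ClientAccessServer -Identity hub1 -AutodiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml"
```

Once the internal zone for domain.com exists, internal clients no longer see the public DNS for that zone, so any other public hosts (www, for example) need records in the internal copy as well.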
George Kesler

ASKER
Deepin,
I downloaded the digicert tool but for some reason it does not work on my hub transport server.
No error message, just exits before displaying anything.
It does run on other servers, but tells me to run on the hub...
Simon Butler (Sembee)

You almost certainly wouldn't use it on the server with the hub transport role, because the certificate doesn't contain internal server names.
On hub transport you will need to use internal Exchange generated SSL certificates. The trusted certificate would be used for the CAS role only.

Simon.
George Kesler

ASKER
In my case hub and CAS are one and the same.
I'm wondering if there is a way to tell why the digicert tool would not run at all (log file or command line switch for troubleshooting).
Simon Butler (Sembee)

Doesn't really matter.
The trusted certificate isn't installed to the hub transport role, it will continue to use an internally generated certificate.

Simon.
George Kesler

ASKER
Using the info from the first link and the Digicert tool it turned out to be an easy task.
Split DNS, thankfully, was already in place.