Exchange 2007 Certificates - Internal Names Will No Longer Be Trusted

When purchasing a SAN/UCC Certificate for Exchange 2007 a while back, I included two local names in it:
1. internal FQDN of your Exchange Server (hub1.domainname.local)
2. NETBIOS Name of your Server (hub1)
Now that internal names are not allowed anymore, I have to remove those.
My exchange setup consists of the following:
1. Mailbox1
2. Hub1
3. Edge1
4. BES
Hub1 is also the CAS for OWA, OutlookAnywhere, Activesync.
What is the best way to eliminate those local names from the certificates? The network is on a Windows 2008 R2 AD domain.
George Kesler asked:
Simon Butler (Sembee), Consultant, commented:
Simply reconfigure Exchange to use the public name internally and externally.
That will require split DNS and some modifications to the Exchange server.

For SMTP, you will need to continue to use a self-signed certificate, which you can generate from the Exchange server using New-ExchangeCertificate. You will then have to export it and import it into the Edge server to be accepted.

Will Szymkowski, Senior Solution Architect, commented:
I have just answered a question related exactly to this yesterday. Check out the PAQ here.

This will explain everything in detail.

George Kesler (Author) commented:
Will, not exactly, I need to eliminate the internal names from the new certificate which will require changes to DNS.
Simon, I'll need some time to digest your link...
Deepin, Infrastructure Engineer, commented:
Try this link - it's worked for me. They also have a tool which can do it for you as well.
Will Szymkowski, Senior Solution Architect, commented:
"Will, not exactly, I need to eliminate the internal names from the new certificate which will require changes to DNS"

You need to generate a new CSR and then add your new SAN names to the certificate. Once you have done this you import the cert into your Exchange server. Create a new DNS Zone and an A record for

You then update your internal url for all of your virtual directories, that's it.
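The steps from Simon's and Will's answers (public name used internally and externally, the trusted certificate bound to the CAS services only, a self-signed certificate kept for SMTP and exported for the Edge server, split DNS, and the internal URLs of the virtual directories repointed), put together as an Exchange Management Shell walkthrough. This is an added example, not code from the thread or from any of the participants. HUB1 and hub1.domainname.local come from the question; mail.example.com, autodiscover.example.com, the address 10.0.0.5, the organization name and the C:\certreq paths are assumptions. It goes a little beyond the thread in the DNS step: rather than creating an internal copy of the whole public domain (which would force you to maintain every public record twice), it creates one small zone per Exchange host name, so only those two names are overridden internally.

```powershell
# Added example (not from the thread). Exchange 2007 SP1 cmdlets, run in the
# Exchange Management Shell on HUB1 (Hub Transport + CAS). The dnscmd lines run
# on a Windows 2008 R2 domain controller / DNS server as a DNS administrator.

$PublicName       = 'mail.example.com'           # assumption: public CAS name
$AutodiscoverName = 'autodiscover.example.com'   # assumption
$Server           = 'HUB1'                       # from the question
$InternalFqdn     = 'hub1.domainname.local'      # from the question
$InternalIp       = '10.0.0.5'                   # assumption: LAN address of HUB1

# 1. Request a certificate that carries ONLY public names (no .local FQDN, no
#    NetBIOS name). -Path writes the CSR to a file in Exchange 2007.
New-ExchangeCertificate -GenerateRequest -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "CN=$PublicName, O=Example Org, C=US" `
    -DomainName $PublicName,$AutodiscoverName `
    -FriendlyName 'Exchange public SAN cert' `
    -Path 'C:\certreq\exchange.req'

# 2. After the CA issues it, import and bind it to the CAS services only.
#    SMTP is deliberately NOT in this list (see step 3).
$pubCert = Import-ExchangeCertificate -Path 'C:\certreq\exchange.cer'
Enable-ExchangeCertificate -Thumbprint $pubCert.Thumbprint -Services IIS,POP,IMAP

# 3. Hub Transport keeps a self-signed certificate for SMTP; internal names are
#    fine there because no public CA is involved. Export it so the same
#    Import-ExchangeCertificate / Enable-ExchangeCertificate -Services SMTP
#    can be run on EDGE1 to make the Hub-to-Edge session trusted.
$smtpCert = New-ExchangeCertificate -DomainName $InternalFqdn,$Server `
    -Services SMTP -FriendlyName 'Hub SMTP self-signed' -PrivateKeyExportable $true
$pfxPassword = Read-Host 'PFX password for the exported SMTP cert' -AsSecureString
Export-ExchangeCertificate -Thumbprint $smtpCert.Thumbprint -BinaryEncoded:$true `
    -Password $pfxPassword -Path 'C:\certreq\hub-smtp.pfx'

# 4. Repoint every internal URL at the public name so what Outlook/OWA/EAS
#    connect to matches a name that is actually in the trusted certificate.
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$PublicName/owa"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$PublicName/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$PublicName/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$PublicName/OAB"
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutodiscoverName/Autodiscover/Autodiscover.xml"
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" -ExternalHostname $PublicName

# 5. Split DNS with per-host zones: internal clients resolve the two Exchange
#    names to the LAN address; every other example.com record still comes from
#    public DNS because no zone named example.com exists internally.
dnscmd . /ZoneAdd $PublicName /DsPrimary
dnscmd . /RecordAdd $PublicName '@' A $InternalIp
dnscmd . /ZoneAdd $AutodiscoverName /DsPrimary
dnscmd . /RecordAdd $AutodiscoverName '@' A $InternalIp

# 6. Verify: the CA-issued cert should list only public names and serve IIS;
#    the SMTP cert should be the self-signed one with the internal names.
Get-ExchangeCertificate | Format-List Thumbprint,Services,CertificateDomains,IsSelfSigned
Get-OwaVirtualDirectory -Server $Server | Format-List Identity,InternalUrl,ExternalUrl
Test-OutlookWebServices | Format-Table Id,Type,Message -AutoSize
```

The order matters: keep the old certificate bound to IIS until the new one has been imported and enabled, otherwise OWA and ActiveSync go down in between. Change the internal URLs and DNS in the same maintenance window, because once the internal URLs name mail.example.com, internal clients can only reach it if the split-DNS zone already resolves that name to the LAN address.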

George Kesler (Author) commented:
I downloaded the digicert tool but for some reason it does not work on my hub transport server.
No error message, just exits before displaying anything.
It does run on other servers, but tells me to run on the hub...
Simon Butler (Sembee), Consultant, commented:
You almost certainly wouldn't use it on the server with the hub transport role, because the certificate doesn't contain internal server names.
On hub transport you will need to use internal Exchange generated SSL certificates. The trusted certificate would be used for the CAS role only.

George Kesler (Author) commented:
In my case hub and CAS are one and the same.
I'm wondering if there is a way to tell why the DigiCert tool would not run at all (log file or command-line switch for troubleshooting).
Simon Butler (Sembee), Consultant, commented:
Doesn't really matter.
The trusted certificate isn't installed to the hub transport role, it will continue to use an internally generated certificate.

George Kesler (Author) commented:
Using the info from the first link and the Digicert tool it turned out to be an easy task.
Split DNS, thankfully, was already in place.