Exchange 2007 Certificates - Internal Names Will No Longer Be Trusted

When purchasing a SAN/UCC Certificate for Exchange 2007 a while back, I included two local names in it:
1. internal FQDN of your Exchange Server (hub1.domainname.local)
2. NETBIOS Name of your Server (hub1)
Now that internal names are not allowed anymore (https://www.digicert.com/internal-names.htm) I have to remove those.
My exchange setup consists of the following:
1. Mailbox1
2. Hub1
3. Edge1
4. BES
Hub1 is also the CAS for OWA, OutlookAnywhere, Activesync.
What is the best way to eliminate those local names from the certificates? The network is on a Windows 2008 R2 AD domain.
George Kesler asked:

Simon Butler (Sembee), Consultant, commented:
Simply reconfigure Exchange to use the public name internally and externally.
That will require a split DNS and some modifications to the Exchange server.
http://semb.ee/hostnames2007

For SMTP, you will need to continue to use a self-signed certificate, which you can generate from the Exchange server using New-ExchangeCertificate. You will then have to export it and import it in the Edge server to be accepted.

Simon.

Will Szymkowski, Senior Solution Architect, commented:
I have just answered a question related exactly to this yesterday. Check out the PAQ here.
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_28641230.html

This will explain everything in detail.

Will.
George Kesler (Author) commented:
Will, not exactly, I need to eliminate the internal names from the new certificate which will require changes to DNS.
Simon, I'll need some time to digest your link...

Deepin, Infrastructure Engineer, commented:
Try this link; it worked for me. They also have a tool which can do it for you as well.

https://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm

https://www.digicert.com/util/
Will Szymkowski, Senior Solution Architect, commented:
"Will, not exactly, I need to eliminate the internal names from the new certificate which will require changes to DNS."

You need to generate a new CSR and then add your new SAN names to the certificate. Once you have done this you import the cert into your Exchange server. Create a new DNS Zone and an A record for mail.domain.com.

You then update your internal url for all of your virtual directories, that's it.

Will.
George Kesler (Author) commented:
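The procedure the two answers above describe (Simon's split DNS plus an Exchange-generated self-signed certificate for SMTP, Will's new CSR, internal zone and virtual-directory URLs), as an added PowerShell example that is not part of the original thread. It is written for the Exchange 2007 Management Shell on HUB1. The public name mail.example.com, the zone example.com, the internal address 192.0.2.10, the certificate file paths and the DNS server name dc1 are assumptions; hub1.domainname.local and hub1 are the internal names from the question and are deliberately left out of the request.

```powershell
# Added example, not from the thread. Exchange 2007 Management Shell on HUB1.
# Assumed: public host mail.example.com, zone example.com, internal IP
# 192.0.2.10, DNS server dc1, file paths under C:\certs. The .local names
# hub1.domainname.local and hub1 come from the question and must NOT appear
# in the public certificate request.

$publicHost   = 'mail.example.com'
$autodiscover = 'autodiscover.example.com'
$zone         = 'example.com'
$internalIp   = '192.0.2.10'
$cas          = 'HUB1'

# 1. New CSR carrying public names only. (Exchange 2010+: drop -Path and pipe
#    the output to Set-Content -Encoding Byte instead.)
New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
    -SubjectName "CN=$publicHost" `
    -DomainName $publicHost, $autodiscover `
    -PrivateKeyExportable $true `
    -Path 'C:\certs\mail-example-com.req'

# 2. When the CA returns the signed certificate, import it and bind it to the
#    client-facing services on the CAS role only. SMTP is intentionally not
#    in the list; it keeps the self-signed certificate created in step 5.
Import-ExchangeCertificate -Path 'C:\certs\mail-example-com.cer'
$publicCert = Get-ExchangeCertificate |
    Where-Object { -not $_.IsSelfSigned -and $_.CertificateDomains -contains $publicHost } |
    Select-Object -First 1
Enable-ExchangeCertificate -Thumbprint $publicCert.Thumbprint -Services IIS, POP, IMAP

# 3. Split DNS: an internal copy of the public zone so LAN clients resolve the
#    public name to the internal address. dnscmd is used because the DNS
#    server is Windows Server 2008 R2 (no DnsServer PowerShell module there).
dnscmd dc1 /ZoneAdd $zone /DsPrimary
dnscmd dc1 /RecordAdd $zone mail A $internalIp
dnscmd dc1 /RecordAdd $zone autodiscover A $internalIp

# 4. Point every URL Outlook, OWA and ActiveSync are handed at the public
#    name, so no client is ever directed to a hostname missing from the cert.
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -InternalUrl "https://$publicHost/owa" -ExternalUrl "https://$publicHost/owa"
Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$publicHost/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$publicHost/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "https://$publicHost/EWS/Exchange.asmx" `
    -ExternalUrl "https://$publicHost/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "https://$publicHost/OAB" -ExternalUrl "https://$publicHost/OAB"
Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" -ExternalHostname $publicHost
Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "https://$autodiscover/Autodiscover/Autodiscover.xml"

# 5. SMTP keeps an Exchange-generated self-signed certificate that still
#    carries the internal names. Export its public half so EDGE1 can trust it.
New-ExchangeCertificate -DomainName 'hub1.domainname.local', 'hub1' `
    -Services SMTP -FriendlyName 'HUB1 internal SMTP'
$smtpCert = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.CertificateDomains -contains 'hub1.domainname.local' } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$derType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
[IO.File]::WriteAllBytes('C:\certs\hub1-smtp.cer', $smtpCert.Export($derType))
# On EDGE1, after copying hub1-smtp.cer across:
#   certutil -addstore -f Root C:\certs\hub1-smtp.cer

# 6. Verify which certificate serves which protocol, and that the LAN now
#    resolves the public name internally.
Get-ExchangeCertificate |
    Format-Table Thumbprint, Services, IsSelfSigned, CertificateDomains -AutoSize
nslookup $publicHost
```

The public certificate ends up bound to IIS, POP and IMAP only, while the self-signed one stays on SMTP, which is the split Simon describes. Where EDGE1 is joined through an Edge Subscription, EdgeSync already replicates the Hub's self-signed certificate for Hub-to-Edge TLS, so the manual certutil step is only needed for an Edge that is not subscribed.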
Deepin,
I downloaded the digicert tool but for some reason it does not work on my hub transport server.
No error message, just exits before displaying anything.
It does run on other servers, but tells me to run on the hub...
Simon Butler (Sembee), Consultant, commented:
You almost certainly wouldn't use it on the server with the hub transport role, because the certificate doesn't contain internal server names.
On hub transport you will need to use internal Exchange generated SSL certificates. The trusted certificate would be used for the CAS role only.

Simon.
George Kesler (Author) commented:
In my case hub and CAS are one and the same.
I'm wondering if there is a way to tell why the digicert tool would not run at all (log file or command line switch for troubleshooting)
Simon Butler (Sembee), Consultant, commented:
Doesn't really matter.
The trusted certificate isn't installed to the hub transport role, it will continue to use an internally generated certificate.

Simon.
George Kesler (Author) commented:
Using the info from the first link and the Digicert tool it turned out to be an easy task.
Split DNS, thankfully, was already in place.