George Kesler (United States of America) asked:
Exchange 2007 Certificates - Internal Names Will No Longer Be Trusted

When purchasing a SAN/UCC Certificate for Exchange 2007 a while back, I included two local names in it:
1. internal FQDN of your Exchange Server (hub1.domainname.local)
2. NETBIOS Name of your Server (hub1)
Now that internal names are not allowed anymore (https://www.digicert.com/internal-names.htm) I have to remove those.
My exchange setup consists of the following:
1. Mailbox1
2. Hub1
3. Edge1
4. BES
Hub1 is also the CAS for OWA, OutlookAnywhere, Activesync.
What is the best way to eliminate those local names from the certificates? The network is on a Windows 2008 R2 AD domain.
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)
I have just answered a question related exactly to this yesterday. Check out the PAQ here.
https://www.experts-exchange.com/questions/28641230/Exchange-2007-Renew-Certificates.html

This will explain everything in detail.

Will.
George Kesler (ASKER):
Will, not exactly, I need to eliminate the internal names from the new certificate which will require changes to DNS.
Simon, I'll need some time to digest your link...
SOLUTION
Will, not exactly, I need to eliminate the internal names from the new certificate which will require changes to DNS.

You need to generate a new CSR and then add your new SAN names to the certificate. Once you have done this you import the cert into your Exchange server. Create a new DNS Zone and an A record for mail.domain.com.

You then update your internal url for all of your virtual directories, that's it.

Will.
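The steps Will lists above, written out as an added Exchange Management Shell example that is not part of this thread or of anyone's answer. It assumes the combined Hub/CAS is hub1, the internal AD domain is domainname.local, the public names are mail.domain.com and autodiscover.domain.com, and a split-DNS zone already resolves mail.domain.com to the internal address; the request path and the "Example Org" subject are placeholders.

```powershell
# Added example (Exchange 2007 SP1+ Management Shell); hub1, domainname.local,
# mail.domain.com and the C:\certreq paths are assumptions, not thread values.
$server     = "hub1"
$publicFqdn = "mail.domain.com"

# 1. Request a replacement SAN certificate carrying only public names.
#    hub1.domainname.local and the bare NETBIOS name hub1 are deliberately left out.
New-ExchangeCertificate -GenerateRequest `
    -Path "C:\certreq\mail.domain.com.req" `
    -SubjectName "c=US, o=Example Org, cn=$publicFqdn" `
    -DomainName $publicFqdn, "autodiscover.domain.com" `
    -PrivateKeyExportable $true

# 2. When the CA returns the signed certificate, import it and bind it to IIS only.
#    OWA, EWS, ActiveSync, OAB and Outlook Anywhere all ride on IIS; SMTP on the
#    Hub Transport role keeps its Exchange-generated self-signed certificate.
$cert = Import-ExchangeCertificate -Path "C:\certreq\mail.domain.com.cer"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 3. Point every internal URL at the public name, so internal Outlook and
#    ActiveSync clients validate against a SAN that is actually in the certificate.
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "https://$publicFqdn/owa"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$publicFqdn/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$publicFqdn/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$publicFqdn/OAB"
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://autodiscover.domain.com/Autodiscover/Autodiscover.xml"

# 4. Verify: inspect every certificate bound to IIS and flag any SAN that is a
#    .local name or has no dot (NETBIOS); those are the names a public CA now rejects.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | ForEach-Object {
    $c   = $_
    $bad = $c.CertificateDomains | Where-Object { $_ -like "*.local" -or $_ -notlike "*.*" }
    if ($bad) {
        Write-Warning ("{0} still carries internal names: {1}" -f $c.Thumbprint, [string]::Join(", ", $bad))
    } else {
        Write-Host ("{0} OK: {1}" -f $c.Thumbprint, [string]::Join(", ", $c.CertificateDomains))
    }
}
```

Run step 4 again after the old certificate is removed, and confirm from an internal client that Outlook's Test E-mail AutoConfiguration shows the public URLs with no certificate warning.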
Deepin,
I downloaded the digicert tool but for some reason it does not work on my hub transport server.
No error message, just exits before displaying anything.
It does run on other servers, but tells me to run on the hub...
You almost certainly wouldn't use it on the server with the hub transport role, because the certificate doesn't contain internal server names.
On hub transport you will need to use internal Exchange generated SSL certificates. The trusted certificate would be used for the CAS role only.

Simon.
In my case hub and CAS are one and the same.
I'm wondering if there is a way to tell why the digicert tool would not run at all (log file or command line switch for troubleshooting).
Doesn't really matter.
The trusted certificate isn't installed to the hub transport role, it will continue to use an internally generated certificate.

Simon.
Using the info from the first link and the Digicert tool it turned out to be an easy task.
Split DNS, thankfully, was already in place.