Exchange certificate not valid because UCC not issuing .local address

I have a Window 2011 SBS server and when we renewers our exchange security certificate through it no longer works because they no longer support using .local address in the SAN's.  I am looking for the step to setup split domain routing in Windows 2011 so that the certificate is valid inside the intranet and outside on the internet.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dave BaldwinFixer of ProblemsCommented:
This change is industry wide.  This page from Digicert mentions something about "internal names is in Exchange environments" at the bottom of the page.  Maybe that will help.
MASEE Solution Guide - Technical Dept HeadCommented:
Agree with Dave
Please check my article it will help you fix this.
EE  Technet
Cris HannaSr IT Support EngineerCommented:
You need to insure that you have SBS 2011 Update Rollup 4 installed, the regenerate the request for the cert and you'll be fine.
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Will SzymkowskiSenior Solution ArchitectCommented:
You need to do the following to get this working...
- Create a new CSR (on one of your CAS server/s)
- Cert needs to be SAN/UCC
- Add the following names to the DNS portion of the cert.,
- import the crt/cer file into the CAS server where you generated the CSR
- Make sure that the private key is exportable
- Run the following command on the Exchange server after you imported the cer/crt file
---Enable-ExchangeCertificate -Thumbprint xxxxxxxxxxxxxxxx -Service "pop,imap,smtp,iis"
- Export the certificate (with the private key) import the cert on any other CAS servers in your environment
- Run the Enable-ExchangeCertificate command again on each preceeding CAS server where the cert was installed
- Create a Zone on your internal DNS servers for
- Add an A (host) record for pointing to your CAS server (or load balancer IP)
- Update all of your Virtual Directories using
- You will use the for both Internal and External

Those are the high level steps that are required to accomplish split DNS for Exchange.

Cris HannaSr IT Support EngineerCommented:
For Will.
This is an SBS Server.  There is a wizard with creates the CSR for the poster.  Number one rule with SBS is use the Wizard.  But before UR4 it leaves the .local reference in there.  After UR4 the CSR will be compliant

For the author.  A UCC cert is not required for SBS in 99% of the cases.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Larry Struckmeyer MVPCommented:
Just adding +1 for Cris Hanna's answer.  SBS removed .local from the cert with rollup4 AND the most economical SSL cert works fine because SBS has programed the needed mods into the Wizard.  

But.. the UCC cert will work with the wizard if you already own one.
popeyedctsAuthor Commented:
With everything said, this is an SBS2011 and rollup4 just strips the .local from the cert. We have a cert from godaddy with the .com extension and need outlook anywhere to work. The issue seems to be that the SBS wizard will strip the .local from the certificate, removing the error but will not resolve the outside access.

How can I get the existing cert with the .com address to work for both internal and external?
Cris HannaSr IT Support EngineerCommented:
Sorry so long to reply back.
Where exactly are you having the issue?   In setting up Outlook Anywhere?    Have you installed the Godaddy intermediate cert?

If the only issue is Outlook Anywhere, knowing what version of Outlook and then the exact steps you're going through would be very helpful.
popeyedctsAuthor Commented:
The only other thing that we needed to do is create a SRV record because wasn't listed on the certificate.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.