Howzatt asked on
End of Life for *.Local SSL Certificates
Our Mail SSL certificate is up for renewal. It's a UCC for up to 5 domain names. This includes the internal & external domain names.
Our internal domain name is (domain-name).local
Apparently all the SSL providers around the world are no longer supporting *.local names, so as a result, our internal users are going to be prompted with errors in MS Outlook all the time about the SSL being out of date.
Does this mean we have to change our internal domain name before we can renew the UCC SSL certificate?
Obviously that would be opening up the biggest can of worms, so we would prefer to look at workarounds. This internal domain will be decommissioned within the next 12 months (merging into another company's domain). So if there is a workaround, that would be the best option for us.
ASKER CERTIFIED SOLUTION
You can make your own enterprise private CA and sign .local, .onion and any domain you want.
Well, actually you'll have two options:
* Change the URL your internal users use to access Exchange to a public domain name whose owner will authorize the SSL cert. The InternalUrl and all references to the .local URL in the Virtual Directories configured on Exchange need to change to reference the public hostname.
Or...
* Stop using certs from a public CA with your Exchange servers. You can create an internal CA using Windows certificate services.
Then, to provide access to your Exchange server externally, you can use a certificate from a public CA, but you may require a load balancer with SSL offload in front of your Exchange CAS servers to do so (except with E2013 or newer on Server 2012 R2, where SNI is an option; creating additional Virtual Directories may also be an option, but may be difficult to maintain operationally).
This is not recommended.
It is recommended to change the Internal URL for Exchange to be the public hostname, and that Exchange users reference the Public URL at all times, whether they are connected to the internal network or outside the office.
This may require DNS infrastructure changes to fully implement; it will just depend on how that is currently designed for your network.
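The following is an added example of the first option above (re-pointing the internal URLs at the public hostname) together with the check a practitioner would want first: which certificates and virtual directories still reference `.local`. It is not code from the thread or from Microsoft; it assumes the Exchange Management Shell on Exchange 2013 SP1 or later (the MAPI virtual directory and the Outlook Anywhere `-InternalHostname` parameter do not exist on older versions), and the server name `EXCH01`, the public hostname `mail.example.com`, the Autodiscover name `autodiscover.example.com` and the internal address `10.0.0.25` are placeholders. It runs in report-only mode until `$Apply` is set to `$true`.

```powershell
# Added example, not from the original thread. Placeholder values; replace with your own.
$Server         = 'EXCH01'                     # placeholder Exchange server name
$PublicHost     = 'mail.example.com'           # placeholder public hostname present on the UCC cert
$AutodiscHost   = 'autodiscover.example.com'   # placeholder Autodiscover name on the UCC cert
$InternalIP     = '10.0.0.25'                  # placeholder internal address of the CAS / load balancer
$Apply          = $false                       # $false = report only; $true = make the changes

# 1. Report every certificate on the server that still carries a .local Subject Alternative Name,
#    so you know which cert must be replaced and when it expires.
Get-ExchangeCertificate -Server $Server | ForEach-Object {
    $localSans = @($_.CertificateDomains | Where-Object { $_ -like '*.local' })
    if ($localSans.Count -gt 0) {
        Write-Warning ("Certificate {0} (services: {1}, expires {2:d}) has .local SANs: {3}" -f
            $_.Thumbprint, $_.Services, $_.NotAfter, ($localSans -join ', '))
    }
}

# 2. The InternalUrl each virtual directory should have once it points at the public hostname.
$targets = @{
    'Get-OwaVirtualDirectory'         = "https://$PublicHost/owa"
    'Get-EcpVirtualDirectory'         = "https://$PublicHost/ecp"
    'Get-OabVirtualDirectory'         = "https://$PublicHost/OAB"
    'Get-WebServicesVirtualDirectory' = "https://$PublicHost/EWS/Exchange.asmx"
    'Get-ActiveSyncVirtualDirectory'  = "https://$PublicHost/Microsoft-Server-ActiveSync"
    'Get-MapiVirtualDirectory'        = "https://$PublicHost/mapi"
}

foreach ($getCmdlet in $targets.Keys) {
    $setCmdlet = $getCmdlet -replace '^Get-', 'Set-'
    foreach ($vdir in (& $getCmdlet -Server $Server)) {
        $current = [string]$vdir.InternalUrl
        # Only touch directories whose InternalUrl still has a .local host part.
        if ($current -match '://[^/]*\.local(:|/|$)') {
            Write-Host ("{0}: {1} -> {2}" -f $vdir.Identity, $current, $targets[$getCmdlet])
            if ($Apply) {
                & $setCmdlet -Identity $vdir.Identity -InternalUrl $targets[$getCmdlet]
            }
        }
    }
}

# 3. Outlook Anywhere internal hostname and the Autodiscover SCP that domain-joined Outlook
#    clients read from Active Directory; both must also stop naming the .local host.
$oa = Get-OutlookAnywhere -Server $Server
if ($oa.InternalHostname -like '*.local') {
    Write-Host ("OutlookAnywhere: {0} -> {1}" -f $oa.InternalHostname, $PublicHost)
    if ($Apply) {
        Set-OutlookAnywhere -Identity $oa.Identity -InternalHostname $PublicHost -InternalClientsRequireSsl $true
    }
}
$cas = Get-ClientAccessServer -Identity $Server
if ([string]$cas.AutoDiscoverServiceInternalUri -match '\.local') {
    $scp = "https://$AutodiscHost/Autodiscover/Autodiscover.xml"
    Write-Host ("Autodiscover SCP: {0} -> {1}" -f $cas.AutoDiscoverServiceInternalUri, $scp)
    if ($Apply) {
        Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri $scp
    }
}

# 4. The DNS change the answer mentions: internal clients must resolve the public hostname to the
#    internal address. A single-name ("pinpoint") zone on the AD DNS servers does this without
#    taking over the whole public domain. Requires the DnsServer module (Server 2012 or later).
if ($Apply) {
    foreach ($name in @($PublicHost, $AutodiscHost)) {
        if (-not (Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue)) {
            Add-DnsServerPrimaryZone -Name $name -ReplicationScope 'Domain'
            Add-DnsServerResourceRecordA -ZoneName $name -Name '@' -IPv4Address $InternalIP
        }
    }
}
```

Run it once with `$Apply = $false` and keep the output as the change record; then run it with `$Apply = $true` on each CAS server, and recycle the Outlook clients (or wait for the next Autodiscover refresh) before confirming that the certificate warning is gone. After the switch, `Get-ExchangeCertificate` should show the renewed public UCC certificate bound to IIS and no certificate domain ending in `.local`.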