End of Life for *.Local SSL Certificates

Our Mail SSL certificate is up for renewal. It's a UCC for up to 5 domain names. This includes the internal & external domain names.

Our internal domain name is (domain-name).local
Apparently all the SSL providers around the world are no longer supporting *.local names, so as a result our internal users are going to be prompted with errors in MS Outlook all the time about the SSL being out of date.

Does this mean we have to change our internal domain name before we can renew the UCC SSL certificate?
Obviously that would be opening up the biggest can of worms, so we would prefer to look at workarounds. This internal domain will be decommissioned within the next 12 months (merging into another company's domain). So if there is a workaround, that would be the best option for us.
Howzatt asked:
Amit Kumar commented:
You just apply your certificates with the external domain and change internal DNS to point the .local URLs to the external domain's URL. It will not prompt for a certificate warning then.

You will have to keep the internal and external URLs with only the external domain on all CAS (OWA/ECP/Autodiscover/ActiveSync).

Mysidia commented:
You don't have to change the name of your internal AD forest. But if your users access Exchange by using an internal domain name, then you will have to change that.

Well, actually you'll have two options:

* Change the URL your internal users utilize to access Exchange to a public domain name whose owner will authorize the SSL cert. The InternalUrl and all references to the .local URL in the virtual directories configured on Exchange need to change to reference the public hostname.

Or...

* Stop using certs from a public CA with your Exchange servers. You can create an internal CA using Windows Certificate Services.

Then to provide access to your Exchange server externally, you can use a certificate from a public CA to do so, but you may require a load balancer with SSL offload in front of your Exchange CAS servers to do so (except if E2013 or newer on Server 2012 R2, where SNI is an option; also, creating additional virtual directories may be an option, but may be difficult to maintain operationally).

This is not recommended.

It is recommended to change the internal URL for Exchange to be the public hostname, and that Exchange users reference the public URL at all times, whether they are connected to the internal network or outside the office.

This may require DNS infrastructure changes to fully implement; it will just depend on how that is currently designed for your network.
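The procedure both Amit Kumar and Mysidia describe (repoint every Exchange virtual directory and the Autodiscover URI at the public hostname, then add split-brain DNS so internal clients resolve that hostname to the internal CAS address) looks like the following in the Exchange Management Shell. This is an added example, not code from either answer: `mail.example.com`, `CAS01`, the `Corp-Issuing-CA` and the address `10.0.0.25` are placeholders, and the `Set-OutlookAnywhere -InternalHostname` parameter assumes Exchange 2013 or newer (Exchange 2010 has only `-ExternalHostname`).

```powershell
# Added example: move Exchange client-access URLs from the .local name to the
# public hostname that the UCC certificate actually covers.
# Placeholders: mail.example.com (public name on the cert), CAS01 (CAS server).
$PublicHost = "mail.example.com"
$Server     = "CAS01"

# 1. Autodiscover: Outlook reads this URI from the SCP in Active Directory, so a
#    .local value here is the usual source of the certificate-name-mismatch prompt.
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$PublicHost/Autodiscover/Autodiscover.xml"

# 2. Every virtual directory: internal and external URL both on the public name.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$PublicHost/EWS/Exchange.asmx" `
    -ExternalUrl "https://$PublicHost/EWS/Exchange.asmx"

Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "https://$PublicHost/owa" -ExternalUrl "https://$PublicHost/owa"

Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "https://$PublicHost/ecp" -ExternalUrl "https://$PublicHost/ecp"

Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$PublicHost/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$PublicHost/Microsoft-Server-ActiveSync"

Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "https://$PublicHost/OAB" -ExternalUrl "https://$PublicHost/OAB"

# Outlook Anywhere (Exchange 2013+; 2010 only has -ExternalHostname).
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -InternalHostname $PublicHost -ExternalHostname $PublicHost `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true

# 3. Split-brain DNS (DnsServer module, run on an internal DNS server):
#    a pinpoint zone for just the public hostname, so internal clients get the
#    private CAS address and no other public records have to be duplicated.
#    10.0.0.25 is a placeholder for the CAS/load-balancer internal IP.
Add-DnsServerPrimaryZone -Name $PublicHost -ReplicationScope "Forest"
Add-DnsServerResourceRecordA -ZoneName $PublicHost -Name "@" -IPv4Address "10.0.0.25"

# 4. Verify nothing still hands Outlook a .local URL.
Get-ClientAccessServer -Identity $Server | Format-List AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | Format-List InternalUrl, ExternalUrl
Get-OwaVirtualDirectory -Server $Server | Format-List InternalUrl, ExternalUrl
Resolve-DnsName $PublicHost   # should return 10.0.0.25 from inside the network
```

Run `iisreset` (or recycle the MSExchangeAutodiscoverAppPool) afterwards and test with Outlook's "Test E-mail AutoConfiguration" so every returned URL is on the public hostname; any remaining `.local` entry is one that will still trigger the certificate prompt.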
gheist commented:
You can make your enterprise private CA and sign .local, .onion and any domain you want.
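The internal-CA route gheist and Mysidia's second option describe, as an added example that is not from the thread: generate the request on the Exchange server, have an AD CS enterprise CA issue it with the `.local` names as SANs, then bind it to IIS and SMTP. `corp.local`, `CAS01`, `CA01.corp.local\Corp-Issuing-CA`, the `WebServer` template name and the file paths are placeholders.

```powershell
# Added example: issue an Exchange certificate covering .local names from an
# internal AD CS enterprise CA. Run in the Exchange Management Shell on CAS01.
$Names = @("mail.corp.local", "cas01.corp.local", "autodiscover.corp.local")

# 1. Build the CSR; the first SAN is also the subject CN.
$Csr = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "C=US, O=Example Corp, CN=mail.corp.local" `
    -DomainName $Names -FriendlyName "Exchange internal (corp.local)"
Set-Content -Path "C:\certs\exchange.req" -Value $Csr

# 2. Submit to the enterprise CA (placeholder CA config string and template).
#    The template must allow server authentication and SAN from the request.
certreq -submit -config "CA01.corp.local\Corp-Issuing-CA" `
    -attrib "CertificateTemplate:WebServer" `
    "C:\certs\exchange.req" "C:\certs\exchange.cer"

# 3. Import the issued certificate to complete the pending request.
$Cert = Import-ExchangeCertificate -FileData `
    ([Byte[]](Get-Content -Path "C:\certs\exchange.cer" -Encoding Byte -ReadCount 0))

# 4. Bind it to the client-facing services and confirm what Exchange now serves.
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services IIS, SMTP
Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter, Issuer
```

Clients only stop prompting if they trust the issuing chain: domain-joined Windows machines pick up the enterprise CA root automatically through Active Directory, but phones, non-domain laptops and anyone connecting from outside will need the root distributed to them or, as Mysidia notes, a separate public certificate on whatever terminates TLS for external access.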