Exchange Certificates

We need to Renew Our Exchange Certificate and need advice on the following, the Domain is a .local, and I have heard that they are Phasing out Intranet Names with SAN Certs.

The server is a 2012 R2 Server, can anybody tell me what it is I need to do as our Cert Runs out on the 1st of November which is when I believe the phasing out begins


Miguel Angel Perez MuñozCommented:
You need to configure your CAS with the external hostname and set up split DNS to accommodate name resolution according to your requirements:
Then you only need to request a certificate with the external hostname, which works for both inside and outside connections.
Amish SanghrajkaCommented:
Hi John,

There is an alternative to implementing split DNS, and that is to set the internal hostname used by clients to be the same as the external hostname. You can then get a certificate for your external URL. All clients, both external and internal, will then resolve using the external hostname and therefore be covered by the SSL certificate.

If you can let me know which version of Exchange Server you are running I can give you more detailed instructions.

Kind regards,

pepps11976Author Commented:
I am running Exchange Server 2013

so you do not need to add the Server name to the certificate then?

Amish SanghrajkaCommented:
Hi John,

You would only have to add the external hostname on the certificate. However, I would also strongly suggest an additional SAN to cover Autodiscover.

This link provides thorough instructions on changing the internal and external URLs:

You will then need to create a CSR from Exchange Admin Center for your external hostname and autodiscover.

For example:
External Hostname:
Additional SAN:

Let me know if you have any further questions regarding this set up.

Kind regards,
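
The procedure described in the answer above (make the internal URLs match the external hostname, then request a certificate for the external name plus an Autodiscover SAN), as an added example for the Exchange Management Shell on Exchange 2013. This is not code from the thread or from Microsoft's documentation; the hostnames mail.example.com and autodiscover.example.com, the subject fields, and the file paths are assumptions to be replaced with your own values. Note that no .local name appears anywhere in the request.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell
# on the Exchange 2013 server. All names, paths and subject fields below are assumptions.
$Server   = $env:COMPUTERNAME
$HostName = 'mail.example.com'           # assumption: your public (external) hostname
$AutoD    = 'autodiscover.example.com'   # assumption: the additional Autodiscover SAN

# Step 1: point every client-facing virtual directory's InternalUrl at the same public
# hostname as its ExternalUrl, so a certificate for the public name covers both paths.
Get-OwaVirtualDirectory -Server $Server |
    Set-OwaVirtualDirectory -InternalUrl "https://$HostName/owa" -ExternalUrl "https://$HostName/owa"
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "https://$HostName/ecp" -ExternalUrl "https://$HostName/ecp"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "https://$HostName/EWS/Exchange.asmx" -ExternalUrl "https://$HostName/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "https://$HostName/Microsoft-Server-ActiveSync" -ExternalUrl "https://$HostName/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "https://$HostName/OAB" -ExternalUrl "https://$HostName/OAB"
Get-OutlookAnywhere -Server $Server |
    Set-OutlookAnywhere -InternalHostname $HostName -ExternalHostname $HostName `
        -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM

# Autodiscover is the one URI not on a virtual directory; it lives on the CAS object.
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$AutoD/Autodiscover/Autodiscover.xml"

# Step 2: generate the CSR. Only the two public names go in; the server name and the
# .local domain are deliberately left out because public CAs no longer issue for them.
$req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 `
    -SubjectName "CN=$HostName, O=Example Ltd, C=GB" `
    -DomainName $HostName, $AutoD `
    -FriendlyName 'Exchange 2013 public certificate'
New-Item -ItemType Directory -Path 'C:\certreq' -Force | Out-Null
[IO.File]::WriteAllBytes('C:\certreq\exchange.req', [Text.Encoding]::Unicode.GetBytes($req))

# Step 3, after the CA returns the signed certificate (assumed saved as C:\certreq\signed.cer):
# import it, then bind it to IIS and SMTP and confirm the SANs before the old one expires.
# Import-ExchangeCertificate -Server $Server -FileData ([Byte[]](Get-Content -Path 'C:\certreq\signed.cer' -Encoding Byte -ReadCount 0))
# Get-ExchangeCertificate -Server $Server |
#     Where-Object { $_.Subject -like "CN=$HostName*" -and $_.Status -eq 'Valid' } |
#     Enable-ExchangeCertificate -Services IIS, SMTP -Confirm:$false
# Get-ExchangeCertificate -Server $Server | Select-Object Thumbprint, NotAfter, Services, CertificateDomains
```

Run the virtual-directory changes first and then `iisreset` (or wait for the app pools to recycle) before testing, and keep the old certificate bound until the new one shows `Status Valid` and is enabled for IIS; Outlook clients that still have the .local name cached will reconfigure themselves once Autodiscover hands them the new URLs.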

Miguel Angel Perez MuñozCommented:
Using the external hostname on the inside could cause firewall connection problems. Some firewalls do not allow connections from inside to inside via the outside interface (looping from inside to inside).

Ensure your network policy lets this configuration.
pepps11976Author Commented:
OK guys, I have the following in my SAN cert

The certificate is issued to

and I have the following Subject Alternative Names included

Mail  = the name of the server
Hosting.domain.local is the domain name

Whenever I have manually set up the clients in the past I have always had to add the server name "mail", but I will not be able to add that as it is internal, i.e. mail.domain.local

pepps11976Author Commented:
Can I also ask why I would need an additional cert for Autodiscover? Could I not just add it to the SAN as an alternative name, as above?
Miguel Angel Perez MuñozCommented:
Why do you need those alternative names? Exchange only requires autodiscover and, if you wish, something like webmail and mail. Optionally you can ask for a wildcard certificate, with only one name: * to secure your Exchange and whatever else you want.
Jeff GloverSr. Systems AdministratorCommented:
Your certificate just needs to drop the .local names. Then you need to update the internal URLs for your virtual directories to the same as the external name. You already have in the cert so you are fine there. You just need to set the Autodiscover internal URI to use that instead of the .local name. Lastly, you do need split-brain DNS. You need to make a copy of your external domain and host it internally. It can be an AD-integrated zone or a standard primary depending on your setup. Make sure any externally hosted sites are included in the zone so your internal clients can get to them. Otherwise, your internal clients will try to use the external address, and that leads to hairpinning a firewall, which almost never works. Set the internal zone webmail and autodiscover records to use the internal IPs of your Exchange server or load balancer VIP.
You can also get a wildcard cert. It works with Exchange. You would need to look at the cost of each. It can be a benefit if you have other sites hosted with your external domain name (except Lync/Skype for Business; they do not like wildcards).
And your new cert really only needs and in it unless you are securing SMTP or have separate URLs for POP3 and IMAP.

Amish SanghrajkaCommented:
lvjeff is right. Looking into this further you will need to have split brain DNS to avoid issues with internal clients resolving to the server after you change the internal URIs on Exchange.
pepps11976Author Commented:
So split DNS meaning forward lookup zones to point internal clients to the external names so there are no Cert Issues?
Amish SanghrajkaCommented:
You can create new zones for and and then create a new A record in each for the root to point to the local IP for your exchange server. This saves you from having to create a zone for and adding host records for externally hosted sites.
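
The split-DNS setup from the two answers above (Jeff's: host the public names internally pointing at the internal IP; Amish's variant: one small zone per hostname so externally hosted sites need not be duplicated), as an added example in PowerShell for the Windows Server 2012 R2 DNS role, followed by the two checks a practitioner would run afterwards. This is not code from the thread; the names mail.example.com and autodiscover.example.com, the internal address 192.168.10.25 and the unrelated www record are assumptions.

```powershell
# Added example, not from the original thread. Run on a domain controller / DNS server
# with the DnsServer module (Windows Server 2012 R2). Names and addresses are assumptions.
$InternalIp = '192.168.10.25'                               # assumption: Exchange server or load balancer VIP
$Names      = 'mail.example.com', 'autodiscover.example.com' # assumption: exactly the names on the certificate

foreach ($name in $Names) {
    # One AD-integrated zone per hostname. Because the zone is the hostname itself,
    # every other example.com record (www, the public MX, etc.) still resolves through
    # the public DNS, so nothing externally hosted has to be copied into an internal zone.
    if (-not (Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $name -ReplicationScope Domain -DynamicUpdate Secure
    }
    # The zone apex ("@") record is the hostname; a short TTL makes the cutover reversible.
    Add-DnsServerResourceRecordA -ZoneName $name -Name '@' -IPv4Address $InternalIp -TimeToLive (New-TimeSpan -Minutes 5)
}

# Check 1 (from an internal client): the two Exchange names must come back with the
# internal address, while an unrelated public record for the same domain still resolves
# via the Internet. If www.example.com fails here, the zone was cut too wide.
Clear-DnsClientCache
foreach ($name in $Names) { Resolve-DnsName -Name $name -Type A | Select-Object Name, IPAddress }
Resolve-DnsName -Name 'www.example.com' -Type A | Select-Object Name, IPAddress   # assumption: a site not hosted on Exchange

# Check 2 (from an internal client): the certificate actually presented on 443 is the new
# one, it is valid against the public hostname, and its SAN list contains no .local name.
$target = $Names[0]
$tcp = New-Object Net.Sockets.TcpClient($target, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $e -eq 'None' })
try {
    $ssl.AuthenticateAsClient($target)   # throws if the name or chain does not validate
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Subject : $($cert.Subject)"
    "Expires : $($cert.NotAfter)"
    $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($san) { "SANs    : $($san.Format($false))" }
    if ($san -and $san.Format($false) -match '\.local') { Write-Warning 'Certificate still carries a .local name' }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

The validation callback above rejects any chain error, so a mismatch between the name on the certificate and the name the client used shows up as an exception rather than a silent pass; that is the same check Outlook performs, which is why the internal URLs and the DNS records must agree with the certificate exactly.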