Paul Wagner
asked on
Using Private Domain SSL and Public Domain SSL - Exchange 2010
Hi EE peeps!
So, now that we're no longer allowed to get our private domains SSL certified by GoDaddy, I have run into a problem.
My new certificate with GD secures:
mail.domain.com
autodiscover.domain.com
My internal CA secures:
exchange.domain.local
Users are getting errors saying:
The name on the security certificate is invalid or does not match the name of the site.
This is because users are getting the GD cert since that is the cert bound with IIS and SMTP, but the Outlook profile is configured for exchange.domain.local. I am afraid to give IIS and SMTP to the exchange.domain.local cert because that would give errors to external users, mobile devices, etc., right?
How do I certify internal and external users? Am I asking the right question(s)?
Should I just change the internal names to the external?
https://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm
Did you create a new Forward Lookup Zone which matches mydomain.com? You need to have this in place and then point mail.mydomain.com and autodiscover.mydomain.com to your internal IP address of your CAS server.
Will.
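To check whether the name mismatch is coming from a URL the server hands out that is not on the bound certificate, and then repoint the internal URLs at the public names as the DigiCert article and Will's split-DNS approach describe, here is an added Exchange 2010 Management Shell example (not code from the thread). It assumes a CAS named EXCHANGE, the names from the question (mail.domain.com, autodiscover.domain.com) and an internal CAS address of 10.0.0.10.

```powershell
# Added example, not part of the original thread. Run in the Exchange 2010 Management Shell.
$Server     = "EXCHANGE"           # assumption: NetBIOS name of the CAS
$PublicFqdn = "mail.domain.com"    # name on the GoDaddy certificate
$InternalIp = "10.0.0.10"          # assumption: internal IP of the CAS

# 1. Split DNS: internal copy of the public zone so mail/autodiscover resolve to the CAS
#    (skip if the forward lookup zone already exists, as in the asker's case).
dnscmd . /ZoneAdd domain.com /Primary /file domain.com.dns
dnscmd . /RecordAdd domain.com mail A $InternalIp
dnscmd . /RecordAdd domain.com autodiscover A $InternalIp

# 2. Read-only check: which host names are on the certificate bound to IIS?
$iisCert   = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
$certNames = $iisCert.CertificateDomains
Write-Host "IIS certificate covers: $($certNames -join ', ')"

# 3. Read-only check: every URL Outlook/Autodiscover clients are told to use
$urls = @(
    (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
    (Get-WebServicesVirtualDirectory -Server $Server).ExternalUrl
    (Get-OABVirtualDirectory -Server $Server).InternalUrl
    (Get-OABVirtualDirectory -Server $Server).ExternalUrl
    (Get-ActiveSyncVirtualDirectory -Server $Server).InternalUrl
    (Get-ActiveSyncVirtualDirectory -Server $Server).ExternalUrl
)
foreach ($u in ($urls | Where-Object { $_ })) {
    $h = ([Uri]$u).Host
    if ($certNames -notcontains $h) {
        # A host name here that is not on the cert is exactly what produces
        # "The name on the security certificate is invalid or does not match..."
        Write-Warning "$u is not covered by the IIS certificate"
    }
}

# 4. Fix: point the internal URLs at the public names (the change the DigiCert article describes)
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://autodiscover.domain.com/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$PublicFqdn/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "$Server\OAB (Default Web Site)" -InternalUrl "https://$PublicFqdn/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$PublicFqdn/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" -InternalUrl "https://$PublicFqdn/owa"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" -InternalUrl "https://$PublicFqdn/ecp"
```

Steps 2 and 3 change nothing and can be run first to confirm the diagnosis; after step 4, run the same checks again and every warning should be gone.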
ASKER
Yes, that is already happening. From the intranet, when I ping mail and autodiscover, it goes to the internal IP of Exchange.
ASKER
What are the impacts to users by doing this? They will have to rebuild their Outlook profile?
Good article, btw.