Matthew Cioffi
asked on
Certificates for Exchange 2010
Hello everyone,
I'm outside my comfort zone here with certificates. It is not something I have had to deal with very often. So I may be asking some very basic questions confuddled by my lack of knowledge.
In Exchange server config there are several certs listed. Some are self-signed TRUE and a couple FALSE. That is confusing as we never purchased anything. They should all be self-signed. I tried to renew one of the certs but it kept asking for the REQ file. I did not have one. The instructions I found on TechNet did not indicate how to generate this file.
I created a new cert, then assigned all the services to it. Outlook is still having issues. Some iPhones seem to be having issues.
So what I would like to do is start clean if possible. Can I shut down Exchange for a short time, remove all certs and create new self-signed certs for internal and external connections? 3rd party for external will be expensive for us. I have been told we need a wildcard, UCC cert; this will be 565 a year if we purchase it for 3 years. That is more than the business owner wants to spend right now. I would prefer getting a 3rd party cert, but we have been using the original self-signed ones since Exchange was configured.
So I need help to make sure Exchange is configured properly, and that the certs work for mobile devices and for internal Exchange. Should we change the external DNS to something else and configure the phones differently? I'm willing to make those changes if it will solve the bulk of our issues.
I understand this is probably a lot of work, but I need to get this all set up correctly so I can figure out if there are other issues happening as well.
ASKER
-MAS was on the right track, I had additional issues that had to be resolved along the way.
In regards to using a UCC/SAN certificate, this is not *required* for Exchange. You can use a certificate with a single name, you just have to change the way autodiscover's DNS records are configured. Specifically, you can change from using an autodiscover.domain.com record for Autodiscover to using a SRV record. https://acbrownit.com/2012/12/20/internal-dns-and-exchange-autodiscover/ explains why and how to use this. If you use a SRV record, it allows Autodiscover to look up the settings using mail.domain.com instead of autodiscover.domain.com (which is a default). This will result in significantly less work for you, because using a self-signed certificate will result in an error message every time users open Outlook, which can only be removed by installing the Self-Signed Certificate as a Trusted Root Authority certificate on each client computer that connects to Exchange (This is a lot of work, especially if people are allowed to connect using outlook on non-domain computers).
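As an added illustration of the single-name-certificate approach described above (this is example code, not part of the original thread or any poster's answer), the following Exchange Management Shell session generates the .req file the renewal wizard asks for, binds the returned certificate, and publishes the Autodiscover SRV record. Names such as mail.example.com, example.com and the C:\certs paths are placeholders; the DNS cmdlet assumes the DnsServer PowerShell module on a Windows Server 2012 or later DNS server.

```powershell
# Added example, not from the original thread. Placeholders: mail.example.com,
# example.com, C:\certs\*. Run in the Exchange Management Shell on the CAS role.

# 1. Generate a certificate request for a single name. The string returned is
#    the .req (CSR) file that the renewal wizard was asking for. Keeping the
#    private key exportable lets the cert be moved to another server later.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.example.com, O=Example Ltd, C=US" `
    -DomainName "mail.example.com" `
    -PrivateKeyExportable $true `
    -FriendlyName "mail.example.com"
Set-Content -Path "C:\certs\mail.example.com.req" -Value $csr

# (Alternative for a purely internal, self-signed cert: drop -GenerateRequest
#  and New-ExchangeCertificate creates and installs the cert directly. Clients
#  will warn unless they trust it, as the answer above points out.)

# 2. Import the certificate returned by the CA and bind the web and SMTP
#    services to it by thumbprint.
$bytes = [byte[]](Get-Content -Path "C:\certs\mail.example.com.cer" -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 3. Publish the Autodiscover SRV record (assumption: DnsServer module on the
#    DNS server). Clients then contact mail.example.com, a name the single-name
#    cert covers, instead of autodiscover.example.com, which it does not.
Add-DnsServerResourceRecord -Srv -ZoneName "example.com" -Name "_autodiscover._tcp" `
    -DomainName "mail.example.com" -Priority 0 -Weight 0 -Port 443

# 4. Check which certificates Exchange now holds, which one is bound to IIS,
#    and whether Autodiscover and EWS answer for a test mailbox.
Get-ExchangeCertificate | Format-Table Thumbprint, IsSelfSigned, Services, CertificateDomains -AutoSize
Test-OutlookWebServices -Identity "user@example.com"
```

Only the record for _autodiscover._tcp.example.com needs to exist in the external zone for this to work; leave the old autodiscover.example.com A record out so clients do not try that name first and hit a certificate mismatch.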