Borland dBase III Plus (Hong Kong) asked:

Certificate issues of Exchange Server

Hi

There is a certificate issue with Exchange Server 2016.

Our internal Active Directory (Windows 2016) domain name is test.net and the external domain name is aisa.com.

There are two email domains for some users: @aisa.com and @hkhk.com.

98% of users have @asia.com as their default email domain. 2% of users have @hkhk.com as their default email domain and also have an @asia.com address.


For example:

Thomas: thomas@asia.com

Eva: eva@hkhk.com (default email address) and eva@asia.com (one user mailbox contains two email addresses)


All internal and external clients (Outlook, Mac Mail, iPhone, Android and OWA) connect to the Exchange Server using the name hkexchange.aisa.com.

The existing Exchange Server certificate is self-signed (issued by our internal CA) and is installed on all Exchange servers. The certificate includes the following subject names:

ex01.test.net
ex02.test.net
ex03.test.net
hkexchange.aisa.com
autodiscover.aisa.com

hkhk.com

There is one question:
If I want to purchase a new certificate for Exchange Server from a public CA, which subject names need to be included in the new certificate?

My friend's company has the same environment as mine. He says it only needs to contain the subject names hkexchange.aisa.com and autodiscover.aisa.com, and does not need to contain the subject name hkhk.com in the new certificate.

However, I asked GoDaddy customer service. They say the new certificate needs to contain the subject names hkexchange.aisa.com, autodiscover.aisa.com and hkhk.com. I asked what the subject name for hkhk.com should be: autodiscover.hkhk.com? They did not know. I worry that a wrong or missing subject name will cause users to be unable to access Outlook or receive/send email.

I just did a test: I added a new email address thomas@abcde.com and set it as my default email address (two email addresses in the mailbox: thomas@abcde.com and thomas@aisa.com). I tried to add my email account on an Android mobile and restarted my Outlook. I can send email to internal users and can receive incoming email. It seems okay. However, after 1 hour, Outlook popped up a request asking me to accept a certificate for autodiscover.abcde.com. I have not created this certificate before. It seems there is a problem.


Can anyone help me?


Best Regards,

Thomas   

Tags: Exchange, Active Directory, Windows OS
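The certificate prompt for autodiscover.abcde.com in the test above is the expected result of Outlook's Autodiscover lookup order: after the SCP lookup in Active Directory, Outlook tries https://&lt;smtp-domain&gt;/autodiscover/autodiscover.xml, then https://autodiscover.&lt;smtp-domain&gt;/autodiscover/autodiscover.xml (plus an HTTP redirect check on the same host), and finally the target of an _autodiscover._tcp.&lt;smtp-domain&gt; SRV record. Whichever of those names resolves to a server answering on 443 must be covered by that server's certificate. The following added example, which is not part of the original post, reproduces that probe list for each SMTP domain and reports which probed names a proposed SAN list does not cover. The domains, SAN list and SRV table are constructed from this thread; for a live check replace the table with the Resolve-DnsName call shown in the comment.

```powershell
# Added example (not from the original post). Reproduces the hostnames an
# Outlook client probes for Autodiscover for a given SMTP domain and checks
# which of them a certificate's Subject Alternative Names cover.

function Get-AutodiscoverProbeHosts {
    param(
        [Parameter(Mandatory)] [string]$SmtpDomain,
        # Constructed SRV lookup table: '_autodiscover._tcp.<domain>' -> target host.
        # Live equivalent: (Resolve-DnsName "_autodiscover._tcp.$SmtpDomain" -Type SRV).NameTarget
        [hashtable]$SrvTable = @{}
    )
    # Order Outlook uses after the SCP lookup: the SMTP domain itself,
    # autodiscover.<domain> (HTTPS, then the HTTP redirect check), then the SRV target.
    $probes = @($SmtpDomain, "autodiscover.$SmtpDomain")
    $srvName = "_autodiscover._tcp.$SmtpDomain"
    if ($SrvTable.ContainsKey($srvName)) { $probes += $SrvTable[$srvName] }
    return $probes
}

function Test-SanCoversHost {
    param([string[]]$SanNames, [string]$HostName)
    foreach ($san in $SanNames) {
        if ($san -ieq $HostName) { return $true }
        # A wildcard SAN matches exactly one left-most label and never the apex (RFC 6125).
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)   # ".aisa.com"
            if ($HostName.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Get-CertificateNameGaps {
    param([string[]]$SmtpDomains, [string[]]$SanNames, [hashtable]$SrvTable = @{})
    $gaps = @()
    foreach ($domain in $SmtpDomains) {
        foreach ($probe in Get-AutodiscoverProbeHosts -SmtpDomain $domain -SrvTable $SrvTable) {
            if (-not (Test-SanCoversHost -SanNames $SanNames -HostName $probe)) {
                $gaps += [pscustomobject]@{ SmtpDomain = $domain; ProbedHost = $probe }
            }
        }
    }
    return $gaps
}

# Constructed sample: the SAN list the asker's friend proposed, the three SMTP
# domains from the thread, and an SRV record published only for hkhk.com that
# points back at the already-covered autodiscover.aisa.com name.
$san = @('hkexchange.aisa.com', 'autodiscover.aisa.com')
$srv = @{ '_autodiscover._tcp.hkhk.com' = 'autodiscover.aisa.com' }
Get-CertificateNameGaps -SmtpDomains @('aisa.com', 'hkhk.com', 'abcde.com') -SanNames $san -SrvTable $srv |
    Format-Table -AutoSize
```

With the constructed input the report lists aisa.com, hkhk.com, autodiscover.hkhk.com, abcde.com and autodiscover.abcde.com as probed names not on the certificate. A listed name only matters if it actually resolves: a probe whose DNS lookup fails is skipped silently by Outlook, while a probe that resolves to a host presenting a certificate for some other name produces exactly the prompt seen in the test. The SRV target, by contrast, is covered here, which is why a correctly pointed SRV record lets the secondary domains reuse the names already on the certificate.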

Last comment: David Favor, 8/22/2022 (Mon)
arnold

The short answer is that you need to include all the names that you use to access it.

The certificate deals with covering the connection requests.
You could point
if you are setting up autodiscover

When creating a certificate request you have the Subject, the primary hostname on the certificate.
Then you have the Subject Alternative Names:
DNS=anothername
DNS=yetanotherone

What this achieves is that the same certificate can secure multiple hostnames.

View your existing certificate, then navigate through the Detail tab to get a better understanding.

Since this is Exchange, there are additional functionality options you have to include for the certificate not to be rejected by Exchange.


Plan ahead.
You could create, in each zone of your domains, references to the configuration.
Note that @ represents the domain where the record is added.
_autodiscover._tcp.@ IN SRV 0 0 443 autodiscover.asia.com.

Once added, a user entering their email address in either domain will be led back to your Exchange server for the configuration.
To get the request for a public certificate
https://docs.microsoft.com/en-us/Exchange/architecture/client-access/create-ca-certificate-requests?view=exchserver-2019#:~:text=Create%20a%20New%20Certificate%20Request%20in%20Outlook%201,the%20certificate%2C%20and%20then%20click%20Next.%20See%20More.



Since the need for multiple hosts will require the use of the more expensive certificate, you might as well include more hostnames that you might not use in the end than too few and run into issues.

Does your Exchange allow IMAP access for those who do not have Outlook? async? etc.
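The procedure in the answer above (collect the names clients use, put the primary one in the Subject and the rest in the SAN list, publish an _autodiscover._tcp SRV record per email domain, then request the certificate) can be run end to end from the Exchange Management Shell. The following is an added example, not the answer's own code and not Microsoft's documentation: it enumerates the hostnames Exchange 2016 publishes on its virtual directories, checks the SRV record of every accepted domain, builds the SAN list, generates the request with New-ExchangeCertificate, and shows the import, enable and copy-to-other-servers steps once the CA returns the certificate. Server name EX01, the organisation details in the subject, the file paths and the internal suffix .test.net are placeholders assumed for this environment. One caveat a public CA will enforce: names that are not publicly resolvable, such as ex01.test.net on the current internal certificate, cannot be included on a publicly trusted certificate (CA/Browser Forum baseline requirements), so the script filters them out and only the public names go into the request.

```powershell
# Added example (not from the original answer). Run in the Exchange Management
# Shell on one Exchange 2016 server. EX01, the subject details, the file paths
# and the .test.net internal suffix are placeholders for this environment.

$names = [System.Collections.Generic.List[string]]::new()

# Normalise URLs (Uri objects) and plain hostnames (Hostname objects) to a
# lower-case hostname and record each one once.
function Add-HostName([object]$Value) {
    foreach ($v in @($Value)) {
        if (-not $v) { continue }
        $s = "$v"
        $h = if ($s -match '^https?://') { ([uri]$s).Host } else { $s }
        if ($h -and -not $names.Contains($h.ToLower())) { $names.Add($h.ToLower()) }
    }
}

# 1. Every name Exchange hands to clients must be on the certificate.
Add-HostName (Get-ClientAccessService).AutoDiscoverServiceInternalUri
$oa = Get-OutlookAnywhere
Add-HostName $oa.ExternalHostname
Add-HostName $oa.InternalHostname
foreach ($cmd in 'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
                 'Get-OabVirtualDirectory', 'Get-OwaVirtualDirectory',
                 'Get-EcpVirtualDirectory', 'Get-MapiVirtualDirectory') {
    $vdirs = & $cmd
    Add-HostName $vdirs.InternalUrl
    Add-HostName $vdirs.ExternalUrl
}

# 2. For each accepted email domain, Outlook follows the SRV record target; that
#    target name must be on the certificate. Warn where no SRV record exists,
#    because Outlook will then probe <domain> and autodiscover.<domain> instead.
foreach ($d in (Get-AcceptedDomain).DomainName) {
    $srv = Resolve-DnsName -Name "_autodiscover._tcp.$d" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if ($srv) { Add-HostName $srv.NameTarget }
    else { Write-Warning "No _autodiscover._tcp SRV record for $d; Outlook will probe $d and autodiscover.$d" }
}

# 3. A public CA will not issue for internal AD names, so drop them from the request.
$internalSuffix = '.test.net'   # placeholder: the AD forest's DNS suffix
$public = $names | Where-Object { -not $_.EndsWith($internalSuffix) } | Sort-Object
Write-Host "Names going into the request:`n$($public -join "`n")"

# 4. Generate the request: primary name in the Subject, all names as SANs.
$primary = 'hkexchange.aisa.com'
$txtrequest = New-ExchangeCertificate -Server EX01 -GenerateRequest -FriendlyName 'Exchange public cert' `
    -SubjectName "C=HK,O=Example Ltd,CN=$primary" -DomainName $public -PrivateKeyExportable $true
[System.IO.File]::WriteAllBytes('C:\certreq\exchange.req',
    [System.Text.Encoding]::Unicode.GetBytes($txtrequest))

# 5. After the CA returns exchange.cer: import, bind to IIS and SMTP, then copy the
#    certificate with its private key to the other servers and enable it there too.
$thumb = (Import-ExchangeCertificate -Server EX01 `
            -FileData ([System.IO.File]::ReadAllBytes('C:\certreq\exchange.cer'))).Thumbprint
Enable-ExchangeCertificate -Server EX01 -Thumbprint $thumb -Services IIS,SMTP
$pw  = Read-Host -AsSecureString 'PFX password'
$pfx = Export-ExchangeCertificate -Server EX01 -Thumbprint $thumb -BinaryEncoded -Password $pw
[System.IO.File]::WriteAllBytes('C:\certreq\exchange.pfx', $pfx.FileData)
foreach ($srvName in 'EX02', 'EX03') {
    Import-ExchangeCertificate -Server $srvName -Password $pw `
        -FileData ([System.IO.File]::ReadAllBytes('C:\certreq\exchange.pfx')) | Out-Null
    Enable-ExchangeCertificate -Server $srvName -Thumbprint $thumb -Services IIS,SMTP
}
```

Run steps 1 to 3 first and read the warnings: an accepted domain without an SRV record (or with one pointing at a name that is not in the list) is exactly where the names on the certificate and the names clients probe drift apart. Step 5 replaces the binding on each server; keep the old internal certificate installed until every server has the new one enabled so clients never hit a server with no matching certificate.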
ASKER CERTIFIED SOLUTION
DEMAN-BARCELO (MVP) Thierry
(Answer text not available on this page: it is hidden behind the site's membership wall.)
David Favor

1) Use free https://LetsEncrypt.org certs.

2) Create one cert for each Exchange instance.

3) https://www.experts-exchange.com/questions/29178012/Exporting-a-UCC-SSL-to-a-Windows-Apache-Web-Server-and-Configuring-Apache-to-use.html provides details about the initial cert setup plus hands-free, automatic renewal of the cert forever.