Borland dBase III Plus (Hong Kong) asked:

Certificate issues of Exchange Server

Hi

There is a certificate issue with Exchange Server 2016.

Our internal Active Directory (Windows 2016) domain name is test.net and the external domain name is aisa.com.

There are two email domains for some users: @aisa.com and @hkhk.com.

For 98% of users the default email domain is @asia.com. For 2% of users the default email domain is @hkhk.com, and they also have an email address in @asia.com.

For example:

Thomas: thomas@asia.com

Eva: eva@hkhk.com (default email address) and eva@asia.com (one user mailbox contains two email addresses)

All internal and external clients (Outlook, Mac Mail, iPhone, Android and OWA) connect to Exchange Server using the name hkexchange.aisa.com.

The existing certificate of Exchange Server is self-signed with an internal CA, and the self-signed certificate is installed on all Exchange servers. The certificate includes the following subject names:

ex01.test.net
ex02.test.net
ex03.test.net
hkexchange.aisa.com
autodiscover.aisa.com
hkhk.com

There is one question:
If I want to purchase a new certificate for Exchange Server from a public CA, which subject names need to be included in the new certificate?

My friend's company is the same as my environment; he says it only needs to contain the subject names hkexchange.aisa.com and autodiscover.aisa.com, and does not need to contain the subject name hkhk.com in the new certificate.

However, I asked GoDaddy customer service. They say the new certificate needs to contain the subject names hkexchange.aisa.com, autodiscover.aisa.com and hkhk.com. I asked what the subject name for hkhk.com is: autodiscover.hkhk.com? They do not know. I worry that a wrong or missing subject name will cause users to be unable to access Outlook or receive / send email.

I just made a test: I added a new email address thomas@abcde.com and set it as my default email address (two email addresses in the mailbox: thomas@abcde.com and thomas@aisa.com). I tried to add my email account on an Android mobile and restarted my Outlook. I can send email to internal users and can receive incoming email. It seems okay. However, after 1 hour, Outlook popped up a request for me to accept a certificate: autodiscover.abcde.com. I have not created this certificate before. It seems there is a problem.


Can anyone help me?


Best Regards,

Thomas   

arnold (United States) answered:

The short answer is that you need to include all the names that you use to access it.


The certificate deals with covering the connection requests.
You could point
if you are setting up autodiscover

When creating a certificate request you have the Subject primary hostname on the certificate.
Then you have the Subject Alternate Name:
DNS=anothername
dns=yetanotherone

What this achieves is that the same certificate can secure multiple hostnames.

View your existing certificate, then navigate through the Detail tab to get a better understanding.

Since this is an Exchange, there are additional functionality options you have to include for the certificate not to be rejected by Exchange.


Plan ahead.
You could create in each zone of your domains references to the configuration.
Note: @ represents the domain where it is added.
_autodiscover._tcp.@ IN SRV 0 0 443 autodiscover.asia.com.

When added, either user entering their email address will be led back to your Exchange server for the configuration.
To get the request for a public certificate:
https://docs.microsoft.com/en-us/Exchange/architecture/client-access/create-ca-certificate-requests?view=exchserver-2019#:~:text=Create%20a%20New%20Certificate%20Request%20in%20Outlook%201,the%20certificate%2C%20and%20then%20click%20Next.%20See%20More.



Since the need for multiple hosts will require the use of the more expensive certificate, you might as well include more hostnames which you might not use in the end than too few, and run into issues.

Does your Exchange allow IMAP access for those who do not have Outlook? async? etc.
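The planning check below is an added example, not code from arnold's answer or from anyone in this thread: it derives the public names an Exchange certificate must cover from the client-access hostname and the email domains, treats a published _autodiscover._tcp SRV record the way arnold describes (the client is sent to the SRV target instead of autodiscover.<domain>), and diffs the result against the SAN list quoted in the question. The hostnames, domains and the SRV target are constructed from the values in this thread; the assumption about Outlook's lookup order is stated in the docstring.

```python
"""Plan the SAN list for an Exchange certificate from the email domains it
serves, then diff it against the names already on a certificate.
Assumption: Outlook tries https://<domain>/ and https://autodiscover.<domain>/
before the _autodiscover._tcp.<domain> SRV record, so a domain whose SRV record
points at a host already on the certificate needs no autodiscover.<domain> SAN."""
import fnmatch

# Constructed sample values based on the question above (not real hosts).
CLIENT_ACCESS_HOSTS = {"hkexchange.aisa.com"}
EMAIL_DOMAINS = {"aisa.com", "hkhk.com"}
EXISTING_SANS = {"ex01.test.net", "ex02.test.net", "ex03.test.net",
                 "hkexchange.aisa.com", "autodiscover.aisa.com", "hkhk.com"}
# domain -> target of its _autodiscover._tcp SRV record, where one is published
SRV_TARGETS = {"hkhk.com": "autodiscover.aisa.com"}


def name_covered(name, sans):
    """True if `name` is covered by a SAN, allowing a single-label wildcard."""
    return any(fnmatch.fnmatchcase(name, san)
               and (not san.startswith("*.") or name.count(".") == san.count("."))
               for san in sans)


def required_names(hosts, domains, srv_targets):
    """Every public name a client will present in SNI / hostname verification."""
    needed = set(hosts)
    for domain in sorted(domains):
        target = srv_targets.get(domain)
        # With an SRV redirect the client connects to the target host instead
        # of autodiscover.<domain>, so the target is the name that must be covered.
        needed.add(target if target else f"autodiscover.{domain}")
    return needed


def missing_names(required, sans):
    """Names the certificate must gain before clients stop prompting."""
    return sorted(n for n in required if not name_covered(n, sans))


if __name__ == "__main__":
    for label, srv in (("no SRV records", {}), ("SRV for hkhk.com", SRV_TARGETS)):
        req = required_names(CLIENT_ACCESS_HOSTS, EMAIL_DOMAINS, srv)
        print(f"{label}: need {sorted(req)}; missing {missing_names(req, EXISTING_SANS)}")
```

Without an SRV record the check reports autodiscover.hkhk.com as missing (the bare hkhk.com entry does not cover it), and adding a third domain such as abcde.com reproduces the autodiscover.abcde.com prompt the question describes.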
ASKER CERTIFIED SOLUTION
DEMAN-BARCELO (MVP) Thierry (France)

This solution is only available to members.
1) Use free https://LetsEncrypt.org certs.

2) Create 1x cert for each Exchange instance.

3) https://www.experts-exchange.com/questions/29178012/Exporting-a-UCC-SSL-to-a-Windows-Apache-Web-Server-and-Configuring-Apache-to-use.html - provides details about the initial cert setup plus hands-free auto-renewal of the cert forever.