Buy san certificate

    Question

  • I have a new implementation for a new Exchange Server 2010 certificate; could
    you please advise me according to the scenario below.



    I have 2( hub+cas) server behind  hardware load balancer

    external name : email.mydomain.com

    internal

    Hubcas1.mylocal.local

    Hubcas2.mylocal.local



    2 mailbox server with dag

    Mbx1.mylocal.local

    Mbx2.mylocal.local



    My external domain = mydomain.com

    Also I enabled autodiscover.mydomain.com



    Note our internal domain = mylocal.local

    My external domain=mydomain.com


    What names should be included in my certificate according to this scenario?

    Thanks


    MCP MCSA MCSE MCT MCTS CCNA

    Sunday, August 04, 2013 8:53 AM

Answers

  • Buy a certificate with *.domainname.com and change the Client Access Server URLs like OWA, EWS, EAS to point to email.domainname.com

    Also create an A record named "email" and point it to your CAS NLB IP address, so that internal clients connect directly to your servers and there won't be any certificate prompt, as mentioned here:

    http://support.microsoft.com/kb/940726/en-us

    Sunday, August 04, 2013 9:39 AM
  • Hi,

     

    As Raijkumar-MCITP says, make sure you include all the internal Exchange server FQDNs and buy a SAN cert for your external access.

    For your scenario, you can see the example of TOM in the following article:

        http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx

     

    Additionally, there is another method to avoid being charged so much money for this SAN cert. Your internal namespace differs from the external namespace, and if you cannot use a certificate that supports Subject Alternative Names, we can try the following steps:

     1. Change the URLs for the appropriate Exchange 2010 components:

        http://support.microsoft.com/kb/940726/en-us

     2. Buy a SAN cert using the following cmdlet:

          New-ExchangeCertificate -DomainName email.mydomain.com, autodiscover.mydomain.com -GenerateRequest:$true -KeySize 1024 -Path c:\certrequest.req -PrivateKeyExportable:$true -SubjectName "C=US, O=Contoso Inc, CN=servername.mydomain.com"

     3. Import the certificates and assign services to them.

     4. Restart the IIS service by running iisreset /noforce from a command prompt window.

    Hope it can help you.

    Thanks



    Monday, August 05, 2013 2:06 PM
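    The four steps above carried through in the Exchange 2010 Management Shell, as an added example (not code from the thread or from Microsoft): it points every Client Access URL at the public name, requests a SAN certificate for the two public names only, imports and enables it, and then checks that every host name clients are sent to is covered by a SAN entry. It uses the names from the question; the "C=US, O=Contoso Inc" subject, the file paths and the Exchange 2010 pipeline form of New-ExchangeCertificate are assumptions.

    ```powershell
    # Added example, not from the thread: run in the Exchange 2010 Management Shell on Hubcas1.
    # Host names are the question's; "C=US, O=Contoso Inc" and the file paths are placeholders.
    $Namespace = "email.mydomain.com"
    $AutoD     = "autodiscover.mydomain.com"
    $Servers   = "Hubcas1", "Hubcas2"

    # 1. Point every client-facing URL, internal and external, at the single public name, so
    #    clients are never sent to a .local name and those names need not be on the certificate.
    foreach ($s in $Servers) {
        Set-OwaVirtualDirectory "$s\owa (Default Web Site)" -InternalUrl "https://$Namespace/owa" -ExternalUrl "https://$Namespace/owa"
        Set-EcpVirtualDirectory "$s\ecp (Default Web Site)" -InternalUrl "https://$Namespace/ecp" -ExternalUrl "https://$Namespace/ecp"
        Set-WebServicesVirtualDirectory "$s\EWS (Default Web Site)" -InternalUrl "https://$Namespace/EWS/Exchange.asmx" -ExternalUrl "https://$Namespace/EWS/Exchange.asmx"
        Set-ActiveSyncVirtualDirectory "$s\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$Namespace/Microsoft-Server-ActiveSync" -ExternalUrl "https://$Namespace/Microsoft-Server-ActiveSync"
        Set-OabVirtualDirectory "$s\OAB (Default Web Site)" -InternalUrl "https://$Namespace/OAB" -ExternalUrl "https://$Namespace/OAB"
        Set-ClientAccessServer $s -AutoDiscoverServiceInternalUri "https://$AutoD/Autodiscover/Autodiscover.xml"
    }

    # 2. Request a SAN certificate for the two public names only. 2048-bit key (the thread's
    #    1024 is below what public CAs accept); Exchange 2010 returns the request on the
    #    pipeline, so it is saved with Set-Content rather than -Path.
    $Req = New-ExchangeCertificate -GenerateRequest -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName "C=US, O=Contoso Inc, CN=$Namespace" -DomainName $Namespace, $AutoD
    Set-Content -Path "C:\certrequest.req" -Value $Req

    # 3. When the CA returns the signed certificate, import it and bind it to IIS. Repeat the
    #    import on Hubcas2 (Export-ExchangeCertificate -BinaryEncoded, then
    #    Import-ExchangeCertificate -Server Hubcas2) so both nodes behind the load balancer match.
    $Cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content "C:\certnew.cer" -Encoding Byte -ReadCount 0))
    Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services IIS

    # 4. Check: every host name a client can be handed (vdir URLs, Autodiscover SCP) must match
    #    a SAN entry; anything missed here is exactly what produces the certificate prompt.
    $Uris = @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) + @(Get-WebServicesVirtualDirectory) +
            @(Get-ActiveSyncVirtualDirectory) + @(Get-OabVirtualDirectory) |
            ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    $Uris += Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
    $Hosts     = $Uris | Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() } | Sort-Object -Unique
    $CertNames = (Get-ExchangeCertificate -Thumbprint $Cert.Thumbprint).CertificateDomains |
                 ForEach-Object { "$_".ToLower() }
    foreach ($h in $Hosts) {
        # -like lets a wildcard entry such as *.mydomain.com cover a host; exact names match as-is
        if (@($CertNames | Where-Object { $h -like $_ }).Count -eq 0) {
            Write-Warning "$h is in a client URL but not on the certificate"
        }
    }

    # 5. Restart IIS so the new binding takes effect.
    iisreset /noforce
    ```

    The check in step 4 is the part worth keeping after the change: any .local name it reports is a URL still handed to clients, which is the only reason such a name would ever need to be on the certificate.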

All replies

  • The certificate should always contain all DNS names used by users (or devices) to connect to your service.


    MCP/MCSA/MCTS/MCITP

    Sunday, August 04, 2013 9:30 AM
  • I agree with you; you mean to buy a wildcard certificate to avoid buying a SAN certificate.

    Anyway, in case of buying a wildcard or SAN certificate, should I put the names for the internal domain and the Hub+CAS names

    mylocal.local, Hubcas1.mylocal.local, Hubcas2.mylocal.local?

    I am sure the certificate must have these names: email.mylocal.local, mylocal.local

    But I am not sure about Hubcas1.mylocal.local, Hubcas2.mylocal.local

    I need help.


    MCP MCSA MCSE MCT MCTS CCNA

    Sunday, August 04, 2013 10:01 AM
  • For a wildcard cert, there is no need to put all the names in the certificate. Buy a wildcard cert -> you need an internal host A record -> all the Client Access Server URLs need to be changed to https://email.domainname.com/whatevertheurl

    If you are buying a SAN cert, make sure you include all the internal Exchange server FQDNs and email.domainname.com (and the names you used for external access)

    Sunday, August 04, 2013 6:46 PM
  • For a wildcard cert, there is no need to put all the names in the certificate. Buy a wildcard cert -> you need an internal host A record -> all the Client Access Server URLs need to be changed to https://email.domainname.com/whatevertheurl

    If you are buying a SAN cert, make sure you include all the internal Exchange server FQDNs and email.domainname.com (and the names you used for external access)

    The question: should I put DNS names for Hubcas1.mylocal.local, Hubcas2.mylocal.local? Why?


    Thanks


    MCP MCSA MCSE MCT MCTS CCNA

    Sunday, August 04, 2013 8:41 PM

  • Additionally, there is another method to avoid being charged so much money for this SAN cert. Your internal namespace differs from the external namespace, and if you cannot use a certificate that supports Subject Alternative Names, we can try the following steps:

     1. Change the URLs for the appropriate Exchange 2010 components:

        http://support.microsoft.com/kb/940726/en-us

     2. Buy a SAN cert using the following cmdlet:

          New-ExchangeCertificate -DomainName email.mydomain.com, autodiscover.mydomain.com -GenerateRequest:$true -KeySize 1024 -Path c:\certrequest.req -PrivateKeyExportable:$true -SubjectName "C=US, O=Contoso Inc, CN=servername.mydomain.com"

     3. Import the certificates and assign services to them.

     4. Restart the IIS service by running iisreset /noforce from a command prompt window.

    Hope it can help you.

    Thanks



    Regarding this scenario, I will change all internal links and external links to be the same (OWA, EWS, Sync, EAS).

    Then I will buy a SAN certificate containing these names:

    email.mydomain.com

    autodiscover.mydomain.com

    What about the names for my local domain names:

    mydomain.local

    hubcas1.mydomain.local

    hubcas2.mydomain.local

    Should I ignore these names?


    MCP MCSA MCSE MCT MCTS CCNA

    Wednesday, August 07, 2013 6:17 PM
  • What about the names for my local domain names:

    mydomain.local

    hubcas1.mydomain.local

    hubcas2.mydomain.local

    Should I ignore these names?

    They are not necessary.
    Thursday, August 08, 2013 11:37 AM
  • Thanks for all.

    Now it is clear.


    MCP MCSA MCSE MCT MCTS CCNA

    Thursday, August 08, 2013 5:23 PM