none
Outlook 2010 | Exchange 2003 | Selfsigned SSL certificate

    Question

  • Hello,

    I am not quite sure, maybe this post belongs to the "server- section".

    I am administering the server of a foundation, which offcourse, needs all on low budget. Therefore a selfsigned certificate was used to connect clients with RPC over HTTPS. They are using Exchange 2003, with an ISA2006 server on the perimiter. Al worked fine, till the first Outlook 2010 client connected.
    On the LAN everything works fine, but using RPC over HTTPS does not. The problem is caused by the certificate as it seems. It has the external domain name registrated, but not the autodiscover hostname. Now when opening the Outlookclient, it comes up with the pop-up for credentials, but after that is comes up with the message that the name on the certificate does not match the name of the website. And it points to the autodiscover hostname. After stating "Yes, continue", it just does not connect and the connection remains "disconnected".

    The question: Is there a way to work around this? Can i create a selfsigned Multi Domain SSL? I now i can from EX2007 and Ex2010. Without making any extra costs?

    Thank you in advance.

    Mark

    Thursday, March 24, 2011 12:00 PM

All replies

  • I recommend that you install an enterprise root CA in your domain and issue certificates from it.  Of course, you'll need to import the root certificate into all clients, but if you're using a self-signed certificate then you're already used to doing that.

    By the way, you can get a public UCC certificate from Go Daddy with up to 5 SANs for $216 for three years if you want to avoid all the hassle of importing root certificates.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Thursday, March 24, 2011 3:18 PM
  • Hello Ed,

    Thank you for your reply.
    In fact we are already using an Enterprise Root CA with selfsigned certificates. The question is, if it is possible to create selfsigned multidomain certificates (With 1 SAN, maybe 2).

    Mark

    Thursday, March 24, 2011 5:43 PM
  • Yes.

    Create UC SAN Private CA issued certificate to replace self signed certificate Exchange 2007

    http://exchangeshell.wordpress.com/2009/09/20/create-ucc-san-private-ca-issued-certificate-to-replace-self-signed-certificate-exchange-2007/

    How to create your own selfsigned SSL UCC SAN Certificate to use with Exchange 2007/2010

    http://it-experts.dk/blogs/jjonsson/archive/2010/03/04/how-to-create-your-own-selfsigned-ssl-ucc-san-certificate-to-use-with-exchange-2007-2010.aspx


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
    Thursday, March 24, 2011 5:53 PM
  • You don't get a self-signed certificate from an enterprise CA.  A self-signed certificate is created by the Exchange server itself without the use of a CA.  What you are issuing are internal CA certificates as opposed to public certificates.

    You can issue a SAN certificate for Exchange 2003.  The following article describes it with a Windows 2008 CA (and they call it self-signed too, even though it's not self-signed as in self-signed by the Exchange server):

    http://it-experts.dk/blogs/jjonsson/archive/2010/03/04/how-to-create-your-own-selfsigned-ssl-ucc-san-certificate-to-use-with-exchange-2007-2010.aspx

    I haven't tried it, but you might be able to use DigiCert's online tool to create the certificate request and then use it with your own CA:

    http://www.digicert.com/csr-creation.htm


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Thursday, March 24, 2011 6:10 PM
  • Ok, thank you for clearing that up. I indeed thought that that was a self signed certificate.
    I have looked for the Online CSr tool from digicert, but it produces the command line for exchange mgmnt shell.
    I also tried to use that code on another Exchange 2010 server, but ofcourse that doesnt work. I am able to process a request with the created CSR, but there is offcourse no private key.

    I also tried creating a wildcard certificate, but then ISA2006 could not resolve the internal servername on the certificate.

    Thursday, March 24, 2011 11:17 PM
  • Make sure you specify that the private key is exportable in the request.  When you get the certificate, you complete the request on the machine where you generated the request and that's what creates the private key.  Then you can export the certificate into a PFX file and import it on other machines, which is necessary if you're doing load-balancing.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Friday, March 25, 2011 1:15 AM
  • Ed,

    On the Exchange 2003 box i cannot use Exch mgmnt shell. Therefore i cannot use the code generated on the digicert website. When i do use this code on another exchange2010 box, just to create the csr, and i proces this in a request on the ex2003 box i still cannot export the private key.

    Friday, March 25, 2011 3:59 PM
  • If you want to host multiple https sites on a single IP using name virtual hosts, then you'll need to use a single certificate due to way SSL works. To make this work you need to either make a wildcard domain, which only works for subdomains of a single domain (e.g. *.mydomain.tld) or set one of the domains as the 'common name' and then the entire list of desired domains in the in the x509v3 extension area.

    If you want to use a 'multiple site' (not a subdomain wildcard certificate) for whatever reason (they are cheaper for a start) then the issuing authority will have an interface for specifying the extra domains. If you want to test out your server configuration first, before potentially wasting a lump of cash on the certificate, then you'll want to do a bit of self signing using openssl.

    However, the alternative names (formally: 'subject alternative name') stuff isn't well documented. Here's what I did:

    Choose a permanent location on disk for your certificates and keys.

    In the example, my domain is '''domain.tld''' and I'm setting up two subdomains: www and www2.

    cd [that location]

    Generate a lovely private key and keep it somewhere safe (safe = private but backed up - if you lose it, you'll have to make a new certificate):

    openssl genrsa -out www.domain.tld.key 1024

    Don't use a passkey - you'll only have to enter it every time you start up Apache.

    Generate a certificate request file:

    openssl req -new -key www.domain.tld.key -out www.domain.tld.csr

    Answer the questions! For 'Common Name' put the first domain name (www.domain.tld). Be careful to make sure all the info is correct.

    Create a extensions config file for the certificate generation (you can throw this away when you're done). This is the important bit for getting the extra domains in. You need to list ALL the domains, since the Common Name you set above is only used in the absence of the subjectAltNames field (I think).

    In www.domain.tld.cnf:

    subjectAltName=DNS:www.domain.tld,DNS:www2.domain.tld

    Then run:

    openssl x509 -req -days 365 \
      -in www.domain.tld.csr \
      -signkey www.domain.tld.key \
      -text \
      -extfile  www.domain.tld.cnf \
      -out www.domain.tld.crt
    Wednesday, December 12, 2012 9:32 PM