Netbios names on exchange certificates

  • Question

  • Hi, 

    Is it not best practice to include the server NetBIOS name in the SAN on the Exch 2013 SSL cert? Also, is it even supported? I see some suggestions that NetBIOS names on Exchange certs are not often supported by online certificate authorities.

    Thanks 

    Wednesday, January 15, 2014 9:21 AM

Answers

  • Hello,

    Since the certificate SAN name can be seen by the public, if security issues are not a concern, it's fine to add it to the SAN name.

    More information and best practices for Exchange Certificate in:

    Digital Certificates and SSL

    http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx

    Thanks,

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnsfl@microsoft.com


    Simon Wu
    TechNet Community Support

    Thursday, January 16, 2014 7:23 AM

All replies

  • According to BR v1, you should avoid using internal server names (e.g. NetBIOS names) in the SAN or CN fields of the certificate. If you are using only public FQDNs, you need to configure Split-Brain DNS or PinPoint DNS zones which will resolve these FQDNs to the internal servers' IP addresses for the local users.

    ===================================================

    Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Version 1.0
    BR 1.0 - Adopted by CA/Browser Forum (includes over 30 CA members and major browser vendors: Microsoft, Apple, Mozilla, Google, Opera)
    Effective as of July 1, 2012

    • CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a SAN or Subject Common Name field containing a Reserved IP Address or Internal Server Name.

    • Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose SAN or Subject Common Name field contains a Reserved IP Address or Internal Server Name.
    ===================================================



    Thursday, January 16, 2014 4:33 PM
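    As an added illustration (not code from this thread or from Microsoft), the following Python script audits a list of SAN/CN values against the BR rule quoted above: it flags single-label NetBIOS names, names under suffixes that are not public TLDs, and IP addresses that are not globally routable. The suffix list is an assumed heuristic, not the IANA root zone, and the sample SAN list is constructed with placeholder contoso names.

```python
import ipaddress

# Assumed, non-exhaustive list of suffixes that are not public TLDs.
# A full check would consult the IANA Root Zone Database instead.
NON_PUBLIC_SUFFIXES = (
    ".local", ".internal", ".lan", ".corp", ".home",
    ".localhost", ".test", ".example", ".invalid",
)

# Constructed sample SAN list for an Exchange 2013 certificate request.
SAMPLE_SAN = [
    "mail.contoso.com",
    "autodiscover.contoso.com",
    "EXCH01",                 # bare NetBIOS name
    "exch01.contoso.local",   # private AD DNS suffix
    "192.168.10.5",           # RFC 1918 address
    "*.contoso.com",
]


def classify_san(entry: str) -> str:
    """Return 'reserved-ip', 'internal-name' or 'public' for one SAN/CN value."""
    value = entry.strip().lower()
    # IP address entries: anything not globally routable is a Reserved IP Address
    try:
        ip = ipaddress.ip_address(value)
        return "public" if ip.is_global else "reserved-ip"
    except ValueError:
        pass  # not an IP literal, treat as a DNS name
    # Ignore a leading wildcard label when checking the suffix
    host = value[2:] if value.startswith("*.") else value
    if "." not in host:
        return "internal-name"  # single-label host, e.g. a NetBIOS name
    if host.endswith(NON_PUBLIC_SUFFIXES):
        return "internal-name"  # suffix is not a public TLD
    return "public"


def offending_names(names):
    """Entries a public CA would refuse (or later revoke) under the BR rule."""
    return [n for n in names if classify_san(n) != "public"]


if __name__ == "__main__":
    for name in SAMPLE_SAN:
        print(f"{name:28} {classify_san(name)}")
    print("Remove before submitting the CSR:", offending_names(SAMPLE_SAN))
```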
  • Hello,

    Is there any update on this thread?

    Thanks,

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnsfl@microsoft.com


    Simon Wu
    TechNet Community Support

    Monday, January 20, 2014 9:41 AM