Exchange 2007 SSL Certificate Renewal with local domain name

  • Question

  • Hello,

     Digicert contacted me to let me know that my SSL Certificate for our Exchange 2007 server is expiring because it has a local domain name in it. Is there any reason why this cert would have a local name in it?

    Thanks,

    Derek

    Wednesday, August 26, 2015 12:24 PM


All replies

  • Probably because the person requesting the certificate added it to the list of subject alternate names.

    There is no reason to have the local domain name on the certificate but if you remove it, you may have to adjust your Exchange client access urls to reflect this change (replace them with the registered domain name of the organization, for example). 


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Wednesday, August 26, 2015 2:27 PM
  • In fact, here's a summary of what you may need to change:

    https://social.technet.microsoft.com/Forums/exchange/en-US/f70e57e6-50de-433c-bdaa-004aeef36dd5/exchange-certificate-renewalupgrade-and-local-domain?forum=exchangesvrgeneral

    Of course, if you do not use Outlook Anywhere, etc., then no need to worry about that.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Wednesday, August 26, 2015 2:29 PM
  • Hi David,

     Thank you for the response. Is there a PS command to show the current URLs for them? Also we don't use Outlook Anywhere.

    Wednesday, August 26, 2015 3:41 PM
  • get-AutodiscoverVirtualDirectory
    get-ClientAccessServer
    get-webservicesvirtualdirectory
    get-oabvirtualdirectory
    get-owavirtualdirectory
    get-ecpvirtualdirectory
    get-ActiveSyncVirtualDirectory

    are these what I would need to run? Some of them only had the internal URL.

    Wednesday, August 26, 2015 4:39 PM
  • You need to set up a split DNS so the external name resolves internally, then reconfigure all of the URLs to use the external name for both internal and external traffic. If you are seeing some internal names in the results of the commands above, then I would presume that you have the configuration wrong throughout.

    I have instructions on what to change here: http://semb.ee/hostnames2007

    The Autodiscover Virtual Directory should not be changed from the default because the URLs are not used. Autodiscover is a hard-coded set of URLs for external traffic, and internal traffic gets the URL from the domain (which is configured via set-clientaccessserver).

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    • Proposed as answer by David Wang_ Thursday, August 27, 2015 1:38 AM
    • Marked as answer by DRUSSQAC Thursday, August 27, 2015 5:45 PM
    Wednesday, August 26, 2015 5:03 PM
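    The audit-and-reconfigure step described above, as an added example that is not part of the thread and is not the script Simon links. It walks the virtual directory cmdlets Derek listed, compares the host name in every InternalUrl/ExternalUrl against the names on the certificate that is currently bound to IIS, and rewrites mismatches to a single public name only when -Apply is given. The Autodiscover virtual directory is left alone (its URLs stay empty), and the Autodiscover SCP URI from Get-ClientAccessServer is checked separately, as Simon describes. Assumed values: the CAS is named SERVER and the public name is mail.domain.org; Get-EcpVirtualDirectory is omitted because it only exists from Exchange 2010. Run it in the Exchange Management Shell on the CAS (PowerShell 2.0 or later).

```powershell
# Added example, not text from the thread and not the script Simon links.
# Audits the client-access URLs Exchange 2007 hands to Outlook/ActiveSync via
# Autodiscover, flags host names not covered by the IIS-bound certificate, and
# rewrites them to one public name only when -Apply is given.
# Assumed values: CAS name SERVER, public name mail.domain.org.
param(
    [string]$Server     = "SERVER",
    [string]$PublicFqdn = "mail.domain.org",
    [switch]$Apply
)

# Names the certificate bound to IIS actually covers (subject CN plus SANs).
$iisCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
if (-not $iisCert) { throw "No certificate is enabled for IIS on this server." }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() })

function Test-HostOnCert([string]$url) {
    # Empty URLs (the Autodiscover virtual directory, for instance) are fine: they are not used.
    if ([string]::IsNullOrEmpty($url)) { return $true }
    $h = ([System.Uri]$url).Host.ToLower()
    if ($certNames -contains $h) { return $true }
    # Honour wildcard entries such as *.domain.org.
    foreach ($n in $certNames) {
        if ($n.StartsWith("*.") -and $h.EndsWith($n.Substring(1))) { return $true }
    }
    return $false
}

function Set-UrlHost([string]$url, [string]$newHost) {
    # Keep scheme and path, swap only the host part.
    $b = New-Object System.UriBuilder($url)
    $b.Host = $newHost
    return $b.Uri.AbsoluteUri
}

if (-not (Test-HostOnCert "https://$PublicFqdn/")) {
    Write-Warning "$PublicFqdn is not on the IIS certificate $($iisCert.Thumbprint); clients will still be prompted."
}

# Get-/Set- cmdlet pairs for the virtual directories whose URLs Autodiscover publishes.
$vdTypes = @(
    @{ Get = "Get-WebServicesVirtualDirectory"; Set = "Set-WebServicesVirtualDirectory" },
    @{ Get = "Get-OabVirtualDirectory";         Set = "Set-OabVirtualDirectory" },
    @{ Get = "Get-OwaVirtualDirectory";         Set = "Set-OwaVirtualDirectory" },
    @{ Get = "Get-ActiveSyncVirtualDirectory";  Set = "Set-ActiveSyncVirtualDirectory" }
)

$fmt = "{0,-45} {1,-12} {2,-4} {3}"
foreach ($t in $vdTypes) {
    $getCmd = $t.Get
    $setCmd = $t.Set
    foreach ($vd in (& $getCmd -Server $Server)) {
        foreach ($prop in "InternalUrl", "ExternalUrl") {
            $url = "$($vd.$prop)"
            $ok  = Test-HostOnCert $url
            $fmt -f $vd.Identity, $prop, $(if ($ok) { "ok" } else { "FIX" }), $url
            if ($Apply -and -not $ok) {
                $splat = @{ Identity = $vd.Identity }
                $splat[$prop] = Set-UrlHost $url $PublicFqdn
                & $setCmd @splat
            }
        }
    }
}

# Domain-joined Outlook finds Autodiscover through this SCP URI, not through the
# Autodiscover virtual directory, so it must use a name on the certificate too.
$cas = Get-ClientAccessServer -Identity $Server
$scp = "$($cas.AutoDiscoverServiceInternalUri)"
$ok  = Test-HostOnCert $scp
$fmt -f $Server, "SCP", $(if ($ok) { "ok" } else { "FIX" }), $scp
if ($Apply -and -not $ok) {
    Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "https://$PublicFqdn/Autodiscover/Autodiscover.xml"
}
```

    Run it once without -Apply to see the table, fix split DNS so mail.domain.org resolves to the CAS internally, then run it with -Apply. Outlook picks the new URLs up on its next Autodiscover refresh, which is why this is done before the certificate is swapped.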
  • So I ran get-AutodiscoverVirtualDirectory, get-webservicesvirtualdirectory and get-owavirtualdirectory. This is what it showed me.

    Name                            : Autodiscover (Default Web Site)
    InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
    ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
    BasicAuthentication             : True
    DigestAuthentication            : False
    WindowsAuthentication           : True
    MetabasePath                    : IIS://Server.domain-SAV.local/W3SVC/1/ROOT/Autodiscover
    Path                            : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags         : {}
    ExtendedProtectionSPNList       : {}
    Server                          : Server
    InternalUrl                     :
    ExternalUrl                     : https://mail.domain.org/autodiscover/autodiscover.xml
    AdminDisplayName                :
    ExchangeVersion                 : 0.1 (8.0.535.0)
    DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=SERVER,CN=Servers,CN=Exchange A
                                      dministrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=QAC,CN=Microsoft Exchange,CN=
                                      Services,CN=Configuration,DC=Domain,DC=local
    Identity                        : Server\Autodiscover (Default Web Site)
    Guid                            : aaa3d2ad-dab6-4159-b145-51964cf58974
    ObjectCategory                  : Domain.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
    ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
    WhenChanged                     : 2/28/2011 4:10:46 PM
    WhenCreated                     : 8/3/2010 12:31:50 PM
    OriginatingServer               : DC.Domain-sav.local
    IsValid                         : True

    InternalNLBBypassUrl            : https://Server.domain-sav.local/EWS/Exchange.asmx
    Name                            : EWS (Default Web Site)
    InternalAuthenticationMethods   : {Ntlm, WindowsIntegrated}
    ExternalAuthenticationMethods   : {Ntlm, WindowsIntegrated}
    BasicAuthentication             : False
    DigestAuthentication            : False
    WindowsAuthentication           : True
    MetabasePath                    : IIS://server.domain-sav.local/W3SVC/1/ROOT/EWS
    Path                            : C:\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\EWS
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags         : {}
    ExtendedProtectionSPNList       : {}
    Server                          : Server
    InternalUrl                     : https://server.domain-sav.local/EWS/Exchange.asmx
    ExternalUrl                     :
    AdminDisplayName                :
    ExchangeVersion                 : 0.1 (8.0.535.0)
    DistinguishedName               : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=Server,CN=Servers,CN=Exchange Administra
                                      tive Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=SAV,CN=Microsoft Exchange,CN=Services,
                                      CN=Configuration,DC=Domain-SAV,DC=local
    Identity                        : SERVER\EWS (Default Web Site)
    Guid                            : aee7fbe7-7c02-4e6c-b34f-afe407142d5d
    ObjectCategory                  : Domain-SAV.local/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
    ObjectClass                     : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
    WhenChanged                     : 1/9/2012 1:03:51 PM
    WhenCreated                     : 1/9/2012 1:03:36 PM
    OriginatingServer               : DC.Domain-SAV.local
    IsValid                         : True

    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags         : {}
    ExtendedProtectionSPNList       : {}
    Server                          : Server
    InternalUrl                     : https://Server.domain-SRV.local/owa
    ExternalUrl                     : https://mail.domain.org/owa
    ExternalAuthenticationMethods   : {Fba}
    AdminDisplayName                :
    ExchangeVersion                 : 0.1 (8.0.535.0)
    DistinguishedName               : CN=owa (Default Web Site),CN=HTTP,CN=Protocols,CN=Server,CN=Servers,CN=Exchange Administra
                                      tive Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=SAV,CN=Microsoft Exchange,CN=Services,
                                      CN=Configuration,DC=Domain-SAV,DC=local
    Identity                        : Server\owa (Default Web Site)
    Guid                            : 68bd389d-4f98-4e46-967a-5050944d2bf6
    ObjectCategory                  : Domain-SAV.local/Configuration/Schema/ms-Exch-OWA-Virtual-Directory
    ObjectClass                     : {top, msExchVirtualDirectory, msExchOWAVirtualDirectory}
    WhenChanged                     : 4/29/2011 6:51:37 PM
    WhenCreated                     : 8/3/2010 12:31:44 PM
    OriginatingServer               : DC.Domain-SAV.local
    IsValid                         : True

    Wednesday, August 26, 2015 5:36 PM
  • The URL values on the Autodiscover Virtual Directory should be null.

    The OWA virtual directory should be using the same URL internally and externally.

    I expect you would find other URLs have also not changed correctly.

    Use the script on the web page I have linked to above - that will change everything for you.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Wednesday, August 26, 2015 5:54 PM
  • Let me ask a question though. If the clients using OWA are linked to mail.domain.org/owa and not FQDN of the server does it really matter?

    Wednesday, August 26, 2015 6:12 PM
  • It looks like DigiCert has a tool to do this also.

    So it looks like your blog doesn't go into detail on how to import the new SSL cert. Would this be ideal to follow?

    https://www.digicert.com/ssl-certificate-installation-microsoft-unified-communications.htm

    Wednesday, August 26, 2015 6:47 PM
  • import-exchangecertificate c:\ssl\nameoffile.crt

    get-exchangecertificate

    enable-exchangecertificate -thumbprint XXXX -services iis, pop, imap, SMTP

    (where XXXX is the thumbprint you see from get-exchangecertificate)

    The URLs do matter. If you have it set to server.domain.local, and an internal client browses to host.example.com, then Exchange will correct the address to server.domain.local.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    • Marked as answer by DRUSSQAC Thursday, August 27, 2015 5:45 PM
    Wednesday, August 26, 2015 7:08 PM
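    The three commands above, as an added example that is not Simon's text: the thumbprint is selected by the name on the certificate rather than copied from get-exchangecertificate by hand, and after Enable-ExchangeCertificate the script opens a TLS connection to the public name and compares the thumbprint IIS actually presents with the one it just enabled. Assumed values: the file c:\ssl\nameoffile.crt from Simon's post and the public name mail.domain.org. Run it in the Exchange 2007 Management Shell on the Client Access Server; the private key must already be in the machine store from the original certificate request.

```powershell
# Added example, not Simon's text: import, select by name, enable, then verify
# the certificate IIS serves at the public name by a live TLS handshake.
# Assumed values: c:\ssl\nameoffile.crt and mail.domain.org from the thread.
param(
    [string]$CertFile   = "c:\ssl\nameoffile.crt",
    [string]$PublicFqdn = "mail.domain.org",
    [string[]]$Services = @("IIS", "POP", "IMAP", "SMTP")
)

# 1. Import the CA-issued certificate. Its private key must already be in the
#    local machine store (left there by New-ExchangeCertificate -GenerateRequest).
Import-ExchangeCertificate -Path $CertFile | Out-Null

# 2. Pick the newest certificate that has a private key and carries the public
#    name, instead of copying a thumbprint from Get-ExchangeCertificate by hand.
$cert = Get-ExchangeCertificate |
    Where-Object {
        $_.HasPrivateKey -and
        (@($_.CertificateDomains | ForEach-Object { "$_".ToLower() }) -contains $PublicFqdn.ToLower())
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key covers $PublicFqdn; check the import." }
"Selected {0}, expires {1:yyyy-MM-dd}, names: {2}" -f $cert.Thumbprint, $cert.NotAfter, ($cert.CertificateDomains -join ", ")

# 3. Bind it to the listed services (the enable step from the post).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services ($Services -join ",")

# 4. Verify from the client side: resolve the public name (split DNS should
#    return an internal address here) and read the certificate IIS presents.
function Get-ServedThumbprint([string]$hostName, [int]$port = 443) {
    $client = New-Object System.Net.Sockets.TcpClient($hostName, $port)
    try {
        # Chain validation is bypassed on purpose: the point is to see which
        # certificate is served; the comparison below is by thumbprint.
        $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
        $ssl.AuthenticateAsClient($hostName)
        return $ssl.RemoteCertificate.GetCertHashString()
    } finally {
        $client.Close()
    }
}

$addrs = [System.Net.Dns]::GetHostAddresses($PublicFqdn) | ForEach-Object { $_.IPAddressToString }
"$PublicFqdn resolves here to: $($addrs -join ', ')"
$served = Get-ServedThumbprint $PublicFqdn
if ($served -eq $cert.Thumbprint) {
    "IIS at $PublicFqdn is serving the new certificate ($served)."
} else {
    Write-Warning "IIS at $PublicFqdn is serving $served, not $($cert.Thumbprint). Restart IIS (iisreset) on the CAS and check again."
}
```

    The handshake check is the one that matters for the original problem: if the name resolved internally points at the CAS and the served thumbprint matches, Outlook and OWA clients inside the network will stop seeing certificate prompts once the URLs have been moved to that name.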
  • Got it. I already have internal DNS set up for mail.domain.org, but it would still use the FQDN of the server? I am just trying to understand how it works.

    Thanks Simon

    Wednesday, August 26, 2015 8:53 PM
  • Exchange has no knowledge of the URLs on the internal DNS or SSL certificate, that is why you have to configure it within Exchange.

    Therefore to ensure that the end users do not get prompts, change all URLs to match the SSL certificate.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Wednesday, August 26, 2015 9:56 PM
  • Hi,

    For now, .local cannot be used on a public certificate. We can configure split DNS to host an internal DNS zone for mail.domain.com, then change all VDs, Autodiscover, etc. to mail.domain.com.

    Here's a similar thread about your question, for your reference:

    https://social.technet.microsoft.com/Forums/office/en-US/80055b41-9bb4-4f33-9693-41a16230b243/reconfigure-exchange-2010-to-use-the-fqdn?forum=exchangesvrunifiedmessaging    

    Regards,

    David 




    • Edited by David Wang_ Friday, November 27, 2015 2:15 AM
    Thursday, August 27, 2015 1:43 AM
  • Reconfigure Outlook profile? Would this need to be done on everyone's Outlook in the organization? This is the first I've heard of this.
    Thursday, August 27, 2015 11:48 AM
  • I have to agree - a change of the virtual directory configuration should not require a reconfiguration of the Outlook profile. If you make the changes then they should be picked up by Autodiscover.

    Make the change before you change the SSL certificate and it should be transparent - as the clients will get and start using the new configuration, then you can change the SSL certificate.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Thursday, August 27, 2015 9:40 PM
  • Hi Simon,

    I notice in your blog you require Outlook 2007 or above. I suppose this means that Outlook 2003 clients will no longer work after this change?

    Thanks,

    Derek

    Tuesday, September 1, 2015 3:33 PM
  • > Hi Simon,
    >
    > I notice in your blog you require Outlook 2007 or above. I suppose this means that Outlook 2003 clients will no longer work after this change?
    >
    > Thanks,
    >
    > Derek

    Outlook 2003 doesn't connect to Exchange via web services, so it would be completely unaffected by changes to the virtual directory configurations.

    The only thing that Outlook 2003 does with web services is RPC over HTTPS (Outlook Anywhere in later versions). This requires manual configuration though, as Outlook 2003 doesn't know about Autodiscover.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Friday, September 4, 2015 4:27 PM
  • Hi Simon,

     So I made the changes about 12 hours ago and my Outlook client is still showing the local server name.

     I tried to create a new mail profile and put mail.domain.org in the server name and it changed it to the local server name. Any ideas?

    Saturday, September 19, 2015 11:16 AM
  • > Hi Simon,
    >
    > So I made the changes about 12 hours ago and my Outlook client is still showing the local server name.
    >
    > I tried to create a new mail profile and put mail.domain.org in the server name and it changed it to the local server name. Any ideas?

    That is the expected behaviour. The server name within Outlook will always be the server's real name. You cannot change that behaviour. However it has no effect on SSL operations because Outlook does not connect to that address using HTTPS.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.

    Monday, September 21, 2015 11:53 AM