Questions on Exchange 2010 & Wildcard SSL Certs

  • Question

  • Hi all,

    I am currently testing Exchange 2010 and I have two questions regarding SSL certs. For this example, let's say the domain my company uses is domain.com. We currently have a wildcard SSL cert for *.domain.com. For my test-bed Exchange 2010 setup, I made a subdomain called test.domain.com; our CAS server is called owa.test.domain.com.

    1.  When importing our wildcard cert into the CAS server and assigning it to POP, IMAP, and IIS, it failed on both POP and IMAP because it said "The subject is not a FQDN."  Can you not use wildcard certs for POP and IMAP?

    2.  Even though it worked for IIS, you still get the untrusted-site warning when you try to connect to it over the web. Viewing the Technical Details says:

    owa.test.domain.com uses an invalid security certificate. The certificate is only valid for the following names: *.domain.com, domain.com (Error code: ssl_error_bad_cert_domain)

    Is this because I used the subdomain 'test' for the domain domain.com? Would it have worked if I had used owa.domain.com?

     


    Sunday, June 5, 2011 4:22 PM

Answers

  • Hi,

     

    There are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You must understand how these factors may affect your overall configuration. Before you continue, read Understanding TLS Certificates.


    Don't use the Enable-ExchangeCertificate cmdlet to enable a wildcard certificate for POP and IMAP services. To enable a wildcard certificate, you must use the Set-ImapSettings or Set-PopSettings cmdlets with the fully qualified domain name (FQDN) of the service.


    For the detailed information, please refer to the following link:

     

    Title: Enable-ExchangeCertificate

    URL: http://technet.microsoft.com/en-us/library/aa997231.aspx

     

    Yes, from your description, I understand that the wildcard certificate is issued to *.domain.com. For owa.test.domain.com, the wildcard certificate will come up with the message that it is only valid for the following names: *.domain.com. I suggest that you remove the subdomain 'test' from the domain domain.com. It will work if you use owa.domain.com.

     

    Thx,

    James


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, June 7, 2011 9:07 AM
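A worked example of the procedure James describes, added here and not part of the original answer. It is meant for the Exchange Management Shell on the CAS and assumes the *.domain.com wildcard certificate is already imported there and that clients will reach OWA, POP and IMAP at owa.domain.com, a name one label below domain.com, which the wildcard does cover. The name owa.domain.com, the IMAPS port 993 and the final connection check are assumptions for the example, not values from the thread.

```powershell
# Added example, not from the original thread. Run in the Exchange Management Shell on the CAS.
# Assumption: the *.domain.com wildcard certificate is already imported, and clients will use
# the name owa.domain.com (one label under domain.com, so the wildcard covers it).
$fqdn = 'owa.domain.com'

# Locate the wildcard certificate by subject instead of pasting a thumbprint by hand.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject.StartsWith('CN=*.domain.com') -and $_.Status -eq 'Valid' } |
    Select-Object -First 1
if (-not $cert) { throw 'No valid certificate with subject CN=*.domain.com is installed on this server.' }

# IIS (OWA, EWS, ActiveSync, Outlook Anywhere) accepts the wildcard through Enable-ExchangeCertificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS -Confirm:$false

# POP and IMAP do not: Enable-ExchangeCertificate rejects a wildcard subject as "not a FQDN".
# Instead tell each service which FQDN it presents; Exchange then selects the certificate
# whose subject or SAN matches that name, and *.domain.com matches owa.domain.com.
Set-PopSettings  -X509CertificateName $fqdn
Set-ImapSettings -X509CertificateName $fqdn
Restart-Service MSExchangePOP3, MSExchangeIMAP4

# Check what the server now presents on IMAPS (993) to a client asking for $fqdn.
# The validation callback returns $true only so the certificate can be inspected here;
# never disable validation like this in real client code.
$tcp = New-Object System.Net.Sockets.TcpClient($fqdn, 993)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
$ssl.AuthenticateAsClient($fqdn)
"Presented subject: $($ssl.RemoteCertificate.Subject)"
$tcp.Close()
```

The connection check at the end is the part worth keeping in a runbook: it shows the certificate the POP/IMAP listener actually hands out after the restart, which is what a client's hostname check will be run against, rather than what Get-ExchangeCertificate reports as installed.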

All replies

  • As far as SSL certificates are concerned, host.sub.example.com is not covered by a wildcard certificate for *.example.com. If you wanted to use a wildcard certificate then you would need one for *.sub.example.com, or even *.*.example.com, if anyone issues those (I don't think so). Therefore your problem is that you have too many subdomains for the certificate. Not an Exchange issue at all, but how SSL certificates are treated.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.
    Sunday, June 5, 2011 10:36 PM
  • So could you issue a cert with *.example.com (that would cover any-sub-domain.example.com) along with a Subject Alternative Name (SAN) for dns=*.web.example.com? This way, you would cover all first-level subdomains of example.com, and also all subdomains of web.example.com. Would this work as I described?
    Tuesday, August 16, 2011 5:48 PM
  • CAs (I belong to ssl.com) cannot issue wildcards above the subdomain level, so *.web.example.com will not suffice. You can embed wildcards in the UC certificate however - http://www.ssl.com/certificates/ucc

    Also be sure to try SSLTools Manager for Windows - http://www.ssltools.com/manager - for an intuitive graphical tool to help manage your SSL certificates on Windows servers. Works great for Exchange, OWA, IIS, etc., or in any enterprise environment. No more command prompts or certificate snap-ins.

    Monday, January 7, 2013 6:38 PM
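The matching rule behind Simon's reply (a wildcard label stands for exactly one DNS label) and behind the later question about a UC certificate carrying both *.example.com and *.web.example.com, written out as an added example that is not part of the thread. It follows the hostname-matching rule of RFC 6125 section 6.4.3 as browsers and mail clients apply it, so a hostname can be checked against a certificate's name list before the certificate is bought or deployed. The function names Test-CertNameMatch and Test-CertCovers, and the example.com names, are hypothetical; the two names on the first certificate are the ones the original poster's browser reported.

```powershell
# Added example, not from the thread: the RFC 6125 hostname-matching rule, as browsers and
# mail clients apply it, so a name can be checked against a certificate's name list.
function Test-CertNameMatch {
    param(
        [Parameter(Mandatory = $true)][string]$CertName,   # one dNSName SAN or the subject CN
        [Parameter(Mandatory = $true)][string]$HostName    # the name the client connects to
    )
    # DNS names are case-insensitive, and a trailing dot is the same name.
    $pattern = $CertName.ToLowerInvariant().TrimEnd('.')
    $target  = $HostName.ToLowerInvariant().TrimEnd('.')

    if ($pattern.IndexOf('*') -lt 0) { return ($pattern -eq $target) }

    $pLabels = $pattern.Split('.')
    $tLabels = $target.Split('.')

    # The wildcard is honoured only as the whole leftmost label, with at least two labels
    # after it: '*.domain.com' yes; 'owa*.domain.com', '*.*.domain.com' and '*.com' no.
    # (Clients also refuse wildcards on public suffixes such as '*.co.uk'; not modelled here.)
    if ($pLabels[0] -ne '*') { return $false }
    if ($pLabels.Length -lt 3) { return $false }
    for ($i = 1; $i -lt $pLabels.Length; $i++) {
        if ($pLabels[$i].IndexOf('*') -ge 0) { return $false }
    }

    # '*' stands for exactly one label, never zero and never 'a.b'. This is the rule that makes
    # *.domain.com match owa.domain.com but neither domain.com nor owa.test.domain.com.
    if ($tLabels.Length -ne $pLabels.Length) { return $false }
    for ($i = 1; $i -lt $pLabels.Length; $i++) {
        if ($pLabels[$i] -ne $tLabels[$i]) { return $false }
    }
    return $true
}

function Test-CertCovers {
    # $true if any name on the certificate (subject CN plus every dNSName SAN) matches the host.
    param([string[]]$CertNames, [string]$HostName)
    foreach ($n in $CertNames) {
        if (Test-CertNameMatch -CertName $n -HostName $HostName) { return $true }
    }
    return $false
}

# The certificate from the thread lists exactly these two names (per the browser's error text).
$threadCert = @('*.domain.com', 'domain.com')
foreach ($h in 'owa.domain.com', 'OWA.DOMAIN.COM.', 'domain.com', 'owa.test.domain.com') {
    '{0,-22} covered: {1}' -f $h, (Test-CertCovers -CertNames $threadCert -HostName $h)
}

# The UC certificate proposed later in the thread, with a second wildcard one level deeper.
$ucCert = @('*.example.com', '*.web.example.com')
foreach ($h in 'owa.example.com', 'mail.web.example.com', 'a.b.web.example.com') {
    '{0,-22} covered: {1}' -f $h, (Test-CertCovers -CertNames $ucCert -HostName $h)
}
```

The bare name domain.com is covered only because the certificate lists it as a second SAN, not because of the wildcard; and owa.test.domain.com fails against *.domain.com for the reason Simon gives, since the wildcard would have to stand for two labels. Running the same check against the list of names on a proposed UC certificate, before ordering it, is a cheap way to avoid repeating the original poster's mistake.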