Certificates with FQDN name issue - public / internal name differences

  • Question

  • Hi

    I have an issue with a 2010 server.  I'll use a couple of sample domain names to outline my issue:

    Let's say our public domain name is abc.com, so our mail is accessed via mail.abc.com.

    Our internal domain name is xyz.com (not .local), so server names are server1.xyz.com, server2.xyz.com, etc.

    So I created a SAN cert via GoDaddy which included mail.abc.com, autodiscover.abc.com, legacy.abc.com.  Installed the cert, no problems.  Tested connectivity using the remote tool, no problem.  Can access OWA without the security warning.

    Unfortunately there are some issues that were discovered later.  Numerous sync errors, and issues with out of office on Windows 7 clients.  We did some troubleshooting and I was told to add the FQDN name to the cert.  Let's say the server name is mail1.xyz.com.  I tried adding this to the GoDaddy cert, but unfortunately it is impossible since xyz.com is a public domain name that has nothing to do with our company (we are using it internally only).

    So I'm stuck with this issue.  GoDaddy said I can use internal names such as xyz.local, but our internal domain is .com, so I don't know how to add the FQDN to the cert.

    Any suggestions?

    Thanks.


    Mike V
    Monday, September 26, 2011 7:55 PM

Answers

  • Hi Rich,

    An Exchange server can only install one certificate; besides, a self-signed certificate is not supported by Outlook Anywhere, so it might not be suitable for Mike.

    @Mike,

    You may troubleshoot this issue via one of the following methods:

    1. Purchase another certificate that contains all names. Please refer to "Planning your organization's namespace" at http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx.
    2. Change the internal DNS records and the web-based service URLs to match the existing certificate. For details, see http://support.microsoft.com/kb/940726.

    Hope it is helpful.


    Fiona
    • Proposed as answer by Fiona_Liao Wednesday, September 28, 2011 3:24 AM
    • Marked as answer by Fiona_Liao Wednesday, October 5, 2011 9:09 AM
    Wednesday, September 28, 2011 3:24 AM

All replies

  • On Mon, 26 Sep 2011 19:55:42 +0000, varrus999 wrote:
     
    >
    >
    >Hi
    >
    >I have an issue with a 2010 server. I'll use a couple of sample domain names to outline my issue:
    >
    >Let's say our public domain name is abc.com, so our mail is accessed via mail.abc.com
    >
    >Our internal domain name is xyz.com (not .local), so server names are server1.xyz.com, server2.xyz.com, etc.
     
    Okay. Do you own the domain xyz.com, too?
     
    >So I created a SAN cert via GoDaddy which included mail.abc.com, autodiscover.abc.com, legacy.abc.com. Installed the cert, no problems. Tested connectivity using the remote tool, no problem. Can access OWA without the security warning.
    >
    >Unfortunately there are some issues that were discovered later. Numerous sync errors, and issues with out of office on Windows 7 clients. We did some troubleshooting and I was told to add the FQDN name to the cert. Let's say the server name is mail1.xyz.com. I tried adding this to the GoDaddy cert, but unfortunately it is impossible since xyz.com is a public domain name that has nothing to do with our company (we are using it internally only).
     
    Soooo . . . whatever possessed you to use someone else's domain
    name???
     
    >So I'm stuck with this issue. Godaddy said I can use internal names such as xyz.local, but our internal domain is .com so I don't know how to add the FQDN to the cert.
    >
    >Any suggestions?
     
    You may have to create your own CA and issue the certs yourself. Your
    employees will just have to add your CA's root certificate to their
    machine's certificate store as a trusted root (or you can do that with
    a GPO, I think, for the managed machines). It's a PITA to deal with
    when it comes to mobile devices, though.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Monday, September 26, 2011 10:02 PM
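The internal-CA route Rich describes, worked through as an added example in the Exchange 2010 Management Shell. This is not code from the thread; the server name, CA name, subject DN, template name and file paths are all assumptions, and the enterprise CA is assumed to be one the organisation already runs.

```powershell
# Added example, not code from this thread. The internal-CA route Rich suggests,
# driven from the Exchange 2010 Management Shell on the Client Access server.
# Every name below is an assumption: CAS mail1.xyz.com, public names under abc.com,
# an AD enterprise CA reachable as "dc1.xyz.com\XYZ-Issuing-CA", files under C:\certs.

$Server   = 'mail1.xyz.com'                 # assumption: internal FQDN of the CAS
$CaConfig = 'dc1.xyz.com\XYZ-Issuing-CA'    # assumption: enterprise CA, "host\CA name" form
$Names    = 'mail.abc.com', 'autodiscover.abc.com', 'legacy.abc.com', $Server
$ReqFile  = 'C:\certs\mail1.req'
$CerFile  = 'C:\certs\mail1.cer'
$RootFile = 'C:\certs\xyz-root.cer'         # assumption: exported root CA certificate

# 1. Build a CSR whose subjectAltName carries both the public names and the internal FQDN.
#    A public CA refused mail1.xyz.com; an internal CA you control will sign whatever you ask.
$csr = New-ExchangeCertificate -GenerateRequest `
           -SubjectName 'CN=mail.abc.com, O=ABC, C=US' `
           -DomainName $Names `
           -KeySize 2048 `
           -PrivateKeyExportable $true `
           -Server $Server
Set-Content -Path $ReqFile -Value $csr

# 2. Submit the request to the enterprise CA; WebServer is the stock server-auth template.
#    If the CA is set to require manager approval this step prints a request ID instead.
certreq.exe -submit -config $CaConfig -attrib 'CertificateTemplate:WebServer' $ReqFile $CerFile

# 3. Complete the pending request (pairs the issued cert with the private key made in step 1)
#    and bind it to IIS, which is what OWA, EWS, Autodiscover and Outlook Anywhere use.
$cert = Import-ExchangeCertificate -Server $Server `
            -FileData ([Byte[]](Get-Content -Path $CerFile -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS

# 4. Check the bound certificate really lists every name clients will connect to.
$bound   = Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint
$sans    = @($bound.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing = @($Names | Where-Object { $sans -notcontains $_.ToLower() })
if ($missing.Count -gt 0) {
    Write-Warning ("Names NOT on certificate {0}: {1}" -f $bound.Thumbprint, ($missing -join ', '))
} else {
    Write-Host ("Certificate {0} covers all {1} names" -f $bound.Thumbprint, $Names.Count)
}

# 5. Trust: publish the root CA into Active Directory so every domain-joined machine picks it
#    up in its Trusted Root store at the next Group Policy refresh. Non-domain machines and
#    phones still need the root installed by hand, the "PITA" Rich mentions.
certutil.exe -dspublish -f $RootFile RootCA
```

Note the trade-off this makes: the certificate bound to IIS is now the internal one, so anything outside the domain (home PCs using Outlook Anywhere, phones, partners hitting OWA) must also trust that private root or it will warn. That is why, when the public names are the ones the public certificate carries, most admins prefer to keep the public certificate and change the URLs instead.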
  • You will have to run a split DNS system so that the external name that you do own works internally. Then change all of the internal URLs to use the external address. As long as you aren't using UM then it shouldn't be a problem. The important one to change, which a lot of people miss, is the AutoDiscoverServiceInternalUri, which is set with Set-ClientAccessServer.

    Simon.


    Simon Butler, Exchange MVP
    Wednesday, September 28, 2011 10:32 AM
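Simon's split-DNS approach (which is also Fiona's option 2) carried through as an added example in the Exchange 2010 Management Shell, ending with a check that no configured URL still points at a name missing from the certificate. This is not code from the thread; the CAS name, its IP address and the DNS server are assumptions, and the zone and record commands assume AD-integrated DNS on a Windows Server DNS role.

```powershell
# Added example, not code from this thread. Simon's split-DNS approach (also Fiona's
# option 2): keep the GoDaddy certificate and make every internal name Exchange hands out
# be one the certificate already carries. Exchange 2010 Management Shell on the CAS.
# Assumptions: CAS mail1.xyz.com at 10.0.0.10, AD-integrated DNS on dc1.xyz.com.

$Cas      = 'mail1.xyz.com'     # assumption: internal FQDN of the Client Access server
$External = 'mail.abc.com'      # name on the public SAN certificate
$DnsHost  = 'dc1.xyz.com'       # assumption: a DC running the DNS Server role
$CasIp    = '10.0.0.10'         # assumption: internal address of the CAS

# 1. Split DNS: an internal copy of abc.com. Internal resolvers now answer for the WHOLE
#    zone, so every public abc.com record still needed inside (www, etc.) must be re-created
#    here too, or it silently stops resolving on the LAN.
dnscmd.exe $DnsHost /ZoneAdd abc.com /DsPrimary
dnscmd.exe $DnsHost /RecordAdd abc.com mail         A $CasIp
dnscmd.exe $DnsHost /RecordAdd abc.com autodiscover A $CasIp
dnscmd.exe $DnsHost /RecordAdd abc.com legacy       A $CasIp

# 2. Point every internal URL at a certificate name. The Autodiscover SCP (the one people
#    miss) is what domain-joined Outlook queries first; the virtual-directory InternalUrls are
#    what Autodiscover then hands back for EWS (free/busy, OOF), OAB and ActiveSync.
Set-ClientAccessServer -Identity $Cas `
    -AutoDiscoverServiceInternalUri "https://autodiscover.abc.com/Autodiscover/Autodiscover.xml"
Get-WebServicesVirtualDirectory -Server $Cas | Set-WebServicesVirtualDirectory -InternalUrl "https://$External/EWS/Exchange.asmx"
Get-OABVirtualDirectory        -Server $Cas | Set-OABVirtualDirectory        -InternalUrl "https://$External/OAB"
Get-ActiveSyncVirtualDirectory -Server $Cas | Set-ActiveSyncVirtualDirectory -InternalUrl "https://$External/Microsoft-Server-ActiveSync"
Get-OwaVirtualDirectory        -Server $Cas | Set-OwaVirtualDirectory        -InternalUrl "https://$External/owa"
Get-EcpVirtualDirectory        -Server $Cas | Set-EcpVirtualDirectory        -InternalUrl "https://$External/ecp"

# 3. Verify: pull every internal/external URL back out, take the host part of each, and check
#    it against the SANs of the certificate bound to IIS. Any row with OnCertificate=False is a
#    name that will still trigger the Outlook certificate-mismatch prompt or sync errors.
function Test-ExchangeUrlNames {
    param([string]$Server)
    $cert = Get-ExchangeCertificate -Server $Server |
                Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    $sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $urls = @(
        (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
        Get-WebServicesVirtualDirectory -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
        Get-OABVirtualDirectory         -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
        Get-ActiveSyncVirtualDirectory  -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
        Get-OwaVirtualDirectory         -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
        Get-EcpVirtualDirectory         -Server $Server | ForEach-Object { $_.InternalUrl; $_.ExternalUrl }
    ) | Where-Object { $_ }                       # ExternalUrl is often unset; skip nulls
    foreach ($u in $urls) {
        $hostName = ([Uri]$u).Host.ToLower()
        $exact    = $sans -contains $hostName
        $wildcard = @($sans | Where-Object { $_.StartsWith('*.') -and ($hostName -like $_) }).Count -gt 0
        New-Object PSObject -Property @{
            Host          = $hostName
            OnCertificate = ($exact -or $wildcard)
            Url           = $u.ToString()
        }
    }
}
Test-ExchangeUrlNames -Server $Cas | Format-Table Host, OnCertificate, Url -AutoSize
```

Run the check before and after step 2: before, the EWS and OAB rows come back as mail1.xyz.com with OnCertificate False, which is exactly the mismatch behind the out-of-office and sync errors in the question. Because the SCP and URLs now resolve only through the internal abc.com zone, keep that zone in sync with the public one, and, as Simon says, confirm Unified Messaging is not relying on the old internal name before switching.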
  • On Wed, 28 Sep 2011 03:24:09 +0000, Fiona_Liao wrote:
     
    >Hi Rich,
    >
    >An Exchange server can only install one certificate; besides, a self-signed certificate is not supported by Outlook Anywhere, so it might not be suitable for Mike.
     
    I wasn't suggesting a "self-signed" certificate, but one from an
    internal CA. Provided the root and any intermediate CAs are trusted by
    the servers and clients they should work.
     
    >@Mike,
    >
    >You may troubleshoot this issue via one of the following methods:
    >1. Purchase another certificate that contains all names. Please refer to "Planning your organization's namespace" at http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx.
    >2. Change the internal DNS records and the web-based service URLs to match the existing certificate. For details, see http://support.microsoft.com/kb/940726.
    >
    >Hope it is helpful.
    >Fiona
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     

    Wednesday, September 28, 2011 4:10 PM