Exchange 2016 SSL Certificates

  • Question

  • Hi, 

    I am facing a problem where we need to use internal CA certificates on Exchange 2016 but cannot add external namespaces onto the SSL cert. The external URL on the Web Services virtual directory is https://hybrid.externaldomain.com/EWS; however, on the cert we can only specify https://hybrid.domain.local/EWS. 

    Is there a way to make this work for hybrid connectivity having a cert that doesn't match the namespace? Or is the only option to use an external CA signed certificate on the Exchange servers? 

    Thanks, 

    Mike. 

    Thursday, June 25, 2020 1:49 AM

Answers

  • Hi Mike, Thanks for the update. Sure, in this scenario, you can create a new certificate request using MMC and select the template, for instance Web Server, then provide all the names to be included in the certificate in the common name parameter and create the request. If your CA is online and enrollment is enabled, then you can get the certificate while completing the request using MMC. Once done, you can assign the Exchange services to that certificate. Hope this helps.

    Thanks,
    Ashok M
    ________________________________________________________________
    Please mark the reply as an answer if you find it is helpful :-)
    ________________________________________________________________

    • Marked as answer by mike_00 Thursday, July 2, 2020 5:59 AM
    Tuesday, June 30, 2020 4:47 AM
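As an added example, not from the thread or from Microsoft, the same outcome as the MMC steps above driven from the Exchange Management Shell on the Exchange 2016 server: New-ExchangeCertificate stands in for the MMC request wizard and certreq for the enrollment step. Host names, the CA config string and the file paths are assumed placeholders; every name goes into the SAN list, because clients ignore the common name once a SAN extension is present.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell
# on the Exchange 2016 server. Names below are placeholders from the thread.
$names = @(
    'hybrid.publicdomain.com',       # external EWS / hybrid namespace
    'serverhostname.domain.local',   # internal URL on the 2016 server
    'outlook.domain.local'           # 2010 CAS namespace (assumed still in use)
)

# 1. Generate a PKCS#10 request for the internal CA. The private key is
#    created on this server; exportable so the cert can be copied to peers.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$($names[0]), O=Contoso, C=US" `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -FriendlyName 'Exchange 2016 internal CA certificate'
New-Item -ItemType Directory -Path 'C:\certs' -Force | Out-Null
Set-Content -Path 'C:\certs\ex2016.req' -Value $req -Encoding Ascii

# 2. Submit to the enterprise CA (command-line equivalent of the MMC
#    enrollment wizard). -attrib selects the Web Server template; the
#    "host\CA name" config string is an assumed placeholder.
certreq.exe -submit -attrib 'CertificateTemplate:WebServer' `
    -config 'ca01.domain.local\Contoso-Issuing-CA' `
    'C:\certs\ex2016.req' 'C:\certs\ex2016.cer'

# 3. Import the issued certificate; it is matched to the pending request
#    and joined with the private key generated in step 1.
$cert = Import-ExchangeCertificate `
    -FileData ([System.IO.File]::ReadAllBytes('C:\certs\ex2016.cer'))

# 4. Bind IIS (OWA/ECP/EWS/ActiveSync/Autodiscover) and SMTP to it.
#    -Force suppresses the prompt about replacing the default SMTP cert.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# 5. Verify the SAN list covers every planned name before clients rely on it.
$installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$missing = $names | Where-Object { $installed.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning "Names absent from the certificate: $($missing -join ', ')" }
else { Write-Host 'Certificate covers all configured namespaces.' }
```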

All replies

  • Hi

    Why do you want to put internal names on an SSL certificate? Internal names are not resolvable on the internet, and the law changed a few years ago so that you cannot have internal names on SSL certificates anymore. 


    Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Thursday, June 25, 2020 4:50 AM
  • Hi Edward, 

    Thanks for the response. The internal URL on the Web Services virtual directory has the server host name on it (internal); doesn't this require an SSL certificate with the server host name on it to match what is on the virtual directory configuration? 

    Directory configuration would be as follows: 

    2010 CAS Server:  External URL: https://outlook.domain.local
                      Internal URL: https://outlook.domain.local

    2016 Server:      External URL: https://hybrid.publicdomain.com
                      Internal URL: https://serverhostname.domain.local

    The Exchange 2010 org is not accessible on the internet, which is why the host names are only internal. Also, there will be a separate public CA cert with only externally resolvable host names on the reverse proxy. The certs on the Exchange servers will be internal CA certificates.  

    Mike. 


    • Edited by mike_00 Thursday, June 25, 2020 8:14 PM update
    Thursday, June 25, 2020 8:12 PM
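An added check, not from the thread, for the question just asked: it collects every InternalUrl/ExternalUrl host configured on the server's virtual directories and reports which of them are absent from the certificate bound to IIS, since a client that connects to a host name not on that certificate gets a name-mismatch error. The server name is an assumed placeholder; run it in the Exchange Management Shell.

```powershell
# Added example (not from the thread): compare configured URL hosts with the
# SAN list of the certificate that IIS presents on port 443.
function Test-NameCovered {
    # A cert name matches a host exactly or as a single-label wildcard:
    # *.domain.local covers host.domain.local but not a.b.domain.local.
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".domain.local"
            if ($HostName.EndsWith($suffix, 'OrdinalIgnoreCase')) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Get-ExchangeUrlHosts {
    # Every InternalUrl/ExternalUrl host on the server, plus the Autodiscover SCP.
    param([string]$Server)
    $vdirs = @(
        Get-WebServicesVirtualDirectory -Server $Server
        Get-OwaVirtualDirectory -Server $Server
        Get-EcpVirtualDirectory -Server $Server
        Get-ActiveSyncVirtualDirectory -Server $Server
        Get-OabVirtualDirectory -Server $Server
        Get-MapiVirtualDirectory -Server $Server
    )
    $urls = @($vdirs | ForEach-Object { $_.InternalUrl; $_.ExternalUrl } | Where-Object { $_ })
    $urls += (Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri
    $urls | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique
}

$server = 'ex2016'   # assumed placeholder
$iisCert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
foreach ($h in Get-ExchangeUrlHosts -Server $server) {
    $ok = Test-NameCovered -HostName $h -CertNames $iisCert.CertificateDomains
    '{0,-40} {1}' -f $h, $(if ($ok) { 'covered' } else { 'NOT on certificate: clients will see a name mismatch' })
}
```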
  • Hi Mike,

    Do you mean you want to add "hybrid.publicdomain.com" to your internal CA certificate?

    If so, you have to create a new internal CA certificate that includes all needed domain names, and replace the old one. You can check this for more information about creating a certificate: Certificate procedures in Exchange Server.

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Friday, June 26, 2020 5:55 AM
  • 
    Hi Mike,

    The Exchange Hybrid certificate requirement is to use third-party certificates; an internal CA certificate will not work. 

    https://docs.microsoft.com/en-us/exchange/certificate-requirements

    https://support.microsoft.com/en-ae/help/2879262/missing-certificate-on-the-last-page-of-the-hybrid-configuration-wizar


    Thanks,
    Ashok M

    • Proposed as answer by Ashokm_14 Monday, June 29, 2020 9:42 AM
    Friday, June 26, 2020 6:41 AM
  • Hi, as I mentioned before, there will be two certificates. One is a public CA certificate, which will be hosted on the reverse proxy, and the other will be an internal CA certificate hosted on the Exchange servers. So there will be a public CA certificate used for the Hybrid component. 

    Mike. 

    Monday, June 29, 2020 9:41 PM
  • Just checking in to see if above information was helpful. If you have any questions or need further help on this issue, please feel free to post back.

    Regards,

    Lydia Zhou


    Thursday, July 2, 2020 5:55 AM
  • Great, 

    Thanks very much for the response. 

    Mike

    Thursday, July 2, 2020 5:59 AM
  • Glad that the suggestion was helpful.

    Thanks,
    Ashok M

    Thursday, July 2, 2020 6:34 AM