SSL and Exchange

PR.

Bit of a long shot...

I'm rolling out Exchange 2010 and I'm having problems with SSL certificates. As I'm upgrading from 2003 we currently only have the one certificate. However, 2010 requires pretty much one for everything!

I'm seeing an error on my test clients because the server's internal domain name doesn't have a proper SSL certificate! Does that mean I have to have an SSL certificate for the external domain name, another for every internal server name, and another for the FQDN of every internal server?

I was looking at Godaddy for SSL Certificates - http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=9039 would an unlimited sub-domains SSL cover this?

This is what I guess I'd need to order?
mail.company.com (external owa)
servername (internal server name x10 exchange sites)
servername.company.com (fully qualified internal domain name x10 exchange sites)

Has anyone else deployed 2010 or even 2007 and had to go through this?

Thanks
 
For your internal certificates I'm pretty sure you can use Active Directory Certificate Services (WIN-2008), which is of course free; this is based off your internal server/domain name. I am using this now for a Citrix XenApp solution; my Secure Gateway (which would be your external webmail server) is using Verisign and is based off the FQDN of the external web access URL.

Works fine!
 
Yeah, you can use self-cert for everything internal. You only need an externally certified SSL certificate for your CAS server so that OMA/OWA/RPC-over-HTTP works fine.

Exchange 2010 has definitely been my most favored rollout of exchange.
 
Think I'm going to have to go with a new certificate. I've set up an internal CA and created a certificate, but you can only assign the Exchange IIS process to the internal OR the external certificate, so either way one doesn't work.

Thanks anyway!
 
Are you importing the cert using the shell? I am fairly confident that Exchange can handle more than one cert this way, but I'd have to do some reading to be absolutely sure...
 
Am about to transition to 2010 myself at work. Whilst you can make it work with a single, simple SSL cert for external access and leave everything internal on the in-built self-signed one or one generated by a local CA, it's far simpler to just bite the bullet and get a UCC one from the likes of GoDaddy - it's only 60-odd quid.
 
We bought a wildcard SSL cert in the end, cost £124 (with a £30 promo code), but we can basically cancel a bunch of other certs we've been paying for for years, so we're still going to save money.

Installed fine and internal and external connections are working perfectly.
 
You don't need to use an externally signed certificate; here are the steps to create an internal unified communications certificate for free...

1. Setup an internal Certificate Authority.
2. Go to: https://www.digicert.com/easy-csr/exchange2010.htm
3. Use this tool to create a unified communications certificate; make sure to include:

- Common name = mail.yourcompany.com
- Alternative Name1 = mail.yourcompany.com
- Alternative Name2 = NetBIOS name e.g. Exchange01
- Alternative Name3 = FQDN e.g. Exchange01.company.local
- Alternative Name4 = autodiscover.yourcompany.com

4. Run the resultant PowerShell command in the Exchange Management Shell on your Exchange server.
5. Create the unified certificate by submitting a certificate request on your internal CA website using the output of the PowerShell command.
6. Apply certificate to exchange server IIS site and set the default website https bindings to use your new certificate.
7. Enjoy a beer
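The procedure in the post above, carried through as one Exchange Management Shell script. This is an added example, not the poster's own commands or the DigiCert tool's output; the host names (Exchange01, company.local, mail.yourcompany.com), the CA name CA01.company.local\Company-CA, the WebServer template and the C:\certs paths are all assumptions you would replace with your own.

```powershell
# Added example (not from the original post): request, issue, import and bind a SAN
# certificate for Exchange 2010 using an internal AD CS CA. All names below are assumptions.

$server   = 'Exchange01'                     # NetBIOS name, as clients on the LAN may see it
$fqdn     = 'Exchange01.company.local'       # internal FQDN
$external = 'mail.yourcompany.com'           # external OWA / Outlook Anywhere / ActiveSync name
$autod    = 'autodiscover.yourcompany.com'   # Autodiscover for external Outlook and phones

# 1. Generate the request. The CN is the external name; every name a client will ever
#    type or be redirected to goes in -DomainName, otherwise that client gets a name-mismatch warning.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$external, O=Your Company, C=GB" `
    -DomainName $external, $autod, $server, $fqdn `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -Server $server
Set-Content -Path 'C:\certs\exchange.req' -Value $req

# 2. Submit the request to the internal enterprise CA (CA config string is an assumption).
#    This replaces the "certificate request on your internal CA website" step in the post.
certreq -submit -attrib 'CertificateTemplate:WebServer' `
    -config 'CA01.company.local\Company-CA' `
    'C:\certs\exchange.req' 'C:\certs\exchange.cer'

# 3. Import the issued certificate (it pairs with the private key created in step 1)
#    and bind it to IIS, which covers OWA, ECP, EWS, ActiveSync, Autodiscover and OAB.
$cert = Import-ExchangeCertificate -Server $server `
    -FileData ([Byte[]](Get-Content -Path 'C:\certs\exchange.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS

# 4. Check: the certificate bound to IIS must carry every name in use, and the internal
#    service URLs must resolve to one of those names, or internal Outlook still warns.
Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Services -match 'IIS' } |
    Format-List Subject, CertificateDomains, NotAfter, Thumbprint
Get-WebServicesVirtualDirectory -Server $server | Format-List InternalUrl, ExternalUrl
Get-AutodiscoverVirtualDirectory -Server $server | Format-List InternalUrl, ExternalUrl
```

Two caveats a practitioner would want alongside this. First, a certificate issued by the internal CA is only trusted by machines that hold that CA's root, so the external names in it stop warnings for domain-joined PCs but not for home browsers or phones; the thread's later replies cover that trade-off. Second, public CAs stopped issuing certificates containing non-public names such as Exchange01 or Exchange01.company.local, so if you later buy a UCC or wildcard certificate, the usual approach is to set the InternalUrl on each virtual directory to the public name and resolve that name internally with split DNS rather than putting internal names in the certificate.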
 
But won't an internally created certificate only work for internal computers? We have home users via OWA and iPhones using ActiveSync and we don't want constant SSL certificate warnings.

Had no major problems with the upgrade to 2010 from 2003. If anyone is doing the same thing and has users running Outlook 2003 or earlier, you'll need to enable encryption on the account settings, otherwise 2010 will reject the client and they won't connect (had a few hours of fun trying to work out why some users couldn't connect...).

One server down, 9 to go!!
 
Or you can disable forced encryption on the 2010 server. Yes, you'll need an externally signed certificate if you want to avoid the warnings, but it depends how fussed you are about clicking through the warning when you access OWA. You can always pop the CA certificate into the trusted root CAs on the machine accessing it. ActiveSync works fine and only prompts you when you initially set up the connection (certainly on the iPhone I tested it on).
 