Exchange SAN Certificate Help!

Hello,
I need some help in troubleshooting a problem I have with a customer's Exchange 2007 server.
I installed a new SSL SAN cert on their only Exchange server yesterday, and today users are receiving certificate name mismatch prompts when opening their Outlook 2007 clients.
The previous cert had the local host name in the SAN cert, but given the changes around using local host names in certs soon to be implemented, I left these entries out this time around with the new cert.
I already have a split horizon DNS zone within the local domain, which contains an A record for Autodiscover.
So, the setup is as follows:
New SSL SAN cert:
CN= mail.domain.co.uk
SAN= autodiscover.domain.co.uk, owa.domain.co.uk
Split horizon DNS zone: (within domain.local AD domain)
autodiscover.domain.co.uk
A record: autodiscover.domain.co.uk = IP of Exchange server
The output from an Outlook client auto configuration test is listed below:
<LegacyDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=TestUser1</LegacyDN>
      <DeploymentId>64a06c34-547e-44d8-8885-aa8fd530e2a1</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>EXCHSRV01.domain.local</Server>
        <ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHSRV01</ServerDN>
        <ServerVersion>72038053</ServerVersion>
        <MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHSRV01/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>EXCHSRV01.domain.local</PublicFolderServer>
        <AD>EXCHSRV01.domain.local</AD>
        <ASUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</EwsUrl>
        <OOFUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://EXCHSRV01.domain.local/UnifiedMessaging/Service.asmx</UMUrl>
        <OABUrl>http://EXCHSRV01.domain.local/OAB/5642c2e4-e31e-4ab8-89e7-d4590570249b/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.domain.co.uk</Server>
        <SSL>On</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <ASUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</EwsUrl>
        <OOFUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</OOFUrl>
        <OABUrl>http://mail.domain.co.uk/OAB/5642c2e4-e31e-4ab8-89e7-d4590570249b/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <External>
          <OWAUrl AuthenticationMethod="Fba">https://mail.domain.co.uk/owa</OWAUrl>
          <Protocol>
            <Type>EXPR</Type>
            <ASUrl>https://mail.domain.co.uk/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </External>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://EXCHSRV01.domain.local/owa</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://EXCHSRV01.domain.local/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
As the SCP was originally pointing to the local fqdn of the Exchange server, I have amended the binding in ADSS so that the SCP now points to the autodiscover.domain.co.uk A record instead.
I took this step because even with the internal URL for Autodiscover's virtual directory set to https://autodiscover.domain.co.uk/Autodiscover/autodiscover.xml this path was ignored and Outlook defaulted to the fqdn of the local server.
I thought this might rectify the issue but to no avail.
The security prompt when opening Outlook still references the fact that EXCHSRV01.domain.local does not match the CN of the cert, mail.domain.co.uk.
Can anyone assist in troubleshooting this further?
Regards
Matt

Hi Matt,
We can run the following command to check your certificate settings on your Exchange server:
Get-ExchangeCertificate | FL
If your SAN certificate is assigned to the IIS service, please change your internal URLs to match the names on your SAN certificate. We can refer to the following KB to achieve the internal URL changes:
http://support.microsoft.com/kb/940726
Thanks,
Winnie Liang
TechNet Community Support
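Winnie's advice as an added Exchange Management Shell example (not code from the thread): list the names on the certificate bound to IIS, report every internal URL that still advertises EXCHSRV01.domain.local, and re-point those URLs at mail.domain.co.uk with the SCP pointed at the Autodiscover SAN entry. It assumes Exchange 2007 with the default "Default Web Site" virtual directory names and that mail.domain.co.uk also has an A record in the internal split-horizon zone.

```powershell
# Added example (not from the original thread): find internal URLs whose host is
# not on the IIS certificate, then re-point them at names the certificate covers.
# Hostnames are the ones quoted in the question.
$server   = 'EXCHSRV01'
$certName = 'mail.domain.co.uk'          # CN of the new certificate
$autoDisc = 'autodiscover.domain.co.uk'  # SAN entry already in the split-horizon zone

# 1. Names on the certificate that is actually enabled for the IIS service.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object -ExpandProperty CertificateDomains |
    ForEach-Object { "$_" })
'Names on the IIS certificate: ' + [string]::Join(', ', $certNames)

# 2. Report every internal URL whose host is not covered by that certificate.
#    Outlook builds its EXCH/EWS/OAB URLs from these, so any host listed here
#    produces the name-mismatch prompt the users are seeing.
$vdirs = @(Get-WebServicesVirtualDirectory -Server $server) +
         @(Get-OabVirtualDirectory -Server $server) +
         @(Get-OwaVirtualDirectory -Server $server) +
         @(Get-ActiveSyncVirtualDirectory -Server $server) +
         @(Get-UMVirtualDirectory -Server $server)
foreach ($v in $vdirs) {
    if ($v.InternalUrl -and ($certNames -notcontains $v.InternalUrl.Host)) {
        '{0,-50} InternalUrl host {1} is not on the certificate' -f $v.Identity, $v.InternalUrl.Host
    }
}

# 3. Re-point the internal URLs at the certificate CN and the SCP at the Autodiscover SAN.
#    The OAB URL in the question was plain http; it is switched to https here.
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" -InternalUrl "https://$certName/EWS/Exchange.asmx"
Set-OabVirtualDirectory        -Identity "$server\OAB (Default Web Site)" -InternalUrl "https://$certName/OAB" -RequireSSL $true
Set-OwaVirtualDirectory        -Identity "$server\owa (Default Web Site)" -InternalUrl "https://$certName/owa"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$certName/Microsoft-Server-ActiveSync"
Set-UMVirtualDirectory         -Identity "$server\UnifiedMessaging (Default Web Site)" -InternalUrl "https://$certName/UnifiedMessaging/Service.asmx"
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri "https://$autoDisc/Autodiscover/Autodiscover.xml"

# 4. Verify; Outlook picks the new URLs up on its next Autodiscover lookup.
Get-ClientAccessServer -Identity $server | Format-List Name, AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
```

Run the reporting loop again after step 3 and re-test with Outlook's "Test E-mail AutoConfiguration" to confirm that no URL in the response still carries the .local host.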

Similar Messages

  • Accepted domains in Exchange SAN certificate

    Hi All,
    I have a few queries; please clarify them for me.
    In my environment, I have the accepted domains list as below:
    xyz.com
    abc.com
    All the users in my organisation have the primary SMTP address as [email protected] and the secondary SMTP address as [email protected]
    In my SAN certificate I do not have any of the above mentioned accepted domains.
    Do I need to have all the accepted domains on the SAN certificate, or is only the primary SMTP address domain suffix enough?
    If I don't have any of my accepted domain suffixes in the SAN certificate, what will happen? I am asking because I am not getting any certificate-related errors.
    As additional info, we are using a single namespace for Exchange services like OWA, ActiveSync, POP/IMAP and Outlook Anywhere (both internal & external) and that name is available in my SAN certificate.
    The Autodiscover namespace is also included in my SAN certificate.
    Thanks S.Nithyanandham

    Hi Imkottees,
    Thanks a lot for your immediate response.
    But I still have some queries; please explain what you are trying to say in the line below:
    "But you need this for all Primary domains used in your environment"
    Regards
    S.Nithyanandham

  • How to create a SHA256 SAN Certificate for Exchange

    Dear.
    When using the command described below to create a SAN certificate for Exchange, only SHA1 certificate requests are created. How can I create the same request but for SHA256?
    It seems that it's not possible to do this through New-ExchangeCertificate.
    Do you know the alternative command when using certreq for the following Exchange command:
    New-ExchangeCertificate -PrivateKeyExportable:$true -FriendlyName 'mail.domain.com' -SubjectName 'C=NL,S="aaaa",L="bbbb",O="cccc",OU="dddd",CN=mail.domain.com' -DomainName @('mail.domain.com','exchange.wps.domain.com','webmail.domain.com','ews.domain.com','as.domain.com','oa.domain.com','oab.domain.com','ps.wps.domain.com','autodiscover.domain.com') -RequestFile '\\10.0.6.151\c$\temp\certificate_Request.req' -GenerateRequest:$true -KeySize '2048'
    Thanks for the feedback.
    Regards.
    Peter
    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be

    Hi Peter,
    There is no parameter in New-ExchangeCertificate to select the hash algorithm (SHA) used to generate the request. In my personal opinion, we can create the certificate signing request using the Certificates MMC and then create a custom request as follows:
    1. Open MMC.exe. Click File > Add/Remove snap-in…
    2. In the Available snap-ins tab, select Certificates > Add > Computer account > Local computer > Finish.
    3. Expand Certificates (Local Computer) > Personal > Certificates.
    4. In the Action pane, click More Actions > All Tasks > Advanced Operations > Create Custom Request.
    5. Click Next > Proceed without enrollment policy > Next > Next.
    6. In the Certificate Information page, click Details > Properties.
    7. Then you can fill in the needed information for your request.
    8. In the Private Key tab, expand Select Hash Algorithm and set the Hash Algorithm to sha256.
    9. Click OK > Next. Fill in the File Name and select the request location.
    10. Finish it and send this request to the certificate authority.
    Regards,
    Winnie Liang
    TechNet Community Support
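Peter asked for the certreq equivalent; as an added example (not code from the thread), this PowerShell writes a certreq INF that carries HashAlgorithm = sha256 together with the same subject and SAN list as his New-ExchangeCertificate command, then generates the request. The C:\temp paths are assumptions, and the HashAlgorithm INF key needs Windows Server 2008 R2 / Windows 7 or later.

```powershell
# Added example (not from the original thread): build a SHA-256 SAN request with
# certreq. Subject fields and DNS names are those from Peter's command above;
# file locations are placeholders.
$dnsNames = 'mail.domain.com', 'exchange.wps.domain.com', 'webmail.domain.com',
            'ews.domain.com', 'as.domain.com', 'oa.domain.com', 'oab.domain.com',
            'ps.wps.domain.com', 'autodiscover.domain.com'

# Each SAN entry becomes one "dns=<name>&" token; certreq concatenates the
# _continue_ lines into the single value of the 2.5.29.17 (SAN) extension.
$sanLines = ($dnsNames | ForEach-Object { '_continue_ = "dns={0}&"' -f $_ }) -join "`r`n"

$inf = @"
[NewRequest]
Subject = "C=NL,S=aaaa,L=bbbb,O=cccc,OU=dddd,CN=mail.domain.com"
FriendlyName = "mail.domain.com"
KeyLength = 2048
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@

$infPath = 'C:\temp\certificate_Request.inf'   # assumed path
$reqPath = 'C:\temp\certificate_Request.req'   # assumed path
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# Generate the CSR; the private key is created in the Local Computer store,
# which is where Exchange expects it when the issued certificate is installed.
certreq -new $infPath $reqPath

# Check the CSR before sending it to the CA: the signature algorithm line
# should read sha256RSA and every SAN should appear as a "DNS Name=" entry.
certutil -dump $reqPath | Select-String 'Algorithm', 'DNS Name='
```

After the CA returns the issued certificate, `certreq -accept` binds it to the stored private key and Enable-ExchangeCertificate assigns it to the IIS service.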

  • Trial SAN Certificate & Outlook Anywhere (RPC over HTTP) test fail

    I am testing Exchange 2013 where Autodiscover passes while the Outlook Anywhere (RPC over HTTP) connectivity test fails with an invalid SSL certificate. I am only using a self-signed certificate. Does anyone have an idea if any CA provides SAN certificates on a trial basis?

    Hi,
    Agree with the above suggestion, the ExRCA test cannot pass with a self-signed certificate. And to ensure Outlook Anywhere works well, we need to install the self-signed certificate on all client machines.
    If you have any question, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Server Name VS Outlook Anywhere Proxy Server and the behaviour I should expect when using SAN certificates...

    (I'll upload screen captures if needed once my account gets verified)
    I have a basic (as in freshly installed single Exchange Server 2010 SP3) Exchange Server installation. I've set up Outlook Anywhere. I've also set up a SAN (SubjectAltName) certificate.
    My setup:
    ex01.eci.XXXX.XX = is the server name and also the CN of my SAN certificate
    mail.eci.XXXX.XX = an A record I've set up to access my Exchange server. It is also a subjectAltName in my SAN certificate
    When setting up Outlook, I enter the server name and specify the Outlook Anywhere proxy server in the Outlook Anywhere section. This works fine and I connect to my Exchange server using RPC over HTTPS.
    Now, I was under the impression that specifying SANs in the certificate would allow me to enter the SAN alt name (mail.eci.XXXX.XX) in the field reserved for the Server Name in Outlook.
    But it does not work. The proxy gives me an error each time, like this:
    HTTP    544    RPC_IN_DATA /rpc/rpcproxy.dll?mail.eci.XXXX.XX:6002 HTTP/1.1 , NTLMSSP_NEGOTIATE
    HTTP    635    HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE (text/html)
    HTTP    123    HTTP/1.0 503 RPC Error: 6ba
    My question is: is this the behaviour I should expect? Or should I be able to specify the SAN alt name in the Server Name in Outlook?
    Thanks!

    Hi,
    Firstly, I'd like to explain that the server name tab should be filled with your mailbox server name when configuring an Exchange 2010 account.
    And the Outlook Anywhere proxy server is configured on the server side and cannot be randomly defined on the client side. To check it, we can run: get-outlookanywhere |fl externalhostname
    Thus, it's expected behavior that we get an error if we randomly enter a name in the server name tab when configuring an account. If I misunderstand your meaning, please feel free to let me know.
    Additionally, the Autodiscover service can help us automatically complete the configuration of the Outlook account. What is the result if you use Autodiscover to configure the account automatically?
    If you have any question, please feel free to let me know.
    Thanks,
    Angela Shi
    TechNet Community Support

  • Why SharePoint 2013 Hybrid need SAN certificates and what SAN needs ?

    I've read this TechNet article, but I couldn't understand the required values of SubjectAltName.
    https://technet.microsoft.com/en-us/library/b291ea58-cfda-48ec-92d7-5180cb7e9469(v=office.15)#AboutSecureChannel
    For example, if I build the following servers, what SANs do I need?
    I would also be happy if you could tell me why.
    [ServerNames]
     AD DS Server:DS01
     AD FS Server:FS01
     Web Application Proxy Server:PRX01
     SharePoint Server(WFE):WFE01
     SharePoint Server(APL):APL01
     SQL Server:DB01
    [AD DS Domain Name]
     contoso.local
     (Please be assumed that above all servers join this domain)
    [Site collection strategy]
     using a host-named site collection
    [Primary web application URL]
     https://sps.contoso.com
    Thanks.

    Hi,
    From your description, my understanding is that you have some doubts about SAN.
    If you have a SAN, you can leverage it to make SharePoint a little easier to manage and to tweak SharePoint's performance. From a management standpoint, SANs make it easy to adjust the size and number of SharePoint's hard disks. You could refer to this blog:
    http://windowsitpro.com/sharepoint/best-practices-implementing-sharepoint-san. You could find what a SAN needs in the part "Some SAN Basics" in this blog.
    These articles may help you understand SAN:
    https://social.technet.microsoft.com/Forums/office/en-US/ea4791f6-7ec6-4625-a685-53570ea7c126/moving-sharepoint-2010-database-files-to-san-storage?forum=sharepointadminprevious
    http://blogs.technet.com/b/saantil/archive/2013/02/12/san-certificates-and-sharepoint.aspx
    http://sp-vinod.blogspot.com/2013/03/using-wildcard-certificate-for.html
    Best regards
    Vincent Han
    TechNet Community Support

  • GoDaddy SAN certificate untrusted on clients

    I have requested, downloaded and installed a GoDaddy SAN certificate for my Lync server(s).
    If I apply the certificate and try to log into Lync 2010 on a new client I get "there was a problem verifying the certificate from the server".
    If I install the GoDaddy intermediate certificate into the Trusted Root Certification Authorities store on the Windows 7 client it works OK.
    I assumed Windows 7 clients would automatically trust GoDaddy as a certificate authority....?

    This issue occurs when the correct certificate is not installed on the computer.
    Because 1,024-bit certificates are rooted to 2,048-bit certificates, you may have to download and to install the required root certificate before you can successfully sign in to Office Communicator or to Lync.
    Also, you can refer to the link below:
    http://support.microsoft.com/kb/2014466

  • Exchange OWA Certificate Question

    Hello All
    I just have a question regarding the Exchange OWA certificate which is about to expire. (owa.domain.com, autodiscover.domain.com, mail.domain.com)
    I have 
    Site one 
      Mailbox 2013 Server1
      CAS 2013 Server1
      Edge 2013
    Site 2
       Mailbox 2013 Server2
       Cas 2013 Server2
       Edge 2007
    Exchange high availability is configured. On ECP I see my OWA certificate about to expire on both CAS servers on the same day (same cert).
    I would like to create a new certificate, not renew, as I have some old domains to remove from the cert.
    My question is, when I create the new request from ECP on CAS Server1, send it to the CA and then install it, how will this affect the certificate that is expiring on CAS Server2?
    Thanks

    Hi nricki,
    Agree with Hinte, you can export the new certificate which was created on the CAS1 server and then import it to the CAS2 server.
    The following article for your reference:
    How to Export/Import an SSL Certificate to Multiple Exchange 2013 Servers
    Best regards,
    Niko Cheng
    TechNet Community Support

  • RDS 2012 Certificates help

    Hi all,
    I am currently implementing an RDS 2012 infrastructure.
    1-2 RDS Host servers
    1 server which contains the gateway and web access roles (sits in the DMZ network)
    1 licensing server
    So I have 4 RDS servers in total.
    I have an internal and an external domain, so for example:
    test.com (external domain - public facing)
    internal.com (internal domain - LAN users)
    1-2 RDS Host servers - INTERNAL
    1 Licensing server - INTERNAL
    1 Gateway and Web Access server - PUBLIC
    Would purchasing a public SAN certificate work for my environment, applying it to all four servers?
    If not, what would work?
    Thanks

    Hi,
    Thank you for posting in Windows Server Forum.
    You can use a single SAN certificate to achieve your goal, as it can serve all servers. Apart from that, there are some basic requirements for an RDS certificate.
    Basic requirements for Remote Desktop certificates:
    1. The certificate is installed into computer’s “Personal” certificate store. 
    2. The certificate has a corresponding private key. 
    3. The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well. 
    More information:
    Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services
    http://blogs.technet.com/b/askperf/archive/2014/01/24/certificate-requirements-for-windows-2008-r2-and-windows-2012-remote-desktop-services.aspx
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • SAN certificate for external access for edge server and reverse proxy

    Hello
    I have a question related to certificate planning for a Lync 2013 Edge Server.
    For external access and mobile users, I want to enable all the features for external users.
    I'm planning to purchase a SAN certificate.
    My first question: do I need only one SAN certificate for both my Edge server and the reverse proxy?
    My second question is about the names that should be added to the certificate:
    sip.mydomain.com
    av.mydomain.com
    webconf.mydomain.com
    What else should I add? I want to add the names for all feature access.
    Kind Regards
    MK

    Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
    If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
    You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network. Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as an additional SAN on your cert.
    Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only.
    Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that can present the third party certificate.
    SWC Unified Communications

  • UC/SAN Certificate on 11500

    Does anyone know if UC or SAN certificates are supported on the 11500? I've heard that wildcard certs can be used but those are a little different. Are they supported but you just can't create the CSR on the 11500 itself and need to import it along with the key from a different box?
    Any help would be great.

    That's correct.
    We should be able to handle the SAN certificate as we don't really do much with the certificate.
    I just verified and it works fine.
    Gilles.

  • Standard or UUC/SAN certificate for RDS

    I successfully deployed RemoteApp using a self-signed certificate.
    Now it is time to replace it with a trusted one.
    From what I found, a UUC/SAN certificate will allow securing subdomains, unique domains and websites.
    My RDS deployment is limited to one domain only.
    Does a wildcard certificate mean that during certificate creation on a trusted site (e.g. GoDaddy) I will have an option to enter:
    *.my_domain.com for the subject and then use it for any RDS server?
    So it will be just a standard certificate with a wildcard.

    Hi,
    If you plan to have RD Connection Broker, RD Gateway, RD Web Access all on the same server you can purchase a single-name certificate, which is much cheaper than a wildcard.
    If you need a wildcard then you would purchase a wildcard certificate from the public authority, create your certificate request with a Common Name of *.domain.com, submit this to the authority, and then complete the request with the response.
    For example, on your RD Web Access server you could open IIS Manager, select the server name in the left pane, double-click on Server Certificates in the middle, click Create Certificate Request. Fill out the information, select 2048 bits, etc., save as a file. Open the file in Notepad, copy the request, then paste it into the appropriate box in the trusted authority's web site.
    The public certificate providers have step by step instructions for creating a request for an IIS website and installing the resulting response. You can usually follow those if you are unsure.
    Once you have your certificate installed on your RD Web server, open up certlm.msc, navigate to the Personal store, right-click on the certificate and export it and its private key as a .pfx file. This is what you will use to apply the certificate in Server Manager -- RDS -- Overview -- Tasks -- Deployment Properties -- Certificates tab. You apply the certificate to 1 purpose at a time until you have all four purposes set to your new wildcard certificate.
    -TP

  • My web browsers don't work anymore because I accidentally deleted the certificates. Help me retrieve them.. thanks Apple :)

    My web browsers don't work anymore because I accidentally deleted the certificates. Help me retrieve them.. thanks Apple

    Apple - Support - iPod - Repair pricing - http://www.apple.com/support/ipod/service/prices/

  • My iPhone 5 stopped syncing to Outlook email, calendar and contacts after the IT department switched from an HP Exchange server to an MS 2010 Exchange server. Help?

    My iPhone 5 stopped syncing to Outlook email, calendar and contacts after the IT department switched from an HP Exchange server to an MS 2010 Exchange server. Help?

    Try deleting your Exchange account on your iPhone, then adding it again fresh. I had the same problem when we upgraded servers and this fix worked for me.

  • Certificate help asap!!!!!!!!!!!!!!

    I was trying to upload my app and it gave me the error
    "APPLICATION FAILED CODESIGN VERIFICATION. THE SIGNATURE WAS INVALID OR IT WAS NOT SIGNED WITH AN APPLE SUBMISSION CERTIFICATE"
    HELP.
    asap
    thanks

    Personally I've noticed that the more exclamation points and the more yelling (i.e. caps) in a post the less likely you are to get helped.
    I honestly don't know how to help but am pretty sure you need a few more details as well.
