Using an SSL certificate for Exchange 2013
Hi,
I am not sure if this is the correct forum to post this question in.
Basically we are migrating from Exchange 2007 to Exchange 2013. Our 2013 machines have both roles installed and do everything. They are configured in a DAG. We have no hardware load balancing/reverse proxy or etc. inside or outside.
We use an alias of mail.domain.com to connect to OWA/ActiveSync etc. from the Internet. This alias would point to mail1.domain.com, which is the IP of the first Exchange 2013 server.
If that server were to break, we would point the alias of mail.domain.com to mail2.domain.com, which is the IP of the second Exchange 2013 server. Clients would not need any changes before they started connecting to the remaining mail server (eventually) and email would continue.
I know this is not an ideal setup, but for now it is what we have and would keep us running in the event of server failure.
My question is, when I request a certificate, do I need two of them with mail1.domain.com and mail2.domain.com as their primary and SAN of mail.domain.com, OR do I request one certificate with mail.domain.com as the primary host and SAN of mail1.domain.com and mail2.domain.com (and install the one certificate on both servers)?
I want to include mail1.domain.com and mail2.domain.com as this can be helpful for testing and/or during migration.
I hope that makes some sense and appreciate any help people can offer.
Thanks!
You do not need server names in the certificate if you are using mail.domain.com only in all of the URL settings. You will want autodiscover.domain.com, however.
Consider configuring a different internal and external name for Outlook Anywhere so that Outlook knows whether it is connecting from the Internet or internally. For internal Outlook Anywhere, use a name that you don't publish to the Internet.
For example, use mail.domain.com for everything except internal Outlook Anywhere, for which you use mailinternal.domain.com. Put mail.domain.com, mailinternal.domain.com and autodiscover.domain.com in the certificate.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
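Putting the naming plan from the reply above into Exchange Management Shell commands, as an added example that is not part of the original thread: one request whose CN is the alias and whose SANs are the autodiscover and internal-only names, the same certificate installed on both DAG members, and Outlook Anywhere split into an external and an internal host name. domain.com, the organisation string, the server name mail2 and the file paths are placeholders.

```powershell
# Added example (not from the original thread). Run in the Exchange Management Shell on the
# first Exchange 2013 server. domain.com, the organisation string, server names and file paths
# are placeholders; replace them with your own.

$names = @('mail.domain.com', 'autodiscover.domain.com', 'mailinternal.domain.com')

# 1. One request for the whole namespace: mail.domain.com is the CN, the rest are SANs.
#    The server host names (mail1/mail2) are deliberately left out, as the reply suggests.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=mail.domain.com,O=Example Org,C=US' `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -FriendlyName 'Exchange 2013 namespace certificate'
[System.IO.File]::WriteAllBytes('C:\certs\exchange.req', [System.Text.Encoding]::Unicode.GetBytes($csr))

# 2. Import the certificate the CA returns and bind it to the IIS and SMTP services.
$cert = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('C:\certs\exchange.cer'))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 3. Export it with the private key and import the same certificate on the second DAG member,
#    so both servers present one thumbprint whichever of them mail.domain.com resolves to.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes('C:\certs\exchange.pfx', $pfx.FileData)
$cert2 = Import-ExchangeCertificate -Server 'mail2' -Password $pfxPassword `
    -FileData ([System.IO.File]::ReadAllBytes('C:\certs\exchange.pfx'))
Enable-ExchangeCertificate -Server 'mail2' -Thumbprint $cert2.Thumbprint -Services IIS,SMTP

# 4. Point every client URL at the alias, not at a server name, so the advice "no server names
#    in the certificate" holds. OWA shown; repeat for the ECP, EWS, OAB and ActiveSync directories.
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory `
    -InternalUrl 'https://mail.domain.com/owa' -ExternalUrl 'https://mail.domain.com/owa'

# 5. Split Outlook Anywhere into the published external name and an internal-only name,
#    so Outlook can tell which side of the firewall it is on.
Get-OutlookAnywhere | Set-OutlookAnywhere `
    -ExternalHostname 'mail.domain.com' -ExternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Basic `
    -InternalHostname 'mailinternal.domain.com' -InternalClientsRequireSsl $true `
    -InternalClientAuthenticationMethod Ntlm

# 6. Verify on each server: every name clients use must appear in CertificateDomains.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

The export/import in step 3 is what keeps the two servers interchangeable behind the alias: if a client ever sees a different thumbprint after the DNS change, the failover itself becomes the certificate warning. The check in step 6 is the one to run before cutting over, on both servers, and the name you expect Outlook to use internally must be in that list too.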
Similar Messages
-
Is it possible to use single ssl certificate for multiple server farm with different FQDN?
Hi
We generated the CSR request for Verisign Secure Site Pro certificate
SSL Certificate for cn=abc.com considering abc.com as our major domain. now we have servers in this domain like www.abc.com, a.abc.com, b.abc.com etc. we installed the verisign certificate and configured ACE-20 accordingly for ssl-proxy and we will use the same certificate generated for abc.com for all servers like www.abc.com, a.abc.com, b.abc.com etc. Now when we are trying to access https://www.abc.com or https://a.abc.com through mozilla, we are able to access the service but we are getting this message in certificate status: "you are connected to abc.com which is run by unknown"
And the same message when trying to access https://www.abc.com from Google Chrome.
"This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
so i know as this certificate is for cn=abc.com that is why we are getting such errors/status in the ssl certificate.
Now my question is
1. Is it possible to remove the above errors by doing some ssl configuration on ACE?
2. OR do we have to go for a Verisign Wildcard Secure Site Pro Certificate for a CSR generated using cn=abc.com to be installed on ACE and used for all servers like www.abc.com, a.abc.com etc..
Thanks
Waliullah
If you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate. Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate. And right now it won't because your certificate is for abc.com. You need a wildcard cert that will be for something like *.abc.com.
Hope this helps,
Sean -
Hi
Do I need to import certificate on mailbox servers
Agree with Adam. You can go through below article series on managing certificates in Exchange 2013.
Managing Certificates in Exchange Server 2013 (Part 1)
Also check below...
---- One key difference between Exchange 2010 and Exchange 2013 is that the certificates that are used on the Exchange 2013 Mailbox server are self-signed certificates. Because all clients connect to an Exchange 2013 Mailbox server through an Exchange 2013 Client Access server, the only certificates that you need to manage are those on the Client Access server. The Client Access server automatically trusts the self-signed certificate on the Mailbox server, so clients will not receive warnings about a self-signed certificate not being trusted, provided that the Client Access server has a non-self-signed certificate from either a Windows certification authority (CA) or a trusted third party. There are no tools or cmdlets available to manage self-signed certificates on the Mailbox server. After the server has been properly installed, you should never need to worry about the certificates on the Mailbox server. ----
Exchange 2013 certificate management UI
Get Your Exchange Powershell Tip of the Day from here -
Use public SSL certificate for WebAccess 8 on SLES10 Linux S
Currently my WebAccess 8 server is running on NetWare. I want to move my WebAccess to SLES10 SP3 server and use public SSL certificate from third-party on SLES 10. I think this is just to get apache to use the public cert on SLES 10 Linux server and nothing to change on WebAccess, right?
Thanks in advance.
Wilson
wilsonhandy wrote:
> Currently my WebAccess 8 server is running on NetWare. I want to move
> my WebAccess to SLES10 SP3 server and use public SSL certificate from
> third-party on SLES 10. I think this is just to get apache to use the
> public cert on SLES 10 Linux server and nothing to change on
> WebAccess, right?
Yeah, it's purely an Apache config. No need to do anything to
WebAccess just to get SSL working.
Novell Knowledge Partner
Enhancement Requests: http://www.novell.com/rms -
Use ssl certificate for Exchange Account
Hello everyone!
I have some problem with Exchange instance and iphones.
I have Front server with client authentication via ssl certificates. How i can use this certificate on iphone to connect iphone to exchanges account?
After few hours of googling i find only one solution here - http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-clien t-access/configuring-certificate-based-authentication-exchange-2010-activesync-p art2.html
In few words - it can be done with iPhone Configuration Utility
Does this ONLY solution or i can import ssl cert directly to iphone?
Thanks a lot for any help
Hi bb9193, this will not be a short-term solution, but you might consider using an MDM solution. With MDM it is possible to deinstall and reinstall the Exchange profile over the air, so your users will not need to do more than just re-enter their Exchange password.
Best regards,
Detlev -
Best practices for buying a digital certificate for Exchange 2013
Good day friends,
Could you indicate to me which are the best practices when buying a public digital certificate for use on Exchange Server 2013.
I'd be interested in knowing your opinion about using wildcard or SAN certificates.
Likewise, what are the best recommendations to include names and why they should or should not include the internal FQDN of my servers.
Currently I have an infrastructure that has two MailBox servers, two CAS servers and an EDGE 2010 server, but I'm planning to update it to Exchange 2013.
I searched what are the best practices according to Microsoft but have found little information.
I would appreciate if you can post links like Microsoft KBs and other technical documents that discuss the above mentioned.
Thanking your invaluable support.
Greetings.
Hi,
Personal suggestion, we can use two namespaces for your Exchange 2013:
Autodiscover.domain.com (Used for autodiscover service)
Mail.domain.com (used for all Exchange services external and internal URLs)
Please point mail.domain.com and autodiscover.domain.com to your internet-facing CAS 2013.
For more information about Digital Certificates and SSL in Exchange 2013, please refer to the
Digital Certificates Best Practices part in the following technet article:
http://technet.microsoft.com/en-us/library/dd351044%28v=exchg.141%29.aspx?lc=1033
Additionally, here are some other scenarios about certificate planning in Exchange 2013:
http://blogs.technet.com/b/exchange/archive/2014/03/19/certificate-planning-in-exchange-2013.aspx
Regards,
Winnie Liang
TechNet Community Support -
Use Homepage SSL certificate as exchange server certificate?
Hi there,
I'm a little certificate DAU.
I have a certificate for our homepage which certifies on "Domain123.de".
Is it possible to use this certificate for our mail server? (Exchange 2007)
The mail domain is "[email protected]"
Our AD Domain is "Domain456.local"
I hope you can help me here.
Here's some bacon to attract the pros
The certificate needs to match the fully qualified domain name that you connect against.
So if the web site uses www.domain.de and the Exchange server's OWA/ActiveSync is owa.domain.de it won't match and you'll get errors. However, if the SSL cert is a wildcard for *.domain.de you'll be OK.
This topic first appeared in the Spiceworks Community -
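The ACE thread above (a certificate for abc.com alone producing "you attempted to reach www.abc.com, but instead reached a server identifying itself as abc.com") and the Spiceworks thread (a homepage certificate reused for the mail server) fail for the same reason: the name the client connected to must match one of the certificate's DNS names, and a wildcard only stands in for a single leftmost label. The function below, an added example that is not from either thread, implements that matching rule so the cases can be checked offline; the host names and certificate name lists are constructed.

```powershell
# Added example (not from either thread). Implements the host-name matching rule that browsers
# and Outlook apply to a server certificate (RFC 6125 style): the name the client connected to
# must equal one of the certificate's DNS names, or match a wildcard name whose '*' stands for
# exactly one leftmost label. The inputs below are constructed to mirror the threads.

function Test-CertificateNameMatch {
    param(
        [Parameter(Mandatory)] [string]   $HostName,   # name the client typed / connected to
        [Parameter(Mandatory)] [string[]] $CertNames   # DNS names from the certificate (CN and SANs)
    )
    $requested = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($name in $CertNames) {
        $n = $name.ToLowerInvariant().TrimEnd('.')
        if ($n -eq $requested) { return $true }        # exact match
        if ($n.StartsWith('*.')) {
            # '*.abc.com' covers 'www.abc.com', but not 'abc.com' itself and not 'x.a.abc.com'
            $suffix = $n.Substring(1)                    # '.abc.com'
            if ($requested.EndsWith($suffix)) {
                $leftLabel = $requested.Substring(0, $requested.Length - $suffix.Length)
                if ($leftLabel.Length -gt 0 -and -not $leftLabel.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Constructed cases. The first mirrors the ACE thread: a certificate issued for abc.com alone
# does not cover www.abc.com, which is the "reached a server identifying itself as abc.com"
# warning quoted there. The wildcard cases show what *.abc.com does and does not fix, the
# domain123.de case is the Spiceworks question, and the last one is a SAN certificate that
# lists the alias from the first thread on this page.
$cases = @(
    @{ Host = 'www.abc.com';       Cert = @('abc.com') },
    @{ Host = 'www.abc.com';       Cert = @('*.abc.com') },
    @{ Host = 'a.abc.com';         Cert = @('*.abc.com') },
    @{ Host = 'abc.com';           Cert = @('*.abc.com') },
    @{ Host = 'x.a.abc.com';       Cert = @('*.abc.com') },
    @{ Host = 'owa.domain123.de';  Cert = @('domain123.de') },
    @{ Host = 'mail.domain.com';   Cert = @('mail.domain.com', 'autodiscover.domain.com') }
)
foreach ($c in $cases) {
    $ok = Test-CertificateNameMatch -HostName $c.Host -CertNames $c.Cert
    '{0,-18} vs [{1}] -> {2}' -f $c.Host, ($c.Cert -join ', '), $ok
}
```

Only the exact-name and single-label wildcard cases pass; the bare domain under a wildcard, a two-label host under a wildcard, and the two "reuse a certificate for a different name" cases from the threads all fail, which is what the browsers reported. Two caveats when applying this to a real certificate: current browsers ignore the CN entirely once a SAN extension is present, so every name has to be in the SAN list, and a wildcard's reach stops at one label, so a.b.domain.de needs its own entry.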
Using existing SSL Certificate for Web Dispatcher
Hi,
We've registered a SSL certificate with wildcard option via GlobalSign. The history of this process is as below:
1. We created a Certificate Request with IIS and send it to GS (GlobalSign).
2. They send us the certificate file Globalsign Primary Secure Server CA and Globalsign Server Sign CA files.
3. Import all certificates into IIS and then exported the certificate into a Cert.pfx file.
4. By using this file, we are able to import the SSL certificate into J2EE WAS 640 of Portal system.
5. Now we want to use same certificate to establish a web dispatcher installation as intermediate server for internet access.
Web Dispatcher documentations says to create a pse and req file with sapgenpse program and then send it to CA (here globalsign) to get a certificate.
But when we asked GS, they told us to use the certificate they sent us before. They cannot create a certificate file for the output of web dispatcher. We will be billed if we persist.
So, we have to find a way to use the existing certificate to enable SSL of Web Dispatcher.
Any idea?
Hi Huseyin,
I also have the same scenario. We also want to use the same certificate from verisign for our webdispatcher.
Do you know how to do. Can you help me.
Thanks and Regards,
Sailesh K -
Wildcard certificate for Exchange 2013
Hello!
I have a testing network with Exchange 2013SP1 and Windows Server 2012R2 domain controller with CA installed.
For testing purposes I issued a wildcard certificate for my Exch2013 from my local CA using Web server template and installed it on the Exchange server.
Now when I open, for example, ecp or owa page I'm getting the error stating my certificate is wrong:
Q1) Is Windows CA capable of issuing a wildcard certificates?
Q2) If Q1=yes then what can be the cause of the problem?
Thank you in advance,
Michael
Hi Michael,
Please click Certificate error in IE to view the details about the error. If the error is related to an untrusted certificate, please open Internet Explorer, click Settings > Internet Option > Content option > Certificate. In the Certificates dialog box, click the Trusted Root Certification Authorities tab and check if your certificate is in the list.
If the certificate is not in the list, we can install the certificate in Trusted root certificate store by the following KB:
http://support2.microsoft.com/kb/2006728
If the certificate error is related to a mismatch issue, please confirm if this certificate is assigned with the IIS service. If not, please enable it with the IIS service and restart the IIS service to have a try. To double check the Exchange certificate, we can run the following command:
Get-ExchangeCertificate | FL
Regards,
Winnie Liang
TechNet Community Support -
Configuring CA Certificate for Exchange 2013
Hello,
I have two Exchange 2013 servers running both CAS and MB roles which are also part of a DAG. To secure mail flow in and out of my organization, I am planning to implement a reverse proxy in my DMZ. I can easily access my OWA using my DAG name. I wonder if I can configure my reverse proxy machine to access the cluster name/IP. I am also confused about configuring the certificate. Which one of my machines should be used to create the CSR?
Pooriya Aghaalitari
Hey David,
I just got to learn about this after I sent the post. So I can create the certificate and import/export to other servers right? Thanks a lot man.
Regards,
Pooriya
Pooriya Aghaalitari
Yes. In fact, you want to make sure all the certs applied to the CAS are the same ( same thumbprint)
Twitter!: Please Note: My Posts are provided “AS IS” without warranty of any kind, either expressed or implied. -
Upgrade SSL Certificate for Exchange Server
Hi Folks,
I need to upgrade the SSL certificate on my Exchange Server, so it can negotiate encryption and authorization to an upstream SMTP Smart Host. This means that the certificate I need is not necessarily a server certificate, because in this scenario Exchange Server is acting as a client to the upstream SMTP Smart Host. I have openssl at my disposal, so making the certificate is not a problem, but installing it in the correct location and testing that I've done what I think I've done is.
Thanks for the help,
Chris.
Hi,
Please just make sure the primary certificate in your Exchange server with
SMTP service is valid, trusted by your SMTP smart host.
Thanks,
Winnie Liang
TechNet Community Support -
Self Signed Certificate for Exchange 2013
What's the drawback of using a self-signed certificate in a production environment?
Hi,
Based on my research, here are the disadvantages of self-signed certificate:
1. The certificates aren't trusted by other applications/operating systems. This may lead to authentication errors etc.
Note: To overcome this limitation, some IT staff add the self-signed certificates to the Trusted Root Certificate Authorities. However, using this workaround may add to the time needed for management and troubleshooting.
2. Self-signed certificates' lifetime is usually 1 year. Before the year has ended, the certificate may need to be renewed/replaced.
3. Self-signed certificates may use weak hash and cipher technologies. Due to this, the security level implemented by self-signed certificates may not satisfy the current Security Policy etc.
4. No support for advanced PKI (Public Key Infrastructure) functions (e.g. online checking of the revocation list etc.).
5. Most of the advanced features of server-side applications require implementing a PKI (Public Key Infrastructure). Because of this, self-signed certificates' advantages can't be used.
For more information, you can refer to the following article:
http://blogs.microsoft.co.il/yuval14/2011/09/23/the-advantages-and-disadvantages-of-using-self-signed-certificates/
Thanks,
Angela Shi
TechNet Community Support -
Our Network Solutions security certificate was about to expire so we renewed it, however once it was installed on the Exchange 2007 server the phones would no longer connect. How do you get the iPhones that are already connected to your Exchange server to recognize the new certificate?
Hi bb9193, this will not be a short-term solution, but you might consider using an MDM solution. With MDM it is possible to deinstall and reinstall the Exchange profile over the air, so your users will not need to do more than just re-enter their Exchange password.
Best regards,
Detlev -
Certificate Authority for Exchange 2013
Dear,
I will install exchange 2013, whether to install the Certificate Authority role also?
If it is necessary, to install this CA, is simply combined with ADDS server, Exchange Server or a separate server?
Thanks
Hi,
As all above say, Exchange 2013 can use the self-signed Exchange certificate which is installed automatically after Exchange 2013 installation. But please note that this self-signed certificate would not be trusted for Exchange use.
If your Exchange 2013 is not internet-facing, we can use the self-signed certificate in your internal domain environment. If you want to publish your Exchange 2013 to the internet and send/receive external mails, we need to have a valid and trusted certificate for Exchange use.
To get a trusted certificate, we can deploy an Enterprise root CA which self-signs its own CA certificate and uses Group Policy to publish that certificate to the Trusted Root Certification Authorities store of all servers and workstations in the domain. Or we can directly buy a third-party certificate.
About where to install the CA, my personal suggestion is to install ADCS (Active Directory Certificate Services) on a standalone server. You can also install it with your DC. About how to install a Root Certification Authority, please refer to:
http://technet.microsoft.com/en-us/library/cc731183.aspx
Regards,
Winnie Liang
TechNet Community Support -
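Deploying the enterprise root CA that the reply above describes, signing an Exchange certificate request with it, and checking that domain members picked up the root, as an added example that is not from the thread. It assumes Windows Server 2012 or later with the ADCS PowerShell module; the CA name, the CA server name, domain.local and the file paths are placeholders.

```powershell
# Added example (not from the original thread). Assumes Windows Server 2012 or later, run as a
# domain administrator on the server that will host the CA. Names and paths are placeholders.

# 1. Install the Certification Authority role service and its management tools.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure it as an Enterprise Root CA. An enterprise CA publishes its root certificate to
#    Active Directory, so domain-joined servers and workstations receive it as a trusted root
#    through Group Policy without a manual import. Use SHA-256 and at least a 2048-bit key.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'Example Enterprise Root CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# 3. Sign a request file produced by New-ExchangeCertificate -GenerateRequest, using the
#    built-in Web Server template (the template used in the wildcard thread above, which takes
#    the subject and SANs from the request). certreq writes the issued certificate to the .cer path.
certreq -submit -config 'CASERVER.domain.local\Example Enterprise Root CA' `
    -attrib 'CertificateTemplate:WebServer' 'C:\certs\exchange.req' 'C:\certs\exchange.cer'

# 4. On any domain-joined machine, confirm the root is now trusted (after a policy refresh).
#    This is the check to run first when a browser reports the certificate as untrusted.
function Test-RootCaTrusted {
    param([Parameter(Mandatory)] [string] $CaCommonName)
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$CaCommonName*" }
    return ($null -ne $root)
}
gpupdate /target:computer /force
Test-RootCaTrusted -CaCommonName 'Example Enterprise Root CA'
```

Step 3 also answers the wildcard question from the earlier thread on this page: with the Web Server template the CA issues whatever subject the request supplies, wildcard included, so an error on a wildcard certificate from a local CA is normally either the root not being trusted on the client (step 4) or the certificate not being enabled for IIS on the Exchange server, not a limitation of the CA. Machines that are not domain-joined (home PCs, phones) never receive the root through Group Policy, which is the practical reason the reply recommends a third-party certificate for anything published to the Internet.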
Iplanet 6.0 creating a development SSL certificate for internal use
With IHS I can create my own SSL certificate when I want to do development work locally. I don't need to pay for a commercial one.
Is there a tool to create my own SSL certificate for development work with iplanet 6.0?