Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Exchange SSL Certs

  • 30-10-2009 11:11am
    #1
    Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭


    Anybody here handy with these?
    Have a bit of a query on them in exchange 2007.


Comments

  • Registered Users, Registered Users 2 Posts: 103 ✭✭sandleman1979


    Fire away...

    Will you be using a public cert or using internal from a Certificate Authority.


  • Closed Accounts Posts: 22 b1tch1n


    What is it that you want to know?


  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    Sorry guys, I've been off work sick this week. Basically the issue I was encountering is a mix of problems between Exchange 2007 autodiscover, owa and publishing it using a a new cert I had issued from RapidSSL.

    I don't really have enough details at hand to structure a question properly but basically since I installed the new cert on the Default Website users have been an error regarding invalid certificate, they can then accept it and move on, and it's only a affecting those on Outlook 2007 (a small number of users).

    I'll give proper details tomorrow if I feel up to going in.

    Thanks


  • Registered Users, Registered Users 2 Posts: 103 ✭✭sandleman1979


    From what i know about Certificates in Exchange, they have to be added using the Exchange Management shell command line tool.

    As you have the certificate already you will need to concentrate on the
    Import-exchangecertificate
    and
    Enable-exchangecertificate

    First run get-exchangecertificate
    This will list all certs on exchange server.

    then run import-exchangecertificate c:\newcertificate.cer

    Where newcertificate.cer is the cert you want to import.

    Then run
    get-exchangecertificate again and compare with earlier.
    you need to get the thumbprint of the certificate (lots of randon numbers and letters)

    Then run
    Enable-ExchangeCertificate -thumbprint <<thumbprint of certificate>> -Services “IIS”

    So if you cert thumbprint is 1QAZ2WSX3EDC4RFV5TGB6YHN7UJM8IK9OLP08HF5
    then run
    Enable-ExchangeCertificate -thumbprint 1QAZ2WSX3EDC4RFV5TGB6YHN7UJM8IK9OLP08HF5 -Services “IIS”

    This will then assign the certificate to IIS, which autodiscover uses.

    Hope that helps....
    Been in your position before, i know the pain ;-)


  • Closed Accounts Posts: 22 b1tch1n


    your correct, it is done through the Management Shell. It is a straight forward process and if you are stuck a google search will reveal it


  • Advertisement
  • Closed Accounts Posts: 5,429 ✭✭✭testicle


    A RapidSSL Cert probably won't do Exchange 2007. It needs to be what's known as a Unified Communications certificate, basically one that's good for the internal hostname (exchange.domain.local) the external hostname (exchange.domain.com) and the autodiscover hostname (autodiscover.domain.com)


  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    testicle wrote: »
    A RapidSSL Cert probably won't do Exchange 2007. It needs to be what's known as a Unified Communications certificate, basically one that's good for the internal hostname (exchange.domain.local) the external hostname (exchange.domain.com) and the autodiscover hostname (autodiscover.domain.com)

    I got onto the server for a while this evening and I think this is the problem I am experiencing. My internal hostname is exchange.jbloggs.local, my external hostname is mobile.joebloggsIrl.com and my autodiscover is now set at autodiscover.mobile.joebloggsIrl.com (but that was from my messing around).

    So you reckon a RapidSSL cert is no good in a situation like this?
    I've been off work sick for a while so will give myself the full day tomorrow to try and get this sorted.


  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    Hi, sorry for the delay but I'm back working on this now. I've found my exact issue on another forum but there is no answer to the question so I'm going to literally copy and paste the issue from there if that's ok:

    one of our customers has an exchange 2007 server on their network with most of their PC's running outlook 2007.
    their internal domain name and external domain(to access exchange) is different... and the internal domain is not owned by them...
    for example:
    internal exchange server name: exchange
    internal domain name: abc123.com
    FQDN for exchange(internal): exchange.abc123.com
    FQDN for exchange(external + owa): mail.company123.com

    they own the company123.com website and domain name... but the internal domain name they do not, someone else owns it.. and its only used internally! because of this, the SSL certificate they just recently purchased from comodo.com only supports the domain they own and therefore pops up a cert msg everytime someone opens up outlook 2007 internally because the internal domain is not in the SSL only the external...

    same thing with internal domains with the .local extension.. to my knowledge SSL certs dont support those.... how do company's with different internal domain names from their external domain counterparts get these SSL certs to work?

    any advice, suggestions, input, etc. is appreciated....


  • Registered Users, Registered Users 2 Posts: 103 ✭✭sandleman1979


    OK i have "cheated" at this before ;-)

    In your internal DNS make a new zone for company123.com
    add an a record for mail and set it to the internal IP address of your exchange server.

    Then the name on the certificate is set to mail.company123.com
    You will need to change the internal autodiscover address to
    https://mail.company123.com/autodiscover/autodiscover.xml


    Then when internal users with outlook 2k7 secure the communications to the mail server it uses the name on the certificate which for internal users points to the internal IP address...

    Alternatively you can add a Subject Alternate Name to the certificate which will be the internal FQDN of the mail server. downside of this is that the certificate which will be visibible to all users will show the internal fqdn of the mailserver...


  • Registered Users, Registered Users 2 Posts: 2,361 ✭✭✭Itsdacraic


    OK i have "cheated" at this before ;-)

    In your internal DNS make a new zone for company123.com
    add an a record for mail and set it to the internal IP address of your exchange server.

    Then the name on the certificate is set to mail.company123.com
    You will need to change the internal autodiscover address to
    https://mail.company123.com/autodiscover/autodiscover.xml


    Then when internal users with outlook 2k7 secure the communications to the mail server it uses the name on the certificate which for internal users points to the internal IP address...

    Alternatively you can add a Subject Alternate Name to the certificate which will be the internal FQDN of the mail server. downside of this is that the certificate which will be visibible to all users will show the internal fqdn of the mailserver...

    You're a good man.

    I've added the zone and i can access owa internally via the external address, so that's a start. I have to go off to a head wreck of a meeting now for a few hours but will test it fully later. Cheers for that.
    Have to go


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,267 ✭✭✭kc66


    Hi,

    I dont want to barge in on someone elses thread but hopefully OP is sorted now, and I've got a similar problem.
    We have a local exchange server. We want to connect 2 phones to exchange using activesync. We have a website externally hosted, domain.ie. We have a local domain, which has exchange server exch.domain.local.
    I configured an A record mail.domain.ie on our hosting company's control panel to point to our company's public IP address. Our firewall is forwarding port 443 to our exchange server. So I'm not sure where we can go from here for an SSL cert. Is a SAN cert required or is there an alternative? Or is this the wrong way to go about it?

    Thanks in advance for any guidance.

    Edit: I think I got everything sorted with the cert. OWA working fine but Activesync getting "HTTP Error 503. The service is unavailable." Any ideas what might be wrong? In IIS AS is configured to require SSL and basic authentication.
    Edit2: Sorted that but now getting authentication failed.


  • Closed Accounts Posts: 5,429 ✭✭✭testicle


    In your internal DNS make a new zone for company123.com add an a record for mail and set it to the internal IP address of your exchange server.

    How do you do this without breaking DNS internally for company123.com? Or do you need to copy the entire zone from the real authoratitive NS servers?


  • Registered Users, Registered Users 2 Posts: 247 ✭✭Cluster


    Itsdacraic wrote: »
    Anybody here handy with these?
    Have a bit of a query on them in exchange 2007.

    adding the SSL?


Advertisement