Single-Server 2K7 install and Certificate Naming
Hello everyone. My question is more a confirmation of what I think I know/don't know than anything else, but I'll appreciate any feedback on things I might be overlooking. I have a single-server install of Exchange 2007 Standard (running on Server 2008 Standard R2, for what it's worth). The server has two names: e2k7.faysharpe.net (internally) and webmail.faysharpe.com (externally: OMA, OWA, MX, etc.). I'd like to get a 3rd-party certificate (VeriSign most likely) so that when my users are checking their mail from a remote computer (at home, from a terminal out of my control, etc.) they neither have to have a copy of my root certificate to install, nor do they have to worry about the error messages modern browsers put up to steer users away from the page. To my thinking the only real solution here is to get a trusted certificate that allows for a Subjective Alternative Name (SAN), because without that, when the users are internal and using Outlook they'll get errors (as I've seen in my testing) within Outlook about the server certificate not matching the server name. Is there a solution I'm simply failing to see? (And if there is, what caveats might I expect in implementing it?) Further, is there a better location than here in general to ask a certificate/naming question?
September 28th, 2009 8:24pm

3rd-party certificates are always preferred for the reasons you mention above. They pay for themselves.

As for your internal Outlook issue, see:
http://support.microsoft.com/kb/940726
"Warning message when you start Outlook 2007 and then connect to a mailbox that is hosted on an Exchange 2007-based server: "The name of the security certificate is invalid or does not match the name of the site""

Note that Exchange 2007 is not supported on Windows 2008 R2:
http://msexchangeteam.com/archive/2009/09/21/452567.aspx
"Exchange Server 2007 SP2 and Windows Server 2008 R2"
September 28th, 2009 9:07pm

The easiest way to do this is to use the Exchange 2007 SSL CSR Command Wizard: https://www.digicert.com/easy-csr/exchange2007.htm
This tool will generate the needed PowerShell certificate request for you.

Common name: webmail.faysharpe.com (for OWA, Outlook Anywhere, ActiveSync)

For Subject Alternative Names, Microsoft recommends including your Exchange server's NetBIOS name, its FQDN, and autodiscover.yourdomain.com. So this would be:
* e2k7
* e2k7.faysharpe.net
* autodiscover.faysharpe.com

For roaming mobile devices it could be a good idea to establish a split-brain DNS: add webmail.faysharpe.com as a new forward lookup zone, referring to an internal private IP address.

P.S. There is no longer OMA.

Jon-Alfred Smith MCTS: Messaging MCSE: S+M
September 28th, 2009 9:54pm
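The certificate request the DigiCert wizard would produce for the names listed above, followed by the KB 940726 URL changes from the earlier reply, written out as Exchange 2007 Management Shell commands. This is an added example, not code from any poster in the thread: the host names are the ones given in the thread, while the request and certificate file paths, the O= and C= values in the subject, the friendly name and the virtual-directory identities are assumptions for a default installation.

```powershell
# Added example (not from the thread). Run in the Exchange 2007 Management Shell.
# Host names come from the thread; file paths, O=/C= values and friendly name are assumed.

# 1. Generate a SAN certificate request. CN is the external name; the SAN list also
#    carries the internal FQDN, the NetBIOS name and the autodiscover name, so both
#    domain-joined Outlook clients and external browsers find a matching name.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Fay Sharpe, CN=webmail.faysharpe.com" `
    -DomainName webmail.faysharpe.com, e2k7.faysharpe.net, e2k7, autodiscover.faysharpe.com `
    -FriendlyName "Exchange 2007 SAN certificate" `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path C:\certreq\webmail_faysharpe_com.req        # assumed output path

# 2. Submit the .req file to the commercial CA. When the signed certificate comes
#    back, import it and bind it to the client-facing services in one pipeline.
Import-ExchangeCertificate -Path C:\certreq\webmail_faysharpe_com.cer |
    Enable-ExchangeCertificate -Services "IIS,SMTP"

# 3. KB 940726: point the internal service URLs at names that are actually on the
#    certificate, so internal Outlook 2007 clients stop warning about a name mismatch.
Set-ClientAccessServer -Identity e2k7 `
    -AutodiscoverServiceInternalUri "https://autodiscover.faysharpe.com/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "e2k7\EWS (Default Web Site)" `
    -InternalUrl "https://e2k7.faysharpe.net/EWS/Exchange.asmx"
Set-OABVirtualDirectory -Identity "e2k7\OAB (Default Web Site)" `
    -InternalUrl "https://e2k7.faysharpe.net/OAB"
Set-ActiveSyncVirtualDirectory -Identity "e2k7\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://e2k7.faysharpe.net/Microsoft-Server-ActiveSync"

# 4. Verification: every host name used in the URLs above must appear in the
#    CertificateDomains of the non-self-signed certificate bound to IIS. A name
#    missing from that list is exactly what produces the Outlook warning.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' -and -not $_.IsSelfSigned }
$needed  = 'webmail.faysharpe.com', 'e2k7.faysharpe.net', 'autodiscover.faysharpe.com'
$missing = $needed | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) {
    Write-Warning "Names not covered by the bound certificate: $($missing -join ', ')"
} else {
    "All client-facing names are covered by thumbprint $($cert.Thumbprint); Services = $($cert.Services)"
}
```

The check in step 4 is worth keeping as a recurring task: the warning returns whenever a service URL is later changed to a host name the certificate does not list, or when a renewed certificate is issued without the full SAN list.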

Hi,

Yes, we suggest you apply for a SAN certificate in the current situation. A great article to share with you:
More on Exchange 2007 and certificates - with real world scenario
http://msexchangeteam.com/archive/2007/07/02/445698.aspx

Hope this helps.

Thanks,
Elvis
September 29th, 2009 11:45am

Thank you for the feedback, all. I've applied for a cert with a 3rd-party vendor and am merely awaiting its return.
September 30th, 2009 6:53pm
