
Exchange certificate advice needed.

Discussion in 'Software' started by nugget, Oct 31, 2007.

  1. nugget
    Honorary Member

    nugget Junior toady

    Here's a tricky one for all you exchange gurus out there.

    I need to create a UCC certificate for my exchange 2007 server. I have the right cmdlet but I'm not 100% sure about the domain names that I need to put in.


    New-ExchangeCertificate -GenerateRequest -SubjectName "c=CH, o=ESBATech AG, cn=ESBA-MAIL.ESBATech.int" -IncludeAcceptedDomains -DomainName webmail.esbatech.com,autodiscover.esbatech.com -privatekeyexportable $true -Path c:\exchcert.req


    ESBA-MAIL is the name of our exchange server.

    As you can see, our internal domain name is .int and not .com; I don't know if this will make a difference.
    Webmail dns mx record is pointed to our external IP address.

    Ideally I'd also like to include the autodiscover in the certificate for external users with their laptops but I was told this morning that it is a security hole at the moment (so this is not a necessity at the moment unless someone knows better).

    I also need to include some mobile devices that need to use active-sync and push mail.

    Is the above script okay or does it need modifying? Any and all help appreciated.:D
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  2. nugget
    Honorary Member

    nugget Junior toady

    Okay, this is what I ran in Exchange powershell to create the certificate request.

    New-ExchangeCertificate -domainname webmail.esbatech.com, esbatech.com, esbatech.int, autodiscover.esbatech.com, esba-mail.esbatech.int, esba-mail -Friendlyname ESBATech -generaterequest:$true -keysize 1024 -path c:\certrequest.req -privatekeyexportable:$true -subjectname "c=CH o=ESBATech AG, CN=esba-mail.esbatech.com"

    I generated the certificate, put it into the CA's site and it was rejected as invalid with the message "Subject Alt Name(s)".

    I did it a second time with -subjectname ..... CN=esba-mail.esbatech.com" changed to CN=esbatech.com" with the same result.

    Any ideas much appreciated. :scratch
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  3. onoski

    onoski Terabyte Poster

    Nugget, to be honest, you'd get informed and working help from the Microsoft web site or a general search on Google.
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  4. nugget
    Honorary Member

    nugget Junior toady

    Well, yes I suppose I would, if I could find the right page to help me. I've been trawling MS Technet all day as well as the web, about 10 different Exchange sites and forums as well as newsgroups too.

    It seems to me that MS don't use their own best practices in domain naming. They recommend not using the same name as your web presence (i.e. .com), so you name your domain .local, for example (which we have done). The only examples they give on TechNet are for their site contoso.com, which everybody else seems to give too.

    Except for these guys, I can't find any other info (or examples) about using a different internal domain name.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  5. nugget
    Honorary Member

    nugget Junior toady

    Got it sorted. Here is the script that I needed to use.

    New-ExchangeCertificate -GenerateRequest -SubjectName "c=CH, o=ESBATech AG, cn=webmail.esbatech.com" -DomainName webmail.esbatech.com, esbatech.com, esbatech.int, autodiscover.esbatech.com, esba-mail.esbatech.int, esba-mail -privatekeyexportable $true -keysize 1024 -Path c:\certReq.txt

    As you can see, the CN points to the outside reference, e.g. webmail.esbatech.com, and not to the internal server.

    Me happy now :biggrin
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
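
An added example, not nugget's own commands: it wraps the working request from the post above in a pre-submission check (CN must appear in the DomainName list, the web and autodiscover names must be present) and a post-import check that the issued certificate really carries every requested SAN before it is bound to services. `Test-UccRequestNames`, the issued-certificate path and the set of "required" names are assumptions; an Exchange 2007 Management Shell session is assumed.

```powershell
# Added example (not from the thread). Assumes Exchange 2007 Management Shell.
$cn          = 'webmail.esbatech.com'
$domainNames = 'webmail.esbatech.com','esbatech.com','esbatech.int',
               'autodiscover.esbatech.com','esba-mail.esbatech.int','esba-mail'

# Hypothetical helper: catch a CN that is not one of the SANs (the shape of the
# first, rejected attempt in the thread) before the CSR ever reaches the CA.
function Test-UccRequestNames {
    param([string]$CommonName, [string[]]$Names)
    $problems = @()
    if ($Names -notcontains $CommonName) {
        $problems += "CN '$CommonName' is not in the DomainName list"
    }
    # Assumed required names: OWA/ActiveSync host and Autodiscover.
    foreach ($required in 'webmail.esbatech.com','autodiscover.esbatech.com') {
        if ($Names -notcontains $required) { $problems += "missing SAN: $required" }
    }
    $dupes = $Names | Group-Object | Where-Object { $_.Count -gt 1 }
    foreach ($d in $dupes) { $problems += "duplicate SAN: $($d.Name)" }
    return $problems
}

$issues = Test-UccRequestNames -CommonName $cn -Names $domainNames
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; return }

# Generate the request as in the working post. KeySize 1024 is what the thread
# used; public CAs today refuse anything below 2048.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=CH, o=ESBATech AG, cn=$cn" -DomainName $domainNames `
    -PrivateKeyExportable $true -KeySize 1024 -Path C:\certReq.txt

# After the CA returns the signed certificate (placeholder path), import it,
# then confirm the SAN list matches what was requested before enabling it.
Import-ExchangeCertificate -Path 'C:\PLACEHOLDER-issued-cert.cer' | Out-Null
$cert = Get-ExchangeCertificate |
        Where-Object { $_.Subject -like "*CN=$cn*" } | Select-Object -First 1
$issuedNames = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $domainNames | Where-Object { $issuedNames -notcontains $_ }
if ($missing) {
    Write-Warning "Issued certificate lacks: $($missing -join ', ')"
} else {
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP
}
```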
