Exchange certificate advice needed.

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Here's a tricky one for all you exchange guru's out there.

I need to create a UUC certificate for my exchange 2007 server. I have the right cmdlet but I'm not 100 % sure about the domain names that I need to put in.


New-ExchangeCertificate -GenerateRequest -SubjectName "c=CH, o=ESBATech AG, cn=ESBA-MAIL.ESBATech.int" -IncludeAcceptedDomains -DomainName webmail.esbatech.com,autodiscover.esbatech.com -privatekeyexportable $true -Path c:\exchcert.req


ESBA-MAIL is the name of our exchange server.

As you see our internal domain name is .int and not .com, I don't know if this will make a difference.
Webmail dns mx record is pointed to our external IP address.

Ideally I'd also like to include the autodiscover in the certificate for external users with their laptops but I was told this morning that it is a security hole at the moment (so this is not a necessity at the moment unless someone knows better).

I also need to include some mobile devices that need to use active-sync and push mail.

Is the above script okay or does it need modifying? Any and all help appreciated.

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Okay, this is what I ran in Exchange powershell to create the certificate request.

New-ExchangeCertificate -domainname webmail.esbatech.com, esbatech.com, esbatech.int, autodiscover.esbatech.com, esba-mail.esbatech.int, esba-mail -Friendlyname ESBATech -generaterequest:$true -keysize 1024 -path c:\certrequest.req -privatekeyexportable:$true -subjectname "c=CH o=ESBATech AG, CN=esba-mail.esbatech.com"

I generated the certificate, put it into the CA's site and it was rejected as invalid with the message "Subject Alt Name(s)".

I did it a second time with -subjectname ..... CN=esba-mail.esbatech.com" changed to CN=esbatech.com" with the same result.

Any ideas much appreciated.

 

Nugget to be honest you'd get informed and working help from Microsoft web site or a general search on google.

 

Well, yes I suppose I would, if I could find the right page to help me. I've been trawling MS Technet all day as well as the web, about 10 different Exchange sites and forums as well as newsgroups too.

It seems to me that MS don't use their own best practices in domain naming. They recommend not using the same name as your web presence (ie .com) so to name your domain .local for example (which we have done). The only examples they give on technet is for their site contoso.com which everybody else seems to give too.

Except for these guys, I can't find any other info (or examples) about using a different internal domain name.

 

Got it sorted. Here is the script that I needed to use.

New-ExchangeCertificate -GenerateRequest -SubjectName "c=CH, o=ESBATech AG, cn=webmail.esbatech.com" -DomainName webmail.esbatech.com, esbatech.com, esbatech.int, autodiscover.esbatech.com, esba-mail.esbatech.int, esba-mail -privatekeyexportable $true -keysize 1024 -Path c:\certReq.txt

As you see the CN points to the outside reference eg webmail.esbatech.com and not to the internal server.

Me happy now