1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Problem SBS2008 and SSL Certificates

Discussion in 'Software' started by westernkings, May 30, 2011.

  1. westernkings

    westernkings Gigabyte Poster


    I bought a Verisign SSL (30 day free trial) with a single name. I put it into the wizard and confirmed that all Web Applications worked fine via SSL, as did outlook anywhere (via autodiscover and manually). All is well so far.

    Problem was that internal users connecting to exchange via servername.domain.local then got a certificate error every time they started outlook.

    The work around for that was to use EMS to change the internal URLs to the External. This removed the certificate error but then internal users got the Password prompt on starting outlook just like Outlook Anywhere users do.

    My question is this:

    The certificate wizard created the request and therefore only included the external address, to my knowledge I would have to create a SAN certificate with both Internal and External addresses but if I did this, I wouldn't be able to use the wizard to import it and as any users of SBS 2008 know, it's always best to try and use the wizards.

    So what do I need to do? use the wizard, generate the request, send to Verisign (for example) and ask them to create a SAN certificate with the internal name as well? or am I being completely stupid and missing something.

    Either way, it is completely unacceptable for a certificate error or a password prompt for internal users. :eek:

    Also, has any one noticed that when you do import using the wizard, it adds the 443 binding to the Default Web Site which means it cannot start because Web Applications is using the ports? is this an oversight by Microsoft or are you supposed to install any internal web sites into the Web Applications section?
    Last edited: May 30, 2011
  2. craigie

    craigie Terabyte Poster

    The wonders off SBS mate.

    Use EMS to create the SAN certificate and you will be golden, the easy way is to use Digi Cert URL hear https://www.digicert.com/easy-csr/exchange2007.htm
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  3. GSteer

    GSteer Megabyte Poster

    It all depends on the certificate vendor as well, ours for instance allows us to manually add SANs during the certificate creation process. With SBS2008 and ergo Exchange 2007 you'll want the common name for external access, default is remote.externaldomainname and for the SANs we use the following additional four: Internal and External Autodiscover records, Internal DNS FQDN of server and to fill the fourth the netbios name for legacy stuff.

    As an example, say our external domain is shadow.com, our internal domain is shadow.local and our server is called SBS, you'd want

    CN: remote.shadow.com (if you are using the default)
    SAN: autodiscover.shadow.com
    SAN: autodiscover.shadow.local
    SAN: sbs.shadow.local
    SAN: sbs
    Certifications: BSc. (Comp. Sci.), MBCS, MCP [70-290], Specialist [74-324], Security+, Network+, A+, Tea Lord: Beverage Brewmaster | Courses: LFS101x Introduction to Linux (edX)
    WIP: CCNA Routing & Switching

Share This Page