SSL certificates have been around for quite a while. You get normal SAN certificates, where you can have one or more names on the certificate, or you get a wildcard certificate, where the wildcard covers your domain and any host name in front of it. For example, your wildcard might be *.domain.com and it will cover mail.domain.com or vip.domain.com. A few years back, when you created your SSL certificate request on Exchange 2007 and 2010, you could include your server names in the certificate. So, for example, you would have mail.domain.com, Server1.domain.com and Server2.domain.com. Mail.domain.com would be resolvable on the Internet, but your server names would not be. You would not be able to do a lookup on Server1.domain.com from the Internet, yet the name itself was still visible to anyone who inspected the certificate, so your internal server names were exposed on the Internet. With security getting tighter, a change was made, and when you ordered your SSL certificates you could no longer use internal names; only public names were accepted.
This caused a bit of an outrage with customers, as they wanted to keep the server names on their SSL certificates and did not want to pay for a new one or go through the process of renewing the certificate with a public name. That would mean changing DNS records internally and also updating applications like Exchange.
What to do?
“What are my options?” you may ask. Well, you could use an internal certificate authority to issue the certificate to your Exchange server, but when people access Outlook Web Access (OWA) they would get certificate errors because the root CA is not trusted or not known. ActiveSync will not work either, or will give you errors as well. So, using an internal certificate authority is not going to work.
OK, so you say, “I will get a free SSL certificate.” No!!! You don’t know who the signing authority is, and you could end up with someone spoofing your domain or hijacking your certificate and then causing more issues with Exchange and your environment. Remember, your SSL certificate does not only live on your Exchange server; it also has to be on your load balancers and anything else offloading traffic.
The change is massive, especially in companies that have many certificates: replacing them means many hours spent renewing certificates and then changing all servers and appliances in the environment. Actually, it shouldn’t be an issue if you use an authority like DigiCert or RapidSSL, as you can go in and change the names on the SSL certificate and it will be reissued for you to add to your servers and load balancers. A .PFX certificate can be imported into IIS (Internet Information Services) on your Exchange server, and then you can just assign services to the new certificate. The same applies to your load balancer, for example F5 or Kemp.
Now, if you haven’t updated your Exchange URLs, you need to do so, as an internal name configured on the URLs will cause issues such as Outlook popups saying the name or the certificate is invalid. This frustrates your users because they either cannot launch Outlook, keep getting popups when Outlook checks in the background, or get certificate errors in Outlook Web Access.
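The reissue, import, service assignment and URL update described above, as an added Exchange Management Shell example (not code from the original post). It assumes Exchange 2013 or later, a server named EX01, a reissued certificate saved as C:\certs\mail.pfx with only the public name mail.domain.com on it, and that mail.domain.com also resolves internally (split DNS).

```powershell
# Added example, not from the original post. Assumptions: Exchange 2013 or later,
# server EX01, reissued public certificate at C:\certs\mail.pfx, public name
# mail.domain.com resolvable both internally and externally.
$server  = "EX01"
$pfxPath = "C:\certs\mail.pfx"
$fqdn    = "mail.domain.com"
$pfxPass = Read-Host -AsSecureString "PFX password"

# 1. Import the reissued .PFX (with private key) into the server's certificate store.
$cert = Import-ExchangeCertificate -Server $server `
            -FileData ([System.IO.File]::ReadAllBytes($pfxPath)) `
            -Password $pfxPass -PrivateKeyExportable $true

# Check before binding anything: every name on the certificate should be a public
# name. Host names without a dot, or under .local, are internal-only and flagged.
$internal = $cert.CertificateDomains | Where-Object { "$_" -notmatch "\." -or "$_" -like "*.local" }
if ($internal) { Write-Warning "Certificate still carries internal names: $($internal -join ', ')" }

# 2. Assign Exchange services to the new certificate (IIS covers OWA, EWS,
#    ActiveSync and Autodiscover; SMTP covers TLS on the transport service).
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# 3. Point every client-facing URL at the public name so Outlook and OWA no
#    longer see a server name that does not match the certificate.
$dirs = @(
  @{ Cmd = "Set-OwaVirtualDirectory";         Id = "owa";                         Path = "owa" },
  @{ Cmd = "Set-EcpVirtualDirectory";         Id = "ecp";                         Path = "ecp" },
  @{ Cmd = "Set-ActiveSyncVirtualDirectory";  Id = "Microsoft-Server-ActiveSync"; Path = "Microsoft-Server-ActiveSync" },
  @{ Cmd = "Set-WebServicesVirtualDirectory"; Id = "EWS";                         Path = "EWS/Exchange.asmx" },
  @{ Cmd = "Set-OabVirtualDirectory";         Id = "OAB";                         Path = "OAB" }
)
foreach ($d in $dirs) {
    $url = "https://$fqdn/$($d.Path)"
    & $d.Cmd -Identity "$server\$($d.Id) (Default Web Site)" -InternalUrl $url -ExternalUrl $url
}
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri "https://$fqdn/Autodiscover/Autodiscover.xml"
Set-OutlookAnywhere -Identity "$server\Rpc (Default Web Site)" `
    -InternalHostname $fqdn -ExternalHostname $fqdn `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true

# 4. Verify: the certificate is bound to the services, and the URLs show the
#    public name rather than the old server name.
Get-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint |
    Format-List Services, CertificateDomains, NotAfter
Get-OwaVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
```

The same public name then goes on the load balancer's SSL profile, so the certificate presented by F5 or Kemp matches the one Exchange serves.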
Some companies do not want users to access email externally. This includes Outlook Web Access, Outlook, ActiveSync, and remote PowerShell for IT staff.
Using Exchange with an internal Certificate Authority (CA) is then fine, because the servers will only ever be queried internally and you don’t have to worry about certificate errors externally. However, when a new CIO or the board of directors decides they want external access, you will have some work on your hands to update certificates, URLs and external DNS. You can see how quickly the list of issues grows.
The best thing is to buy the SSL certificate, which will cost about $400 (it may be higher or lower depending on which external certificate authority you choose). Do not complain about the price. Why? Because data is one of the most valuable assets today, and if you do not secure your environment with a reputable SSL certificate and you expose your information to the Internet, your free SSL certificate could be intercepted by a hacker who wants to do damage.
SSL certificates: Do not take the easy way out
As I mentioned in one of my previous posts on handling a broken Exchange server, do not take the easy way out. Spend the time and do things properly, and discuss it with your IT managers in detail if they are challenging you. Remember, if you have to build a new server to handle certificate requests internally, it is an additional Windows licence cost, and if you are on older versions like Server 2008 or R2 you will need to upgrade, and upgrades mean a higher cost to maintain the server.
SSL certificates only need to be renewed every two years. Take the cost of the certificate and divide it by 24 and you will see it’s not actually that expensive. When it comes to server names, yes, you can see the information in the header of an email, for example, but not from Outlook Web Access unless you edit the HTML page and add it.
If you want to know more about why internal names and reserved IP addresses were changed, you can view it here. The CA/Browser Forum (CAB Forum) explains it in detail.
Featured image: Flickr / Bo-Yi Wu