Why you cannot use an Exchange server name in your SSL certificate

SSL certificates have been around for quite a while. You get normal SAN certificates, where you can have one or more names on the certificate, or you get a wildcard certificate, where you use your domain in the wildcard and can put any name you want in front of it. For example, your wildcard might be *.domain.com and you can have mail.domain.com or vip.domain.com.

A few years back, when you created your SSL certificate request on Exchange 2007 and 2010, you could include your server names in the certificate. So, for example, you would have mail.domain.com, Server1.domain.com, and Server2.domain.com. Mail.domain.com would be resolvable on the Internet, but your server names would not. Nobody outside could do a lookup on Server1.domain.com, but with the server names on the certificate and security getting tighter, your internal server names were now visible on the Internet. However, a change was made, and when you ordered your SSL certificates you could no longer use internal names; only public names were accepted.

This caused a bit of an outrage with customers as they wanted to have the server names on their SSL certificates and did not want to pay for a new one or go through the process of renewing the certificate with a public name. This would mean changing DNS records internally and also updating applications like Exchange.

What to do?

“What are my options,” you may ask? Well, you could use an internal certificate authority to issue the certificate to your Exchange server, but when people access Outlook Web Access (OWA) they would get certificate errors because the root CA is not trusted or not known. ActiveSync will either not work or give you errors as well. So, using an internal certificate authority is not going to work.

OK, so you say, “I will get a free SSL certificate.” No!!! You don’t know who the signing authority is and you could end up with someone spoofing your domain or hijacking your certificate and then causing more issues with Exchange and your environment. Remember, your SSL certificate does not only live on your Exchange server, it has to be on your load balancers and anything else offloading traffic.

The change is massive, especially in companies that might have many certificates, where the replacements would mean many hours spent renewing certificates and then changing all servers and appliances in the environment. Well, actually, it shouldn’t be an issue if you use an authority like DigiCert or RapidSSL, as you can go in and change the names on the SSL certificate and it will be reissued for you to add to your servers and load balancers. A .PFX certificate can be imported to IIS (Internet Information Services) on your Exchange server and then you can just assign services to the new certificate. The same applies to your load balancer, for example, F5 or Kemp.

Common issues

Now, if you didn’t update your Exchange URLs, you would need to do so, as the internal name configured on the URLs would cause issues like popups in Outlook saying the name is invalid or the certificate is invalid. This causes frustration for your users because they either cannot launch Outlook, keep getting popups when Outlook checks in the background, or get certificate errors in Outlook Web Access.
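The two checks discussed so far can be run before a certificate is ordered or swapped. This is an added example, not code from the original article: it flags SAN entries that are internal names or reserved IP addresses, and lists URL hosts that the new certificate's names (exact or wildcard) do not match. All hostnames, the suffix list, and the function names are constructed assumptions.

```python
import ipaddress

# Assumption: a short illustrative list of suffixes that are not public TLDs.
# A production check would consult the IANA Root Zone Database instead.
NON_PUBLIC_SUFFIXES = (".local", ".lan", ".internal", ".corp")


def classify_name(name):
    """Classify one SAN entry the way a public CA has to look at it."""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        host = name.lower().rstrip(".")
        # Single-label names and non-public suffixes cannot be validated publicly.
        if "." not in host or host.endswith(NON_PUBLIC_SUFFIXES):
            return "internal-name"
        return "public-name"
    return "public-ip" if ip.is_global else "reserved-ip"


def covers(cert_name, host):
    """True if a certificate name (exact or wildcard) matches the host."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        # A wildcard replaces exactly one left-most label, nothing deeper.
        first, _, rest = host.partition(".")
        return bool(first) and rest == cert_name[2:]
    return cert_name == host


def audit(cert_names, url_hosts):
    """Return SAN entries a public CA refuses and URL hosts the cert misses."""
    refused = [n for n in cert_names
               if classify_name(n) in ("internal-name", "reserved-ip")]
    unmatched = [h for h in url_hosts
                 if not any(covers(n, h) for n in cert_names)]
    return {"refused_by_public_ca": refused, "hosts_without_match": unmatched}


# Constructed sample data: an old-style request, its public-only replacement,
# and the hosts still configured in the Exchange URLs.
OLD_REQUEST = ["mail.example.com", "EXCH01", "exch01.corp.local", "10.0.0.5"]
NEW_CERT = ["mail.example.com", "*.example.com"]
URL_HOSTS = ["mail.example.com", "autodiscover.example.com", "exch01.corp.local"]

if __name__ == "__main__":
    print(audit(OLD_REQUEST, []))
    print(audit(NEW_CERT, URL_HOSTS))
```

Any host reported under `hosts_without_match` is a URL that will produce the name-mismatch popups until it is changed to a name on the certificate.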

Some companies do not want users to access email externally. This includes Outlook Web Access, Outlook, ActiveSync, and remote PowerShell for IT staff.

Using Exchange with an Internal Certificate Authority (CA) is then fine because the servers will always query internally and they don’t have to worry about certificate errors externally. However, when a new CIO or the board of directors decides they want to have access, well then you will have some work on your hands to update certificates and URLs and DNS externally. You see how quickly the list of issues grows.

The best thing is to buy the SSL certificate, which will cost about $400. (It may be higher or lower depending on what external certificate authority you choose.) Do not complain about the price. Why? Because data is one of the most valuable items today and if you do not secure your environment with a reputable SSL certificate and expose your information to the Internet, your free SSL certificate could be intercepted by a hacker who wants to do damage.

SSL certificates: Do not take the easy way out

As I mentioned in one of my previous posts on handling a broken Exchange server, do not take the easy way out. Spend the time and do things properly, and discuss it with your IT managers in detail if they are challenging you. Remember, if you have to build a new server that will handle certificate requests internally, it is an additional Windows license cost, and if you are on older versions like Server 2008 or R2, you will need to upgrade, and upgrades mean a higher cost to maintain the server.

SSL certificates only need to be renewed every two years. Take the cost of the certificate and divide it by 24 and you will see it’s not actually that expensive. When it comes to server names, yes, you can see the information in the header of an email, for example, but not from Outlook Web Access unless you edit the HTML page and add it.

If you want to know more about why the rules for internal names and reserved IP addresses were changed, you can view it here. The CAB forum will explain it in detail for you.


Edward van Biljon

Edward van Biljon is an experienced messaging specialist working in the IT and services industry. He is skilled in WSUS, domain name system, datacenters, printer support, and System Center Configuration Manager (SCCM). He has a background as a strong IT professional and has an international diploma in programming focused on computer programming.
