I'm looking to roll out Exchange 2013. We also have various web facing properties.

We have an internal domain name of ourdomain.local and an external domain name of ourdomain.com.

To keep things as simple as possible I'd like to use a SAN certificate that supports wildcards. My thinking is that I would have the following domains:

ourdomain.com *.ourdomain.local *.ourdomain.com

I know that .local and other non-registered internal domains will not be able to be registered after 2015 (https://cabforum.org/internal-names/) so I need a long-life cert. I also know that this setup won't be as secure as some other solutions.

Has anyone used a SAN certificate that also supports wildcards for Exchange?

Christopher Edwards
  • Could you create your own certificate and distribute them to your devices? Or is bring-your-own-device support a requirement in your setup? – Joffrey Oct 09 '14 at 14:14
  • @Joffrey - It's BYOD for activesync devices. – Christopher Edwards Oct 09 '14 at 14:18
  • Millions of shops have this issue - it's due to the customer having started off with SBS 10+ years ago. – Christopher Edwards Oct 09 '14 at 14:20
  • @ChristopherEdwards - I am, actually, familiar w/ time value of money. The environment is only going to get larger and more entrenched. Fixing a problem now is nearly always preferable, to me, vs putting it aside for another day. I suppose there's a likelihood that the Customer is going to end up, in a few years, w/ no on-site infrastructure, so hedging for the future might be a good bet, but it might not be. I'll leave your question for others to answer. (If you haven't rolled Exchange 2007 or newer yet a domain rename is actually very feasible and wouldn't cost "10,000's".) – Evan Anderson Oct 09 '14 at 14:26
  • We have rolled out Exchange 2007. – Christopher Edwards Oct 09 '14 at 14:28
  • `I know that .local and other non-registered internal domains will not be able to be registered after 2015 (https://cabforum.org/internal-names/) so I need a long life cert` This is not an option, because they've also imposed a limit on the expiration date for certs with invalid TLDs. Forced my employer to do an AD migration project with their Exchange upgrade... and that's what's best for your employer or client too. If you can't get them to do that, the best you'll be able to do is kick the can a couple years down the road, or set up some convoluted, support nightmare for DNS. – HopelessN00b Oct 09 '14 at 17:08

1 Answer

You can simply use split-brain DNS to mirror your "ourdomain.com" public entries, substituting the internal IPs for your Exchange hosts, and do this with one proper SAN cert.

Per Paul Cunningham, you could also use an internal PKI for the .local certs and use a proper public cert for your public entries.

mfinni
  • Yeah, I was considering that (first part). My worry is I have seen issues with this approach and DNS caching. Someone has their iPhone in the office connected to the WLAN, they go outside the office then switch to 3G but can't reach ActiveSync because they have a cached non-routable address. If I get no bites on this question I'll probably have internal and external users both access the external IPs of the servers. – Christopher Edwards Oct 09 '14 at 14:34
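As an added example, not code from the question or the answer: a PowerShell sketch of the split-brain approach described in the answer above, using a short TTL to shrink the stale-cache window raised in the comment, and a certificate request that carries public names only. The host names, the 10.0.0.x addresses, the file path and the server name EX01 are assumptions; the DNS cmdlets run on the internal DNS server and the Exchange cmdlets in the Exchange Management Shell.

```powershell
# Split-brain DNS for ourdomain.com on the internal (AD-integrated) DNS server.
# Constructed example: host names, addresses, path and server name are assumptions.
# Exchange hosts resolve to internal addresses inside and public addresses outside,
# and every name in the certificate is a registered public name (no .local SANs).

$zone       = 'ourdomain.com'
$mailHost   = 'mail'                  # assumed Exchange client access name: mail.ourdomain.com
$internalIp = '10.0.0.25'             # assumed internal address of the Exchange host
$ttl        = New-TimeSpan -Minutes 5 # short TTL limits how long a roaming device keeps the internal IP

# 1. Internal copy of the public zone. Only the records created here exist internally,
#    so every public name clients need (www, etc.) must be mirrored with its public IP.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Domain'
}
Add-DnsServerResourceRecordA     -ZoneName $zone -Name $mailHost -IPv4Address $internalIp -TimeToLive $ttl
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'autodiscover' -HostNameAlias "$mailHost.$zone" -TimeToLive $ttl

# 2. Certificate request with public names only (Exchange Management Shell).
$req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "CN=$mailHost.$zone" `
    -DomainName "$mailHost.$zone", "autodiscover.$zone" `
    -FriendlyName 'Exchange 2013 public SAN'
[System.IO.File]::WriteAllBytes('C:\certs\exchange.req', [System.Text.Encoding]::Unicode.GetBytes($req))

# 3. Point internal Autodiscover at the public name so internal clients never need a .local name.
Set-ClientAccessServer -Identity 'EX01' `
    -AutoDiscoverServiceInternalUri "https://autodiscover.$zone/Autodiscover/Autodiscover.xml"

# 4. Check: the same name must give an RFC 1918 address from the internal DNS server
#    (assumed 10.0.0.10) and a public address from an external resolver.
$inside  = (Resolve-DnsName "$mailHost.$zone" -Type A -Server '10.0.0.10').IPAddress
$outside = (Resolve-DnsName "$mailHost.$zone" -Type A -Server '8.8.8.8').IPAddress
"internal: $inside  external: $outside"
```

The TTL only bounds the stale-cache window; a device that switches networks within it will still try the internal address until the record expires.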