
I have a machine running Server 2003 R2 and Exchange 2007. When it was originally set up (before my time) a self-signed certificate was installed; however, it's about to expire, and now seems like a good time to fix it.

My question is - when buying a certificate, can I buy it for a single domain or do I need multiple domains? The machine itself is behind a hardware gateway, and it is the only Exchange server we have. We access OWA externally at https://webmail.example.org; however, that should be the only place we actually need a proper certificate, right? Shouldn't it suffice to just self-sign all the internal certificates that Exchange needs and buy a real cert for the external access? What about securing SMTP/IMAP connections externally?

  • I'll give some more info on my setup: Everything is behind a single gateway and all external subdomains are just CNAMEs to the main domain. Internally clients only use Outlook to access email; externally only IMAP and SMTP are available, also OWA. We don't support ActiveSync. We don't use Office 2007 yet but will be in the near future; however, autodiscovery will only be for internal use - we just tell users to use example.org for IMAP/SMTP. –  Oct 04 '09 at 00:00

4 Answers

2

Also depends on what -- if anything -- you're using for management; in some cases SCOM requires a certificate (I don't know the details). I set up a cert for an Exchange 2007 hosted at an IaaS site, and ended up with 5 names on the cert...

Examine your needs. A shopping list to get started with is:

  • The computer's internal NetBIOS network name.
  • The computer's internal fully qualified network name.
  • webmail.companyname.com -- for Outlook Web Access and PDAs.
  • mail.companyname.com -- or whatever name you have set up in public DNS (MX) for this server, if you have public SMTP on the server.
  • autodiscover.companyname.com -- if you use Office 2007 Autodiscovery.

Some certificate vendors have specific instructions for Exchange servers -- there may be others / better deals out there; I haven't researched this recently.

  • There's a detailed explanation of how to format the certificate request in the Exchange PowerShell console in this article on isaserver.org - http://www.isaserver.org/tutorials/Publishing-Exchange-2007-OWA-Exchange-ActiveSync-RPCHTTP-using-2006-ISA-Firewall-Part4.html . They recommend adding the bare domain name as a 6th subject alternate name but do admit that they aren't sure if it's needed. – Helvick Oct 03 '09 at 00:19
1

Get a single 3rd party cert for "mail.example.org" and make it the cert for both by pointing OWA to "mail.example.org". If your users are used to "webmail.example.org" just redirect it.

TheCleaner
  • Exchange 2007 requires a UCC certificate and you'll need to register a minimum of 4 hostnames with it - Exchange server NetBIOS name, internal FQDN, external FQDN for the OWA server, autodiscover FQDN. If your MX record points to a different FQDN than the OWA server FQDN, then you'd probably do best to add that in too. – AlexTEH Oct 03 '09 at 00:39
0

Without knowing more, I'd say you need two certificates -- one, which is signed by a third party, for webmail.example.org, and one, which can be self-signed, for the IMAP/SMTP/Exchange internal traffic.

Yes, you should be able to get away with self-signing the internal certificates, especially as you can probably create a CA and install that CA certificate on your users' computers so they don't even get prompted.

Silas Snider
0

At a minimum, you'll want to include your OWA name, your internal server name, and an autodiscover name (autodiscover.yourdomain.com) to enable Autodiscover in newer email clients. You'll want to get a Unified Communications certificate to do this. See http://www.sslshopper.com/article-how-to-use-ssl-certificates-with-exchange-2007.html for more information.

Robert
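The shopping list in the first answer and the Unified Communications certificate recommended in the last answer come together in a single certificate request. The following is an added example, not code from any of the answers above, of what that request and the subsequent import look like in the Exchange 2007 Management Shell. `EXCH01`, `exch01.corp.example.org`, `mail.example.org`, the `O=` value and the `C:\certreq` paths are placeholders; `webmail.example.org` and `example.org` come from the question.

```powershell
# Added example (not from the original thread): one UCC/SAN request for
# Exchange 2007 covering the names the answers above list. Every name here
# other than webmail.example.org / example.org is a placeholder to replace.
$names = @(
    "EXCH01",                    # internal NetBIOS name (placeholder)
    "exch01.corp.example.org",   # internal FQDN (placeholder)
    "webmail.example.org",       # OWA name from the question
    "mail.example.org",          # public SMTP/IMAP name, i.e. the MX target (placeholder)
    "autodiscover.example.org"   # Outlook 2007 Autodiscover
)

# Generate the CSR. Exchange 2007's New-ExchangeCertificate writes the request
# file directly via -Path; the CN in -SubjectName should also appear in -DomainName.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Example Org, CN=webmail.example.org" `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -Path C:\certreq\exchange.req

# After the CA returns the signed certificate, import it and bind it only to
# the client-facing services. This replaces the self-signed certificate for
# IIS (OWA/Autodiscover), SMTP and IMAP, which covers the external
# SMTP/IMAP question as well, provided clients connect to a listed name.
$thumb = (Import-ExchangeCertificate -Path C:\certreq\exchange.cer).Thumbprint
Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS,SMTP,IMAP

# Confirm which certificate now serves which services, which names it carries,
# and when it expires, so the next renewal does not come as a surprise.
Get-ExchangeCertificate | Format-List Thumbprint,Services,CertificateDomains,NotAfter
```

The check at the end is the one worth repeating after any change: a name missing from `CertificateDomains` shows up to users as a certificate warning, and a self-signed certificate left bound to a service in `Services` means the purchased certificate is not actually being presented there.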