Microsoft Exchange and Blackberry Server Specialists

Single Name SSL Certificate

On this Page

  • Requirements
  • Initial Configuration Internal Operation
  • Script for Exchange Server Configuration
  • External Configuration
  • References

Exchange 2007 Version

Introduction

Exchange 2010 relies heavily on web services, and to secure those services, uses SSL certificates. By default, when you install Exchange 2010 it generates an SSL certificate for you. However that certificate will generate prompts outside of the network, when used with OWA etc. Furthermore it is not supported for use with ActiveSync or Outlook Anywhere.
Therefore to ensure that you do not get any certificate prompts, you need to change the SSL certificate for a commercial trusted SSL certificate. 

Ideally, you should be deploying a SAN (Subject Alterative Name) or UC (Unified Communications) certificate. These will contain the additional names that you need to use with Exchange 2010, including the name for OWA and autodiscover.example.com. The process to deploy the preferred certificate type is here.

However for various reasons, including the cost or investment in an existing SSL certificate, you may not wish to purchase an additional certificate.
Therefore using a single name certificate is an attractive option, particularly when you can get a new certificate https://CertificatesForExchange.com for US$30/year.
However until a change introduced by Microsoft with Outlook 2007 SP1, using a single name certificate involved multiple certificates and multiple sites. With the introduction of Windows 2008, and Microsoft stating that Outlook Anywhere outside of the Default Web Site is not a supported configuration, this method became redundant.

However configuring Exchange to use a single name certificate can be complicated, and this guide will show you what you need to do.

Unified Messaging

If you are using Unified Messaging then you cannot use this process for the UM role. UM requires that the server's real name is located in the SAN certificate. With a single name certificate you will find that you are unable to enable the certificate for the UM role. Therefore you will have to change the certificate to a UC/SAN type certificate with the required names in it.

Requirements

  • Exchange 2010
  • Outlook 2007 SP1 or higher - This is a HARD requirement if you are going to use Outlook Anywhere, as the settings used were introduced in the Service Pack.
  • SRV record support at your external DNS host - again this is a HARD requirement to use Outlook Anywhere and you should not start on these changes unless you can set these types of records.
    If you do not have SRV support at your external DNS host then you should not make these changes. It does rely on the SRV records to work correctly.
    You have two options.
    1. Transfer to another domain name service provider that supports SRV records, such as GoDaddy https://CertificatesForExchange.com .
    2. Purchase a SAN certificate, which contains the additional names required.
       
  • Commercial SSL certificate
    If you need to purchase a single name SSL certificate then you can do so from https://CertificatesForExchange.com however if you already have a regular SSL certificate - perhaps from an Exchange 2003 deployment, then that certificate can be used - that is who this article is aimed at.

Initial Configuration - for Internal Operation

The first thing to do is get it working internally. There are a number of reasons for this, the main one being that the entire environment is under your control and can be checked thoroughly as you go along. These settings also apply if you are going to use Exchange 2010 exclusively internally, so no Outlook Anywhere or ActiveSync use.

  1. Setup Split DNS
    You need to setup a split DNS system so that your external name on the certificate resolves internally to the internal IP address of the Exchange server.
    For example, if your certificate was issued to mail.example.net and your Exchange server was on 192.168.11.2 then you would need to ensure that mail.example.net resolves internally to 192.168.11.2. To ensure that DNS works correctly for the zone, you may have to put in additional entries - for example "www" to allow www.example.net to resolve. Refer to our split DNS instructions here: Split DNS.
     
  2. Autodiscover DNS settings.
    You need to make some additional settings in the internal DNS zone.
    1. Remove any existing entries for autodiscover from the DNS zone.
    2. Second, in the DNS zone, right click on the Zone and choose "Other New Records". Choose "Service Location (SRV)" 
      Fig 1: Select Resource Record Type
      Fig 1: Select Resource Record Type

       

    3. Remove the field that comes up by default (_finger) and replace with _autodiscover. For the protocol choose _tcp (which should be the default). Leave priority and weight as the default (0) and set the port as 443.
      Finally set the host as mail.example.net

      Fig 2: New Resource Record
      Fig 2: New Resource Record

      Do not attempt to use another port. As with Outlook Anywhere, it is hard coded to use port 443. Using another port does not enhance your network security, as you do not get security by obscurity.

  3. Certificate Settings in Exchange 2010.
    You need to ensure that your external certificate is imported in to Exchange correctly, so that it is used for all services. Follow the certificate installation guidelines here.
     
  4. Web Services URLs and Other Client Access Settings
    A number of changes have to be made within the Exchange URLs to use the external host name as per the SSL certificate. Follow our Web Services And Other Client Access Host Names guide for instructions on what to change.
     

External Configuration

For this method to work externally, you need to make the following changes

  • Open port 443 on the firewall.
    This is the only port that is required for Exchange web based services. You do not need to open any other ports - certainly not 80 or anything in the 6xxx range that you may have read elsewhere.
    For Exchange to operate fully it only requires two, at most three ports to be open - 443 (https), 25 (SMTP), 587 (legacy TLS/SSL port).
    You only need to open port 110 (POP3) and 143 (IMAP) if you are supporting those protocols.
  • Add SRV DNS records to the external DNS configuration.
    You should have already confirmed that this is a supported configuration from your domain name management service. If it is not, then you will be unable to use this method until you transfer to a domain name management service that does. 

References

Elsewhere on this site

Split DNS: http://exchange.sembee.info/network/split-dns.asp

Author's Blog

Unified Messaging Requires the Server Name in the SSL Certificate: http://blog.sembee.co.uk/post/Unified-Messaging-Requires-the-Server-Name-in-the-SSL-Certificate.aspx 

Third Party Sites

Certificate Supplier: https://CertificatesForExchange.com

Microsoft Knowledgebase

Warning message when you start Outlook 2007 and then connect to a mailbox that is hosted on an Exchange 2007-based server: "The name of the security certificate is invalid or does not match the name of the site"
http://support.microsoft.com/kb/940726

A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service
http://support.microsoft.com/kb/940881

Requires Outlook 2007 SP1 or higher or this roll up: http://support.microsoft.com/kb/939184  (June 27th 2007)