Monday, February 9, 2009

Exchange 2007 and SSL

Installing an SSL certificate on an Exchange 2007 server is about the most unnecessarily complicated task I have come across to date. Unlike 2003, you have several names that this certificate needs to respond to, called SANs or 'Subject Alternative Names', such as autodiscover, mail (or your external FQDN), your internal DNS name, and your internal NetBIOS name. This certificate is so convoluted that most SSL certificate companies have a special process JUST for creating Exchange 2007 certificates (and a REALLY special price to go with it...).

This site makes the process a little less painful by explaining in clear English, step by step, what needs to be done to generate the request from Exchange, which you then submit to your CA (or an external CA such as Entrust) so that you can get your .cer and move on.

http://exchangeninjas.com/cascert
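
For orientation, here is roughly what that request, import and enable sequence looks like in the Exchange Management Shell. This is an added example, not taken from this post or the linked guides; the example.com / example.local host names, the organization string and the file paths are placeholder assumptions.

```powershell
# Added example: host names, organization string and file paths are placeholders.
# Run in the Exchange Management Shell on the Exchange 2007 server.

# The names the certificate must answer to (the SANs described above).
$names = @(
    'mail.example.com',          # external FQDN (also used as the subject CN)
    'autodiscover.example.com',  # Autodiscover
    'ex01.example.local',        # internal DNS name
    'ex01'                       # internal NetBIOS name
)

# 1. Generate the request; the private key stays on this server.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Corp, cn=$($names[0])" `
    -DomainName $names `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path 'C:\certs\exchange2007.req'

# 2. Submit exchange2007.req to your CA, save the issued certificate as
#    C:\certs\exchange2007.cer, then import it so it pairs with the pending key.
$cert = Import-ExchangeCertificate -Path 'C:\certs\exchange2007.cer'

# 3. Confirm the CA issued every requested name before putting it into service.
$issued  = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing = $names | Where-Object { $issued -notcontains $_.ToLower() }
if ($missing) {
    throw ("Issued certificate is missing names: " + [string]::Join(', ', @($missing)))
}

# 4. Bind the certificate to the services that should present it.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'
```

The check in step 3 catches the common case where a CA drops or rewrites a SAN, which otherwise only shows up later as certificate name-mismatch warnings in Outlook.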

Microsoft even links to that site, as well as other useful sources (such as vendors that provide these special Exchange certificates), on this page:

http://support.microsoft.com/?id=929395

-----------UPDATE---------------

Just another site that has proved useful to me in configuring an Exchange 2007 server with a UCC (multi SAN certificate):

http://www.sembee.co.uk/archive/2008/05/30/78.aspx

-----------UPDATE---------------

After doing some research and consulting with some of my fellow techs, I found an article that describes how you can actually implement an Exchange 07 server (in a supported manner) that needs only a single name SSL certificate. The site is here:

http://www.amset.info/exchange/singlenamessl.asp

The major limitations of going this way are that you cannot use UC in Exchange 07 if you use this method, and your external DNS host MUST support SRV records (not a lot of them do...).
