
SBS 2008 server: the third-party SSL certificate has just expired!!

Trying to renew with a two-year SAN/Multi-Domain SSL.

Going through the SBS Console to add a new cert and get the CSR to copy/paste into the website to generate the cert, it shows me my external domains AND my .local domain...

  • ~ExtDomain~.co.uk
  • remote.~ExtDomain~.co.uk
  • SBS-SRV.~IntDomain~.local

We need to remove 'SBS-SRV.~IntDomain~.local' from the CSR, as only external FQDNs are allowed in the new SHA-2 certificates.

Exchange 2007 Shell

Get-ClientAccessServer | select name,*internal* | fl
Get-OABVirtualDirectory | select server,name,*url* | fl
Get-WebServicesVirtualDirectory | select name,*url* | fl
Get-UMVirtualDirectory | select name,*url* | fl
Get-ActivesyncVirtualDirectory | select name,*url* | fl
Get-OwaVirtualDirectory | select name,*url* | fl
Get-OutlookAnywhere | fl

All the above (and variants without filters) show InternalURL and ExternalURL as the correct ExtDomain names,

i.e.

[PS] C:\>Get-ClientAccessServer | Select Name, *Internal* | fl
Name    : xxxxxx-srv
AutoDiscoverServiceInternalUri : https://remote.xxxxxx.co.uk/Autodiscover/Autodiscover.xml

[PS] C:\>Get-OABVirtualDirectory | select server,name,*url* | fl
Server      : xxxxxx-srv
Name        : OAB (SBS Web Applications)
InternalUrl : https://remote.xxxxxx.co.uk/OAB
ExternalUrl : https://remote.xxxxxx.co.uk/OAB

[PS] C:\>Get-WebServicesVirtualDirectory | Select name, *url* | fl
Name                 : EWS (SBS Web Applications)
InternalNLBBypassUrl : https://xxxxxx-srv.xxxxxx.local/EWS/Exchange.asmx
InternalUrl          : https://remote.xxxxxx.co.uk/EWS/Exchange.asmx
ExternalUrl          : https://remote.xxxxxx.co.uk/EWS/Exchange.asmx

I have read lots of posts, but everything was OK and I haven't needed to change anything.

ref - http://support.microsoft.com/en-us/kb/940726

Any ideas?

Many Thanks.

Sparki
    Yup, it's time to migrate to a new forest. One that conforms to proper Active Directory naming practices, and doesn't use an illegal/invalid DNS name. May as well ditch SBS 2008, while you're at it, since EoL for that is only a couple years out. – HopelessN00b Apr 08 '15 at 14:38
  • HopelessN00b, Nice, thanks for the input... EoL in a couple of years gives the client time to save ££ to upgrade, but till then need a fix. – Sparki Apr 08 '15 at 14:44
  • 2
    Well, the problem is that it's broken **now** because their Active Directory has an invalid DNS name, and public certificate authorities will no longer issue certificates for such domains. The solution is to migrate to a properly named domain. **Full stop**. Since the platform their current domain is on is near the end of its life, it would probably be advisable to migrate to a newer platform *while you're at it* than to migrate to a new SBS 2008 domain, only to have to migrate again in ~2 years when the platform goes EoL. Either way, the answer is "migrate to a new domain with a proper name." – HopelessN00b Apr 08 '15 at 14:49
  • Please define "a properly named domain"?? – Sparki Apr 08 '15 at 21:19
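The audit the question runs by hand, as an added example that is not part of the original post or of SBS/Exchange: it walks every *Url, *Uri and *Hostname property of the Exchange 2007 client-access objects, flags the host names a public CA will refuse (single-label names, .local and similar private suffixes), and builds the SAN list for a request that carries only the public names. The sample objects are constructed to mirror the output pasted in the question; the cmdlet names, the suffix list, the bare external domain and the request file path are assumptions. It needs PowerShell 2.0 or later (New-Object -Property).

```powershell
# Added example, not from the question. Audit Exchange 2007 client-access names
# for host names a public CA will not certify, then build the CSR name list.

function Test-PublicHostName {
    param([string]$HostName)
    # Assumption: single-label names and reserved/private suffixes are what the
    # CA rejects; extend the pattern if the site uses another internal suffix.
    if ($HostName -notmatch '\.') { return $false }
    if ($HostName -match '\.(local|lan|internal|localdomain)$') { return $false }
    return $true
}

function Get-UrlHostName {
    # Reads every *Url / *Uri / *Hostname property of the objects returned by
    # Get-*VirtualDirectory, Get-ClientAccessServer and Get-OutlookAnywhere.
    param([Parameter(ValueFromPipeline=$true)]$InputObject)
    process {
        foreach ($p in $InputObject.PSObject.Properties) {
            if ($p.Name -notmatch '(Url|Uri|Hostname)$') { continue }
            $value = [string]$p.Value
            if ([string]::IsNullOrEmpty($value)) { continue }
            $uri = $null
            # ExternalHostname on Outlook Anywhere is a bare host, not a URL
            if ([System.Uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$uri)) {
                $hostName = $uri.Host
            } else {
                $hostName = $value
            }
            New-Object PSObject -Property @{
                Name     = $InputObject.Name
                Property = $p.Name
                HostName = $hostName.ToLower()
                Public   = Test-PublicHostName $hostName
            }
        }
    }
}

# Constructed sample, modelled on the output pasted in the question
$sample = @(
    (New-Object PSObject -Property @{
        Name = 'xxxxxx-srv'
        AutoDiscoverServiceInternalUri = 'https://remote.xxxxxx.co.uk/Autodiscover/Autodiscover.xml' }),
    (New-Object PSObject -Property @{
        Name        = 'OAB (SBS Web Applications)'
        InternalUrl = 'https://remote.xxxxxx.co.uk/OAB'
        ExternalUrl = 'https://remote.xxxxxx.co.uk/OAB' }),
    (New-Object PSObject -Property @{
        Name                 = 'EWS (SBS Web Applications)'
        InternalNLBBypassUrl = 'https://xxxxxx-srv.xxxxxx.local/EWS/Exchange.asmx'
        InternalUrl          = 'https://remote.xxxxxx.co.uk/EWS/Exchange.asmx'
        ExternalUrl          = 'https://remote.xxxxxx.co.uk/EWS/Exchange.asmx' })
)

$names = $sample | Get-UrlHostName

# Names the CA would refuse. In the sample this is exactly one entry, the EWS
# InternalNLBBypassUrl, the only name in the question's output that still
# references the server's .local FQDN.
$names | Where-Object { -not $_.Public } | Format-Table Name, Property, HostName -AutoSize

# Names the CSR can carry, plus the bare external domain from the original request
$sanList = @($names | Where-Object { $_.Public } | ForEach-Object { $_.HostName } | Sort-Object -Unique)
$sanList += 'xxxxxx.co.uk'   # assumption: bare domain wanted on the cert, as in the question

# On the live server, feed the real objects from the Exchange Management Shell instead:
# $names = @(Get-ClientAccessServer; Get-OABVirtualDirectory; Get-WebServicesVirtualDirectory;
#            Get-UMVirtualDirectory; Get-ActiveSyncVirtualDirectory; Get-OwaVirtualDirectory;
#            Get-OutlookAnywhere) | Get-UrlHostName
# and request a certificate naming only the public hosts, instead of the SBS console
# request that added the .local FQDN (assumption: Exchange 2007 syntax with -Path):
# New-ExchangeCertificate -GenerateRequest -SubjectName 'CN=remote.xxxxxx.co.uk' `
#     -DomainName $sanList -PrivateKeyExportable $true -Path C:\remote-xxxxxx.req
```

Before binding a certificate that no longer names the .local host, confirm that internal clients actually reach the server by the public name: the InternalUrl values in the question already point at remote.xxxxxx.co.uk, so internal DNS must resolve that name to the server's LAN address (split DNS), otherwise Outlook inside the network falls back to names the certificate does not cover and warns on every start.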

1 Answer


Fire up your own internal CA. Issue a cert with whatever names you need/want on it. Use Active Directory to deploy it to your domain-joined clients. Users who are not members of your Active Directory domain will get certificate errors that they will have to ignore until you've migrated to an adequately named domain and can once again replace with a globally trusted certificate.

Ryan Ries
  • Please define "an adequately named domain"?? – Sparki Apr 08 '15 at 21:22
  • @Sparki We've talked about it a lot on this site: http://serverfault.com/questions/76715/windows-active-directory-naming-best-practices – Ryan Ries Apr 08 '15 at 22:20
  • @Sparki [Feel free to see the question I asked about Active Directory naming](http://serverfault.com/q/567775/118258) last year, which links other questions on the topic, Microsoft's official recommendation and other third party resources. – HopelessN00b Apr 08 '15 at 22:21
  • Thanks, all very well and dandy, but... "The Active Directory Domain Service (AD DS) name extension (.local) is automatically appended to the internal domain name to form a full DNS name (for example, contoso.local)." - https://technet.microsoft.com/en-us/library/cc626155(v=ws.10).aspx – Sparki Apr 09 '15 at 13:49
  • From the very same article you cited: "If you want to use an AD DS name extension other than .local, you must specify the full DNS name." You're going to have to rename your domain... we've already covered this. – Ryan Ries Apr 09 '15 at 14:00
  • Just making the point that on SBS 2008 this was standard practice and recommended by Microsoft. I have an issue with a .local internal domain and I'm getting shot down for it. I came here for some advice and possibly a nudge in the right direction for a fix to an issue and wanted a decent answer other than "You're wrong, bin it"... – Sparki Apr 09 '15 at 14:11
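The internal-CA route the answer proposes, as an added example that is not part of the answer or of SBS/Exchange: the request is generated by Exchange itself so the key stays in the server's store, submitted to an AD-integrated (enterprise) CA that is allowed to put a .local name in the SAN, and the issued certificate is completed and bound to IIS and SMTP. Assumptions: Exchange Management Shell on the SBS server, an enterprise CA reachable as `$CAConfig` that publishes the WebServer template, Exchange 2007 parameter names (`-Path` on both cmdlets), and the server and domain names from the question.

```powershell
# Added example, not from the answer. Issue the Exchange certificate from an
# internal enterprise CA so it may carry the .local FQDN, then bind it.

$CAConfig    = 'CA01.xxxxxx.local\xxxxxx-CA'   # assumption: "host\CA name" of the internal CA
$RequestFile = 'C:\internal-remote.req'        # assumption
$CertFile    = 'C:\internal-remote.cer'        # assumption
$Names = @(
    'remote.xxxxxx.co.uk',       # external name used by OWA / Outlook Anywhere
    'xxxxxx.co.uk',
    'xxxxxx-srv.xxxxxx.local',   # the name the public CA refused
    'xxxxxx-srv'                 # NetBIOS name; fine on a privately issued cert
)

# 1. Exchange generates the key pair and a CSR with every name in the SAN
New-ExchangeCertificate -GenerateRequest -SubjectName 'CN=remote.xxxxxx.co.uk' `
    -DomainName $Names -PrivateKeyExportable $true -Path $RequestFile

# 2. Submit to the enterprise CA against the WebServer template and fetch the result
certreq -submit -config $CAConfig -attrib 'CertificateTemplate:WebServer' $RequestFile $CertFile
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 3. Complete the pending request in the local store and bind the cert to IIS and SMTP
$cert = Import-ExchangeCertificate -Path $CertFile
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# 4. Verify every requested name made it into the SAN before touching clients
$sanExt = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san = if ($sanExt) { $sanExt.Format($true) } else { '' }
foreach ($n in $Names) {
    if ($san -notmatch [regex]::Escape($n)) { Write-Warning "$n is missing from the SAN" }
}

# An enterprise CA's root is published to Active Directory and reaches domain-joined
# clients through Group Policy; for a standalone CA, publish it by hand (assumption
# about the file name):
#   certutil -dspublish -f C:\xxxxxx-CA-root.cer RootCA
```

Two caveats that follow from the answer: anything outside the domain (phones, home PCs, partner servers) never receives the private root and will see certificate warnings, exactly as the answer says; and because the same certificate is bound to SMTP, remote mail servers that do opportunistic TLS will be offered the private chain, which most accept without validation but which breaks any partner that enforces verification.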