- Certificate Authorities (CAs) will not issue SSL certificates with an expiry date later than November 1, 2015 whose Subject Alternative Name (SAN) or Common Name (CN) field contains an internal server name or reserved IP.
- Effective October 1, 2016, Certificate Authorities (CAs) will revoke all unexpired SSL certificates whose Subject Alternative Name (SAN) or Common Name (CN) field contains an internal server name or reserved IP.
All certificate authorities (CAs) will no longer issue SSL certificates for invalid Fully-Qualified Domain Names (FQDNs) with an expiration date later than November 1, 2015.
These issuance changes are being made because invalid FQDNs are not globally unique names and are therefore easy to falsify.
View the following whitepaper from the CA/Browser forum for additional information on this specific change:
Internal Server Names and IP Address Requirements for SSL
Microsoft Exchange
Many people use SAN SSL Certificates for Microsoft Exchange 2007 or 2010. It is recommended that these certificates be modified from an internal server name to an external server name as soon as possible. Additional information can be viewed at the end of this article for:
How to modify .local in Exchange 2007
How to modify .local in Exchange 2010
Article: http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/
Alternatives
One alternative is to use an additional external name instead. This can be a subdomain of your main domain (e.g. server01.example.com) or a name under a .net domain (.net = network), such as server01.example.net.
So far, the amended requirements apply only to Domain Validated (DV) SAN certificates. SSL certificates for which the organization has been validated (OV) are not affected by this change, so upgrading your DV certificate to an OV certificate is another alternative.
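To find the certificates affected by the rule above before a CA refuses or revokes them, the following added example (written for this article, not code from the CA/Browser Forum or any CA) classifies each CN/SAN value of a certificate as a public FQDN, an internal name, a public IP or a reserved IP. The non-public suffix list is an illustrative assumption; the authoritative test is whether the name ends in a TLD that resolves on the public Internet.

```python
import ipaddress
import re

# Suffixes that do not exist on the public Internet. This list is an illustrative
# assumption, not the authoritative rule: the real test is whether the name ends
# in a TLD that resolves on the public Internet.
NON_PUBLIC_SUFFIXES = (".local", ".lan", ".corp", ".internal", ".localhost",
                       ".test", ".example", ".invalid")

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def classify_san_entry(entry):
    """Classify one CN/SAN value as 'reserved-ip', 'public-ip', 'internal-name' or 'fqdn'."""
    value = entry.strip().lower()
    # IP-address entries: anything not globally routable (RFC 1918, loopback,
    # link-local, documentation ranges, ...) counts as a reserved IP.
    try:
        ip = ipaddress.ip_address(value)
        return "public-ip" if ip.is_global else "reserved-ip"
    except ValueError:
        pass
    # Host-name entries: strip a wildcard prefix, then require at least two
    # well-formed labels and a suffix that is not in the non-public list.
    host = value[2:] if value.startswith("*.") else value
    labels = host.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return "internal-name"          # e.g. "exchange01" or "srv_1.contoso.com"
    if host.endswith(NON_PUBLIC_SUFFIXES):
        return "internal-name"          # e.g. "exchange01.contoso.local"
    return "fqdn"


def find_internal_entries(entries):
    """Return the CN/SAN values a public CA will no longer certify."""
    return [e for e in entries
            if classify_san_entry(e) in ("internal-name", "reserved-ip")]


if __name__ == "__main__":
    # Constructed sample SAN list resembling a typical Exchange 2010 certificate.
    sample = ["mail.contoso.com", "autodiscover.contoso.com",
              "exchange01.contoso.local", "exchange01", "10.0.0.5"]
    for bad in find_internal_entries(sample):
        print(f"{bad}: {classify_san_entry(bad)}")
```

Every value the script reports needs to be replaced by an external name (or dropped from the certificate) before the certificate is renewed.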
More information
More information can be viewed by visiting the CA/Browser Forum website at https://www.cabforum.org/ or by viewing the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates at:
http://www.cabforum.org/Baseline_Requirements_V1.pdf
Modify .local in Exchange 2007
Follow these steps to change your internal name to an external name.
- Start the Exchange Management Shell.
- Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
- Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
- Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
- Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:
Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx
Note: This command is required only in an Exchange 2007 environment. It no longer exists in an Exchange 2010 environment; instead, the WebServices URL is used for this purpose.
- Open IIS Manager.
- Expand the local computer, and then expand Application Pools.
- Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
Modify .local in Exchange 2010
Follow these steps to change your internal name to an external name.
- Start the Exchange Management Shell.
- Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
- Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
- Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
- Open IIS Manager.
- Expand the local computer, and then expand Application Pools.
- Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.