► Manage Account

Portal Home > Knowledgebase > SSL Certificates > Support Documents > Improved Guidelines for Issuance of SAN SSL Certificates


Improved Guidelines for Issuance of SAN SSL Certificates




  • Certificate Authorities (CA’s) will not issue SSL certificates with an expiry date later than November 1, 2015 whose Subject Alternative Name (SAN) or Common Name (CN) field contains an internal server name or reserved IP.
  • Effective October 1, 2016 Certificate Authorities (CA’s) will revoke all unexpired SSL certificates whose Subject Alternative Name (SAN) or Common Name (CN) field contains an internal server name or reserved IP.


All certificate authorities (CA’s) will no longer issue SSL certificates for invalid Fully-Qualified Domain Names (FQDNs) with an expiration date later than November 1, 2015.

Invalid FQDNs are names that cannot have the ownership verified and are common for internal use (eg: .local). Along with invalid FQDNs, SSL certificates will no longer be issued for reserved IP addresses which are also common for internal server use.

The reason for these issuance changes is because invalid FQDNs are not unique names and therefore easy to falsify.

View the following whitepaper from the CA/Browser forum for additional information on this specific change:
Internal Server Names and IP Address Requirements for SSL


Microsoft Exchange

Many people use SAN SSL Certificates for Microsoft Exchange 2007 or 2010. It is recommended that these certificates be modified from an internal server name to an external server name as soon as possible. Additional information can be viewed at the end of this article for:
How to modify .local in Exchange 2007
How to modify .local in Exchange 2010

Article: http://exchangeserverpro.com/ssl-requirements-for-exchange-when-certificate-authorities-wont-issue-certificate/


Alternatives

A possible alternative for this change is by using an additional external name. This can be a sub domain of your main domain (eg server01.example.com) or by using a .net domain name (.net = network) like server01.example.net.

Until now, the amended legislation applies only for Domain Validated (DV) SAN certificates. SSL Certificates for which the organization has been validated (OV) do not have to deal with this change. Upgrading your DV certificate to an OV certificate is another alternative.


More information

More information can be viewed by visiting the CA/Browser forum website at https://www.cabforum.org/ or by viewing the CA/Browser Forum Baseline Requirements for the issuance and Management of Publicly-Trusted Certificates at:
http://www.cabforum.org/Baseline_Requirements_V1.pdf

Modify .local in Exchange 2007

Follow the instructions to transfer your internal name to an external name.

 

  1. Start the Exchange Management Shell.

  2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command and then press ENTER:
    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri
    https://mail.contoso.com/autodiscover/autodiscover.xml

  3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)"
    -InternalUrl https://mail.contoso.com/ews/exchange.asmx

  4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
    Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)"
    -InternalUrl https://mail.contoso.com/oab

  5. Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:
    Set-UMVirtualDirectory -Identity "CAS_Server_Nameunifiedmessaging (Default Web Site)"
    -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx

    Note This command is required only in an Exchange 2007 environment. This command no longer exists in an Exchange 2010 environment. Instead, the WebServices URL is used for this purpose.

  6. Open IIS Manager.

  7. Expand the local computer, and then expand Application Pools.

  8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

 

Modify .local in Exchange 2010

Follow the instructions to transfer your internal name to an external name.

  1. Start the Exchange Management Shell.
  2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command and then press ENTER:
    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri
    https://mail.contoso.com/autodiscover/autodiscover.xml
  3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)"
    -InternalUrl https://mail.contoso.com/ews/exchange.asmx
  4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
    Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)"
    -InternalUrl https://mail.contoso.com/oab
  5. Open IIS Manager.
  6. Expand the local computer, and then expand Application Pools.
  7. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.




Was this answer helpful?

Add to Favourites Add to Favourites    Print this Article Print this Article

Also Read