Re: 3rd party cert vs self signed




Elan,

Good point, I did forget about adding a Netbios name to the SAN. Thanks for your comments. Keep this up and I will have to consider you for nomination of being an MVP!

--
John Oliver, Jr
MCSE, MCT, CCNA
Exchange MVP 2009
Microsoft Certified Partner

"Elan Shudnow" <SubstituteThisWithMyFirstName@xxxxxxxxxxx> wrote in message news:eDX8X7MJJHA.5336@xxxxxxxxxxxxxxxxxxxxxxx
Another thing is, depending on the CA, you can request a NetBIOS name in your certificate. This should allow you to use your 3rd party certificate for SMTP. Also, if you have an internal CA, you should be able to request a PKI cert and use that for SMTP.

--
Elan Shudnow
http://www.shudnow.net



"Elan Shudnow" <SubstituteThisWithMyFirstName@xxxxxxxxxxx> wrote in message news:#Ihzq2MJJHA.1160@xxxxxxxxxxxxxxxxxxxx:

I'm not an MVP, but hey, I'll give it a shot anyways!

All you need to do is disable the 3rd party certificate from doing SMTP.
You can do "Enable-ExchangeCertificate -Thumbprint thumbprinthere
-Services None" and then do another "Enable-ExchangeCertificate
-Thumbprint thumbprinthere -Services ServicesotherthanSMTP." You can
then use your self-signed certificate and enable it for anything you
want really. I would just choose SMTP. But even if you enabled the
other services, as I stated, the PKI cert will have a higher precedence.

So yes, certs can co-exist. It just depends on what services are
enabled on them and order of precedence. Since SMTP will be disabled on
the PKI cert, it will still see SMTP enabled on the self-signed cert and
use that.

--
Elan Shudnow
http://www.shudnow.net
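The rebinding Elan describes above (strip all services from the 3rd-party cert, re-enable everything but SMTP on it, then put SMTP on the self-signed cert), written out as an Exchange Management Shell script with a verification step at the end. This is an added example, not code from the thread; the two thumbprints are placeholders to be replaced with values from Get-ExchangeCertificate on your own transport server, and the "IIS,POP,IMAP" list is an assumption about which services the 3rd-party cert should keep.

```powershell
# Added example; placeholders below must be replaced with real thumbprints
# taken from Get-ExchangeCertificate on the transport server.
$thirdPartyThumb = "<THUMBPRINT-OF-3RD-PARTY-UC-CERT>"
$selfSignedThumb = "<THUMBPRINT-OF-SELF-SIGNED-CERT>"

# 1. Inventory: which certificate currently carries which services, and
#    which names each one covers (the self-signed cert has the internal FQDN).
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# 2. Clear every service from the 3rd-party certificate, then re-enable only
#    the client-facing services that should keep the publicly trusted cert.
#    (Assumed set: IIS, POP, IMAP. Adjust to what is actually in use.)
Enable-ExchangeCertificate -Thumbprint $thirdPartyThumb -Services None
Enable-ExchangeCertificate -Thumbprint $thirdPartyThumb -Services "IIS,POP,IMAP"

# 3. Bind SMTP to the self-signed certificate. Exchange picks the SMTP cert
#    by precedence among certs that have SMTP enabled, so with SMTP removed
#    from the 3rd-party cert only the self-signed one remains a candidate.
Enable-ExchangeCertificate -Thumbprint $selfSignedThumb -Services SMTP

# 4. Verify the end state: exactly one certificate should carry SMTP, and it
#    should be the self-signed one. @() guards against a single-object result.
$smtpCerts = @(Get-ExchangeCertificate | Where-Object { $_.Services -match "SMTP" })
$smtpCerts | Format-Table Thumbprint, IsSelfSigned, Services -AutoSize

if ($smtpCerts.Count -ne 1 -or -not $smtpCerts[0].IsSelfSigned) {
    Write-Warning "SMTP is not bound exclusively to the self-signed certificate; check step 2."
}
```

Enable-ExchangeCertificate prompts before replacing the default SMTP certificate, so run this interactively the first time and read the prompt rather than suppressing it.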



"John Oliver, Jr. [MVP]" <jcoliverjr@xxxxxxxxxxx> wrote in message
news:#IIFHtMJJHA.4280@xxxxxxxxxxxxxxxxxxxx:


> Daniel,
>
> I don't think this is possible without renaming your domain but the other
> MVP's may chime in with a different solution. I always recommend naming
> internal domain with .local suffix to avoid this scenario.
>
> --
> John Oliver, Jr
> MCSE, MCT, CCNA
> Exchange MVP 2009
> Microsoft Certified Partner
>
> "Daniel Lund" <spaz@xxxxxxxxxxx> wrote in message
> news:F8A8151D-9EAA-4BB4-8318-0481B11EEB41@xxxxxxxxxxxxxxxx
>

> > I originally posted this so I could be assured of my fallback position
> > should something go horribly wrong. Since installing the 3rd party cert
> > something has happened, not horribly wrong but annoying. I posted it with
> > a subject of "Can PKI and Self signed certs coexist" which no one has
> > replied to so I'll include it here since it's related to this thread:
> >
> > So we obtained a 3rd party UC certificate for our external domain name
> > (call it external.com) and installed it on our Exchange 2007 transport
> > server and enabled it for all services. Now my Exchange clients in
> > Outlook 2007 get a certificate error that the internal FQDN for the
> > transport server is not on the certificate. Which makes sense. So I went
> > to add the internal AD domain name (call it internal.com) to the UC
> > certificate. Problem is internal.com is an internet domain name
> > registered to someone else, so I'll never get a certificate for it. How
> > to eliminate the error for my Exchange clients. The self signed cert is
> > still installed. Would I be able to remove SMTP from the 3rd party cert
> > and enable it on the self signed cert? If that's even possible would it
> > solve the problem?
> > Thanks in advance,
> > -Dan
> >
> >
> > "Elan Shudnow" wrote:
> >
> >> Yep, I'll agree to this as well. If you have a PKI cert and remote
> >> users, I have no idea why you'd go back to a self-signed cert.
> >>
> >> --
> >> Elan Shudnow
> >> http://www.shudnow.net
> >>
> >> "John Oliver, Jr. [MVP]" <jcoliverjr@xxxxxxxxxxx> wrote in message
> >> news:OeHlP12IJHA.3424@xxxxxxxxxxxxxxxxxxxx:
> >>
> >> > It was just a wild guess!
> >> >
> >> > --
> >> > John Oliver, Jr
> >> > MCSE, MCT, CCNA
> >> > Exchange MVP 2008
> >> > Microsoft Certified Partner
> >> >
> >> > "Martin Blackstone [MVP]" <martinb@xxxxxxxxxxxxx> wrote in message
> >> > news:O6utXs2IJHA.4600@xxxxxxxxxxxxxxxxxxxxxxx
> >> >
> >> > >
> >> > > "Andy David {MVP}" <adavid@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> >> > > message news:49g5e4p7ck7fm83b1jr07fm1hmv1pvjuru@xxxxxxxxxx
> >> > >
> >> > >> On Tue, 30 Sep 2008 16:09:53 -0400, "John Oliver, Jr. [MVP]"
> >> > >> <jcoliverjr@xxxxxxxxxxx> wrote:
> >> > >>
> >> > >>> Yes, I do not know why one would go back to the default Exchange
> >> > >>> cert from 3rd party SAN if they have remote users unless they do
> >> > >>> not have any remote users at some point or they decide to use a
> >> > >>> VPN Client would be my best guesses.
> >> > >>
> >> > >>
> >> > >> Yea, I can't imagine that's a common scenario!
> >> > >
> >> > > Yea!
> >>
