Invalid Fully Qualified Domain Names no longer accepted in Subject Alternative Names (SANS) in SSL certficates

After a recent legislation change, CA’s will no longer accept invalid fully qualified Domain name such as .local, servername.local as Subject Alternative Names for SSL’s expiring after 1 November 2015. If you already have got such an SSL certificate it will be revoked post this date.
I noticed this when renewing a 5 yr SSL certificate with Go-Daddy will give an error when you have Subject Alternative Names like .local, servername, servername.local.

As we all know if you use Exchange 2007/ 2010, you probably use an internal server name and an external name on your exchange service URLS like autodiscover. If you dont add this in your SAN you get the dreaded certificate mismatch error in Outlook.

“The name of the security certificate is invalid or does not match the name of the site”

Work Around:

To get around this issue, one can simply change the internal URLs to the external ones. For example you have internal name of servername.local, this will need to be changed to mail.contoso.com in the URLS, once this is done you will need to create a DNS zone for contoso.com on your internal DNS and create a host record for mail to point to the exchange servers internal IP address so that internal autodiscovery will work when you do the change.
The following will need to be done for Exchange 2007 via PS:

  1. Start the Exchange Management Shell.
  2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command and then press ENTER:
    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri
    https://mail.contoso.com/autodiscover/autodiscover.xml
  3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
    Set-WebServicesVirtualDirectory -Identity “CAS_Server_Name\EWS (Default Web Site)”
    -InternalUrl https://mail.contoso.com/ews/exchange.asmx
  4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
    Set-OABVirtualDirectory -Identity “CAS_Server_name\oab (Default Web Site)”
    -InternalUrl https://mail.contoso.com/oab
  5. Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:
    Set-UMVirtualDirectory -Identity “CAS_Server_Nameunifiedmessaging (Default Web Site)”
    -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx

    Note This command is required only in an Exchange 2007 environment. This command no longer exists in an Exchange 2010 environment. Instead, the WebServices URL is used for this purpose.
  6. Open IIS Manager.
  7. Expand the local computer, and then expand Application Pools.
  8. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

 

The same for Exchange 2010

  1. Start the Exchange Management Shell.
  2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command and then press ENTER:
    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri
    https://mail.contoso.com/autodiscover/autodiscover.xml
  3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
    Set-WebServicesVirtualDirectory -Identity “CAS_Server_Name\EWS (Default Web Site)”
    -InternalUrl https://mail.contoso.com/ews/exchange.asmx
  4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
    Set-OABVirtualDirectory -Identity “CAS_Server_name\oab (Default Web Site)”
    -InternalUrl https://mail.contoso.com/oab
  5. Open IIS Manager.
  6. Expand the local computer, and then expand Application Pools.
  7. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
Advertisements

Posted on November 1, 2012, in Microsoft, SSL and tagged , , , , , , , . Bookmark the permalink. 16 Comments.

  1. I’ve just come across this little issue myself. I also changed the Internal URL for the activesyncvirtualdirectory to be the same as the external URL.

    Godaddy didn’t revoke our certificate, but it wouldn’t let me renew it with domain.local in.

    All fixed now, thanks!

    Carl
    http://OxfordSBSGuy.com

  2. I am also trying to renew a certificate through Godaddy and came across this issue.

    Being a newbie to all things Exchange, can you give me just a bit more information? The steps you’ve laid out are clear enough to follow, but is there anything else that I’ll need to do first?

    How do I go about creating a new DNS zone? It appears that we have several SANs out there, can I just resort to another? What will this do to our email system?

    As you can see, I’m very nervous about following these steps blindly and not knowing how it may affect us.

    Thank you for sharing your knowledge!

  3. I’m a newbie to Microsoft Exchange and just went through the process of renewing our certificate with godaddy. I fear I went in the wrong order, however. When opening the Exchange Management Shell, I can no longer connect because I’ve already applied the certificate without the .local SANs. How can I make these changes now? Thanks so much for your help. I’m in over my head on this one.

    • sorry for the really late reply, sure you mush have sorted this, just for the benefit for others with the same issue, have you restarted IIS, tried EMC instead of EMS?

      you can create a new CSR from your exchange including the SAN names and rekey it again in godaddy.

  4. Awesome, thanks for the post. BTW I use Startssl.com for certificates, they are free for basic web and $59.99 onetime fee for unlimited ucc certs.

  5. Thanks for posting this Godwin, worked perfectly!

  6. Hello,

    Thank you for posting this. I found similar instructions on a few different websites. One thing I’m trying to dial down is how this will affect Outlook clients internally? I see that internally they are mapped to the client access server’s internal name. Will this all update itself for the many connected Outlook clients automatically or is there something I need to push?

    I’m using Exchange 2010 SP3

    • Just wanted to leave a follow up – It all worked. Thank you for the great instructions.

      • That’s brill, glad this helped you, to answer your previous question, you would have been fine as long as you had the internal dns zones configured for outlook to resolve the fqdns. Sorry about the late reply.

  7. I just ran into this issue. I followed your instructions to remap everything. I recycled the app pool. Still getting the warning… I rebooted the Exchange server… still getting the warning. It’s still picking up the local dns name for my exchange server (server.example.domain) and saying it’s a mismatch with the certificate. Any additional suggestions? Thanks in advance

    • Hi Steve, you mean to say you are still getting the error from the CA from who you are trying to renew your Ssl for exchange, can I confirm you have regenerated the csr without the internal fqdns after following the steps? What version of exchange are you running?

      • I wasn’t getting the error from the CA. Myself and my other end users were getting the mismatch error popup in Outlook, even after I performed the steps listed here (changing the internal URLs to match the external URLs).

        As it turns out, I think this did resolve my issue after all. I got desperate and removed the old self-signed certificate (not knowing what else I could modify), even though I had already assigned all the roles/services to the third-party cert. I never had to get rid of the self-signed cert when I originally deployed the third-party cert a few years back. However, this time it seemed to be what was throwing things off oddly enough (again, even though I already transferred roles/services to the renewed third-party cert).

        Anyhow, thank you for your help! I was happy to have found this site.

  8. Do you have work around steps for Exchange 2003?

  9. Hi, having an issue; “The name of the security certificate is invalid or does not match the name of the site” SERVER02.PLATINUM.local give the error relating to mail.domain.com

    AD is server 2012 which runs dns. vm is server 2008 R2 running exchange 2010. everything is fully patched. AD is SERVER01.PLATINUM.LOCAL – EXCHANGE is SERVER02.PLATINUM.LOCAL. Got a UCC without the .local that includes mail.domain.com and autodiscovery.com.

    I used this tool to adjust the exchange server https://www.digicert.com/internal-domain-name-tool.htm

    and followed this to add pinpoint dns the the ad
    http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/using-pinpoint-dns-zones-exchange-2010.html

    outlook anywhere and phones are fine. when outlook 2010 is launched internally or via the remote server it gives the error.

    Am I supposed to delete the existing forward that has server02.platinum.local pointing to itself or what else should I be looking at?

    Thanks!

  10. How do you transfer roles/services to the third party cert?

  11. this will need to be changed to mail.contoso.com in the URLS. What URLS? in IIS or Exchange mgmt. console and where are these urls?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: