Exchange Server SSL Certificate Authority Change
An industry-wide change is coming to SSL certificates that will affect Exchange Server and anything else using intranet names. On October 1, 2016, Certificate Authorities must revoke all unexpired certificates whose subject alternative names correspond to internal names. The long-recommended way of securing Exchange Server with an SSL certificate is coming to an end: in the past, a UCC (SAN) certificate was purchased with a common name pointing to the public DNS address and subject alternative names pointing to internal fully qualified domain names (usually with a suffix ending in .local or .int) so that internal clients trusted the certificate too. The good news is that you still have until October 31, 2013 to be issued a 2-year certificate with internal subject alternative names. Now that it’s 2016, good luck everyone!
Using Intranet and Reserved IP Addresses as the Primary Domain or Subject Alternative Name in SSLs
Date Submitted: 6-26-2012
The Internet security community is phasing out the use of intranet and reserved IP addresses as the Primary Domain Name or the Subject Alternative Name in SSL certificates.
This is an industry-wide decision, not one specific to our company.
An intranet name is any name that is not in the public Internet DNS (e.g. 'server1', 'mail', 'www', 'server2.local', etc.). A reserved IP address is any address designated by the Internet Assigned Numbers Authority (IANA) as being reserved.
To create a safer online environment, members of the Certificate Authorities Browser Forum (CA/Browser Forum) worked to define the guidelines and means of implementation of SSL Certificates. As a result of these meetings, effective on October 1, 2016, Certification Authorities (CAs) must revoke any SSL certificates that use intranet names or reserved IP Addresses.
As a result of this decision, on July 1, 2012, we no longer accept new requests, process rekeys or renewals, or allow any management of Subject Alternative Names for certificates that contain intranet names or reserved IP addresses, and are valid beyond November 1, 2015. If you have an existing certificate that contains an intranet name and/or a reserved IP address, you can continue to use that certificate until it expires or until October 1, 2016, whichever comes first.
To read CA/Browser Forum guidelines, go here.
For more information on which IPv4 addresses are reserved, go here. Some addresses are mentioned only in the footnotes. We do not support any certificates using IPv6.
If, like me, you are too lazy to read through the entire Baseline Requirements document, here are the instructions for modifying Exchange Server 2007 / 2010:
Exchange 2007
- Start the Exchange Management Shell.
- Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command and then press ENTER:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
- Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
- Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
- Modify the InternalUrl attribute of the UM Web service. To do this, type the following command, and then press ENTER:
Set-UMVirtualDirectory -Identity "CAS_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.contoso.com/unifiedmessaging/service.asmx
Note: This command is required only in an Exchange 2007 environment. It no longer exists in an Exchange 2010 environment; instead, the WebServices URL is used for this purpose.
- Open IIS Manager.
- Expand the local computer, and then expand Application Pools.
- Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
Exchange 2010
- Start the Exchange Management Shell.
- Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command and then press ENTER:
Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
- Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:
Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
- Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:
Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
- Open IIS Manager.
- Expand the local computer, and then expand Application Pools.
- Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
Click here to see Microsoft's documentation.
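Before changing anything, it helps to know which URLs and certificates still depend on intranet names. The following script is an added example (not from the original post or from Microsoft's KB article) for the Exchange 2010 Management Shell: it reads the same Autodiscover, EWS and OAB internal URLs the steps above modify, plus the domains on installed Exchange certificates, and reports any that are intranet names or reserved IPv4 addresses. `CAS_Server_Name` is a placeholder, and the non-public suffix list is an assumption based on the post's .local / .int examples.

```powershell
# Added example, not from the original post or Microsoft's KB article. Run it in the
# Exchange Management Shell on an Exchange 2010 CAS: it only reports which internal
# URLs and installed certificates still use intranet names or reserved IPv4 addresses.
# $CasServer is a placeholder for your CAS name.
$CasServer = 'CAS_Server_Name'

function Test-IntranetName {
    param([string]$Name)
    if ([string]::IsNullOrEmpty($Name)) { return $false }
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($Name, [ref]$ip)) {
        # IANA-reserved IPv4 ranges that commonly end up in certificates.
        $b = $ip.GetAddressBytes()
        return ($b[0] -eq 10) -or ($b[0] -eq 127) -or
               ($b[0] -eq 169 -and $b[1] -eq 254) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168)
    }
    # A single-label name is never in public DNS; the suffix list is an
    # approximation (assumption) based on the post's .local / .int examples.
    if ($Name -notmatch '\.') { return $true }
    return [bool]($Name -match '\.(local|int|lan|internal)$')
}

# Gather the same URLs the KB steps modify, plus the domains on installed certificates.
$findings = @()
$cas = Get-ClientAccessServer -Identity $CasServer
if ($cas.AutoDiscoverServiceInternalUri) {
    $findings += New-Object PSObject -Property @{ Source = 'AutoDiscover SCP'; Name = $cas.AutoDiscoverServiceInternalUri.Host }
}
foreach ($vd in @(Get-WebServicesVirtualDirectory -Server $CasServer) + @(Get-OABVirtualDirectory -Server $CasServer)) {
    if ($vd.InternalUrl) {
        $findings += New-Object PSObject -Property @{ Source = "InternalUrl $($vd.Identity)"; Name = $vd.InternalUrl.Host }
    }
}
foreach ($cert in Get-ExchangeCertificate -Server $CasServer) {
    foreach ($domain in $cert.CertificateDomains) {
        $findings += New-Object PSObject -Property @{ Source = "Certificate $($cert.Thumbprint)"; Name = "$domain" }
    }
}

$flagged = $findings | Where-Object { Test-IntranetName $_.Name }
if ($flagged) {
    Write-Warning 'Intranet names or reserved IPs still in use (no longer issued, revoked by October 1, 2016):'
    $flagged | Format-Table Source, Name -AutoSize
} else {
    Write-Host 'No intranet names or reserved IPs found in the checked URLs and certificates.'
}
```

Anything flagged under an InternalUrl source is what the Set-* commands above replace with the public name; anything flagged under a certificate is a reason to obtain a new certificate without those names.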
October 8, 2013 9:01 am
Hi Travis,
Thanks for putting this up. I’m pretty sure I know the answer to this question, but just to be completely sure: when going through the keying process for the SSL cert from someone like Godaddy, for example, I’m basically just clearing the auto-generated Alt names which come up that have private network/domain info; correct? Thanks again!
April 21, 2016 2:16 pm
Sorry for the reply 3 years too late! I’m sure you have already found the answer by now but you would be purchasing a new certificate, not renewing it.