Is it possible to create an internal SSL certificate with Subject Alternative Names

5

Having just upgraded from Exchange 2003 to Exchange 2010, I'm attempting to create a certificate that can be used both internally and externally (by staff).

Previously with Exchange 2003, we didn't need a certificate for internal use, so we simply created a certificate from our internal CA, with the CN of our external hostname for OWA.

With Exchange 2010 though, Outlook is using RPC over HTTPS internally too. Unless I'm missing something, it appears as though the internal CA with Windows Server doesn't allow the creation of certificates with SANs. The certificate for internal use needs to be created by a trusted CA, which the Windows CA is.

But to allow staff's home PCs to connect via RPC over HTTPS, it seems to be impossible to configure Outlook to connect, as it fails with certificate error 0x00000010 (FLAG_CERT_CN_INVALID)

This would be rectified if I could include the external CN as a SAN.

As there is only a small handful of staff wanting to use Outlook anywhere, we'd rather not have to purchase an externally trusted SSL certificate. Is this possible, or do we need to spend some cash to achieve this objective?

iis-7
exchange-2010
ssl-certificate
active-directory
certificate
asked on Server Fault Sep 12, 2011 by Bryan

2 Answers

6

You have to enable SANs on the CA server:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
answered on Server Fault Sep 12, 2011 by Chris S
6

A Windows CA certainly can issue a certificate with a Subject Alternative Name, you just need to make a little tweak on the certificate server.

Run the following commands one after another in cmd.exe (you'll need to elevate on Windows Server 2008 or later).

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

You should probably run through Security best practices for allowing SANs in certificates on TechNet before you do, for some things to be aware of.

answered on Server Fault Sep 12, 2011 by Ben Pilbrow
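Added worked example (not part of either answer above, and not Microsoft's or the asker's code). It shows both answers' CA-side flag with a verification step and a way to turn it back off, and then the alternative the TechNet best-practices article steers you towards: putting the SANs into the certificate request itself, which the CA honours for a template that allows the subject to be supplied in the request (the built-in WebServer template) without the CA-wide flag. The point matters because EDITF_ATTRIBUTESUBJECTALTNAME2 lets any account that can enroll add arbitrary names via request attributes, so it should not be left on permanently. Assumed names: CA host "ca01", CA name "Contoso-CA", internal Exchange host "mail.corp.example.com", external name "mail.example.com", and the path C:\certs; the Exchange Management Shell is assumed to be loaded for the New-/Import-/Enable-ExchangeCertificate cmdlets.

```powershell
# Added example for the Q&A above; not code from the original page.
# Assumptions (hypothetical): CA "ca01\Contoso-CA", external name mail.example.com,
# internal name mail.corp.example.com, working directory C:\certs.

### Option A: what both answers do, with a check and an undo ###
# Run elevated on the CA. This is CA-wide: any enrollee can then supply
# arbitrary SANs as request attributes, so do not leave it on longer than needed.
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
Restart-Service -Name CertSvc

# Check: the output should list EDITF_ATTRIBUTESUBJECTALTNAME2 among the set flags
certutil -getreg policy\EditFlags

# Undo after the certificate has been issued
certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
Restart-Service -Name CertSvc

### Option B: carry the SANs in the CSR, no CA flag required ###
# Run in the Exchange Management Shell on the Exchange 2010 server.
# -DomainName becomes a SAN extension inside the request, which the CA keeps
# for a template whose subject is "supplied in the request" (e.g. WebServer).
$subject = 'CN=mail.example.com, O=Example Ltd, C=GB'
$names   = 'mail.example.com', 'autodiscover.example.com', 'mail.corp.example.com', 'MAIL'

$csr = New-ExchangeCertificate -GenerateRequest -SubjectName $subject `
           -DomainName $names -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\exchange.req' -Value $csr

# Submit to the enterprise CA against the WebServer template
certreq -submit -config 'ca01\Contoso-CA' -attrib 'CertificateTemplate:WebServer' `
        'C:\certs\exchange.req' 'C:\certs\exchange.cer'

# Import the issued certificate and bind it to IIS (OWA and Outlook Anywhere)
$bytes = [byte[]](Get-Content -Path 'C:\certs\exchange.cer' -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Check: every requested name must be present in the issued certificate's SAN list,
# otherwise Outlook Anywhere clients will still see the CN-mismatch error.
$issued  = (Get-ExchangeCertificate -Thumbprint $cert.Thumbprint).CertificateDomains |
           ForEach-Object { $_.ToString() }
$missing = $names | Where-Object { $issued -notcontains $_ }
if ($missing) {
    throw "Issued certificate is missing SAN entries: $($missing -join ', ')"
}
```

Option B is the one to prefer for this question: the SANs travel inside the request, the CA needs no registry change, and the home PCs still need only the internal root CA certificate installed to trust the result. If you do use Option A, keep the -EDITF_ATTRIBUTESUBJECTALTNAME2 undo step, because the flag otherwise stays set for every future request the CA receives.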

User contributions licensed under CC BY-SA 3.0