Adding a VeriSign certificate


  • Adding a VeriSign certificate

    Hello, just wondering if anyone has a good walkthrough/article for adding a VeriSign certificate to an existing Exchange 2007 setup.
    We have had OWA/ActiveSync running through ISA 2006 to an Exchange 2007 CAS for a few years now and all works well; however, we don't want the clients to see the certificate error (due to it being from an internal CA and not a trusted RCA), hence the need to go to a VeriSign certificate. I am a total numpty when it comes to certificates, so I would like to know the following:

    • What type of certificate to get
    • Do I need one that uses multiple names (not sure what that means? Saw it on the VeriSign site, am guessing it's for having internal/external names)
    • How do I add it to the ISA server
    • Do I need to put the same certificate on all my internal CAS servers


    cheers,
    Hazey

  • #2
    Re: Adding a VeriSign certificate

    There are loads of articles on this forum and TechNet on what sort of certificate you need and what names it has to have; I can't remember what they are off the top of my head.

    In ISA Server you need to install the certificate to the computer's store and then change the Web Listener used by ISA Server for the OWA rule. You don't need to put the certificate on the CAS server, but it is recommended so you still have SSL internally from the ISA Server to the CAS server. HTTPS to HTTP bridging is possible but I wouldn't recommend it.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog



    • #3
      Re: Adding a VeriSign certificate

      If you haven't already purchased the certificate, you can get trusted certificates from other sources with the same level of client support for a lot less than Verisign's overpriced underspecified stuff.

      I once saved my client my entire consultancy fee for a multiple server migration by suggesting another provider.

      With regards to the certificate, for a standard Exchange installation the certificate details are on my blog here:
      http://blog.sembee.co.uk/post/Exchan...es-Take-2.aspx

      However, ISA complicates matters somewhat, because of how it publishes things. It isn't simply a matter of using the same certificate internally and externally, as I seem to recall that ISA doesn't like that. There are instructions on isaserver.org on how to deal with it.

      Simon.
      --
      Simon Butler
      Exchange MVP

      Blog: http://blog.sembee.co.uk/
      More Exchange Content: http://exchange.sembee.info/
      Exchange Resources List: http://exbpa.com/
      In the UK? Hire me: http://www.sembee.co.uk/

      Sembee is a registered trademark, used here with permission.



      • #4
        Re: Adding a VeriSign certificate

        D'oh, wasn't thinking straight earlier clearly and Sembee's comments have made me realise that. :blush:

        The internal certificate (i.e. the one on the CAS servers) should be for the internal name of the CAS server, as that is what ISA Server connects to internally when it bridges the request. So you'll need a certificate for CAS.domain.local or whatever your internal name is. I've had a look at our internal certificate (from our own PKI) and it's got the server DNS name, server NetBIOS name, external URL (webmail.domain.co.uk), autodiscover.domain.co.uk and domain.co.uk as the names on it. I didn't set it up, but everything works so I'm assuming that's right. We don't have a separate CAS server BTW, it's Exchange 2007 with everything integrated.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog
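
Added example, not part of any post in this thread: an Exchange Management Shell script that requests the internal CAS certificate with the kinds of names listed in post #4 and, once the issued certificate is imported, checks that none are missing before binding it to IIS. All host names, the subject and the file paths are placeholders, and `New-CasCertificateRequest` and `Test-CasCertificate` are hypothetical helper names.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2007 CAS.
# Every name and path below is a placeholder; substitute your own.
$required = @(
    'cas.domain.local',           # internal DNS name that ISA bridges to
    'cas',                        # NetBIOS name
    'webmail.domain.co.uk',       # external URL
    'autodiscover.domain.co.uk',
    'domain.co.uk'
)

# Step 1: create the request to submit to the CA. This certificate stays on
# the CAS, so the private key is not marked exportable.
function New-CasCertificateRequest($path) {
    New-ExchangeCertificate -GenerateRequest -Path $path `
        -SubjectName 'c=GB, o=Example Org, cn=cas.domain.local' `
        -DomainName $required -PrivateKeyExportable $false
}

# Step 2: after import, confirm the issued certificate carries every required
# name and is inside its validity period. Returns $true only if both hold.
function Test-CasCertificate($thumbprint) {
    $cert = Get-ExchangeCertificate -Thumbprint $thumbprint
    $have = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $missing = @($required | Where-Object { $have -notcontains $_.ToLower() })
    if ($missing.Count -gt 0) {
        Write-Warning ('Names missing from certificate: ' + [string]::Join(', ', $missing))
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning 'Certificate is outside its validity period'
        return $false
    }
    return ($missing.Count -eq 0)
}

# Usage (paths are placeholders):
#   New-CasCertificateRequest 'C:\certs\cas.req'
#   $c = Import-ExchangeCertificate -Path 'C:\certs\cas.cer'
#   if (Test-CasCertificate $c.Thumbprint) {
#       Enable-ExchangeCertificate -Thumbprint $c.Thumbprint -Services IIS
#   }
```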



        • #5
          Re: Adding a VeriSign certificate

          Thanks to you both, that has given me more than enough info to get started.

          cheers,
          hazey
