This is a great feature that I learned about in Exchange 2007. The post from msexchange.org forum where I posted a question about SSL certs with multiple subject alternative names is enclosed below.
Can anyone tell me when ISA 2006 will support this? This feature will make creating and using SSL certs for OWA, ActiveSync and RPC/HTTPS MUCH EASIER. As mentioned elsewhere, most organizations are single Exchange Server outlets (or at least single internal IIS outlets).
If anyone can point me to a person at MS I could consult on this, much appreciated. I am a security consultant who has customers (including me) that could make use of this feature!
Edward Ray CCIE Security, CISSP, GCIA, GCIH, MCSE+Security, PE
I would like to create an SSL certificate with multiple subject alternative names with my internal PKI so that I can use ISA Server 2006 to secure OWA and ActiveSync. Importing the root CA to different machines and PDAs is pretty simple, but my ActiveSync fails because the SSL cert issued has a common name associated with the internal domain. This is not a problem with OWA, as the warning can just be clicked through by users. It is ActiveSync which does not allow this.
I found a knowledge base article, http://support.microsoft.com/kb/931351 which shows a way to do this. By default, a CA that is configured on a Windows Server 2003-based domain controller does not issue certificates that contain the Subject Alternative Name (SAN) extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service. Press ENTER after each command.
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
I have completed this step on my Windows 2003 enterprise sub CA. I did not on my Windows 2003 standalone root CA, as it only issues one CA every two years to the enterprise Sub CA.
The rest of the article shows how to request the certificate via the Web GUI, and also via certreq. Another source shows how to create a request using "New-ExchangeCertificate" in the Exchange Management Shell. The Exchange Management Shell method would seem to be the better way to go. The Microsoft documentation at http://technet.microsoft.com/en-us/library/aaa995942.aspx is a little sketchy on details IMHO.
Has anyone created an SSL cert with multiple SANs using an internal Windows 2003 enterprise sub CA and could provide me with a detailed step-by-step or a web link?
The reason I need multiple subject names in my certificate is that the Exchange server resides internally, and is not accessible externally. The PKI is an internal PKI, and certificates are assigned with subject names based on the AD domain, which is *.local.
Active Sync and RPC/HTTPS will not support a certificate with a subject name that is not the FQDN; OWA via browser will present a warning which the user can click through.
Even though the public key of the root CA is in the Trusted Root store of the clients and the PDA, the subject name MUST match the FQDN. If the multiple subject alternative name feature is used, then Active Sync can work.
Alternatives are to purchase a certificate from a trusted third party, which is a waste of money since I already have PKI infrastructure and can export my public root key to any client I choose.
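The procedure the post above pieces together (enable the CA flag, build a request that carries the SAN extension, submit it to the enterprise sub CA, then confirm the issued certificate really contains the names) as one added walk-through. This is example code written for this page, not the KB article's or the poster's own commands; the hostnames, the CA config string "ca01.corp.local\Corp Issuing CA", the file paths and the WebServer template name are assumed placeholders.

```powershell
# Added example (not from the original post or KB 931351): requesting a SAN
# certificate from a Windows 2003 enterprise sub CA with certreq.
# All hostnames, paths and the CA config string below are assumed placeholders.

# 1. CA side, run once on the issuing CA: honour SAN attributes in requests.
#    (This is the step the post already performed; shown here for completeness.)
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

# 2. Client side: write a request .inf that embeds the SAN extension (OID 2.5.29.17)
#    so the names are part of the signed PKCS#10 request rather than a loose attribute.
#    Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=mail.example.com"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=mail.example.com&"
_continue_ = "dns=autodiscover.example.com&"
_continue_ = "dns=mail.corp.local&"
_continue_ = "dns=exch01.corp.local"

[RequestAttributes]
CertificateTemplate = WebServer
'@
Set-Content -Path C:\certs\san.inf -Value $inf

# 3. Generate the request, submit it to the enterprise sub CA, install the result.
certreq -new C:\certs\san.inf C:\certs\san.req
certreq -submit -config "ca01.corp.local\Corp Issuing CA" C:\certs\san.req C:\certs\san.cer
certreq -accept C:\certs\san.cer

# 4. Verify the CA kept the SAN entries before exporting the cert to ISA.
#    If the EditFlags step was skipped, this prints nothing.
certutil -dump C:\certs\san.cer | Select-String -Pattern "DNS Name="

# Alternative for step 3 from the Exchange 2007 Management Shell (the cmdlet the
# post mentions); the resulting .req is submitted with certreq -submit as above:
# New-ExchangeCertificate -GenerateRequest -SubjectName "CN=mail.example.com" `
#     -DomainName mail.example.com,autodiscover.example.com,mail.corp.local `
#     -PrivateKeyExportable $true -Path C:\certs\san.req
```

The check in step 4 matters because the CA silently strips SAN entries it is not configured to honour: the request succeeds, the certificate installs, and the failure only shows up later as an ActiveSync name-mismatch error.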
"The reason I need multiple subject names in my certificate is the exchange server resides internally, and is not accessible externally."
You need to generate a Certificate Signing Request (CSR) using the external name of the resource, not the internal FQDN of the server, e.g. www.external.net
"ActiveSync and RPC/HTTPS will not support a certificate with a subject name that is not the FQDN"
Well, ActiveSync/HTTPS will not support a certificate where the subject name does not match the name used in the original signing request, that's true, but IIS doesn't really care if you're foo.com or boo.com, irrespective of what your AD namespace is. If I generate a CSR on my web server for foo.com and then create a hosts entry on ISA for foo.com, I can now resolve incoming requests thru ISA for foo.com and forward the request to IIS. Of course, I'm assuming web publishing rules have been created and a copy of the SSL cert has been exported out of IIS and imported into ISA.
In short, don't assume you're pinned or bound to using your internal namespace.
Using your suggestion of an entry in the hosts file on the ISA Server 2006 along with a certificate with multiple subject alternative names I was able to get OWA, Outlook Anywhere and ActiveSync/OMA working on ISA Server 2006/Exchange Server 2007 using a single firewall rule. After importing the public key of my internal root CA, ActiveSync worked just fine on my Smartphone.
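The reply's point that the certificate must carry the external name ISA publishes, not just the internal FQDN, is easy to verify before the cert is exported to ISA. The script below is an added example, not part of the thread: it reads a certificate file, collects the common name plus every DNS entry in the SAN extension, and reports which of the names a publishing rule will answer for are missing. The file path and the list of required names are assumed placeholders.

```powershell
# Added example (not from the thread): confirm a certificate covers every public
# name the ISA web publishing rule will present. Path and names are placeholders.
$certPath      = 'C:\certs\san.cer'
$requiredNames = 'mail.example.com', 'autodiscover.example.com'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# Common name from the subject (SimpleName returns the CN value).
$cn = $cert.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

# Subject Alternative Name extension is OID 2.5.29.17; Format($true) renders it
# one entry per line as "DNS Name=<host>", which we parse back into a list.
$sanNames = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $sanNames = $sanExt.Format($true) -split "`r?`n" |
        ForEach-Object { if ($_ -match '^DNS Name=(.+)$') { $matches[1].Trim() } }
}

$present = @($cn) + $sanNames
"Certificate names: " + ($present -join ', ')
foreach ($name in $requiredNames) {
    if ($present -contains $name) { "OK       $name" } else { "MISSING  $name" }
}
```

Any MISSING line means ActiveSync and Outlook Anywhere clients connecting to that name will reject the certificate even with the internal root CA trusted, which is exactly the failure described at the top of the thread.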