Welcome to ISAserver.org
When will ISA 2006 support SSL Certs with multiple subject alternative names?
When will ISA 2006 support SSL Certs with multiple subj... - 13.Apr.2007 12:48:16 PM   
hunglikethor

 

Posts: 112
Joined: 12.Oct.2006
Status: offline
This is a great feature that I learned about in Exchange 2007. The post from msexchange.org forum where I posted a question about SSL certs with multiple subject alternative names is enclosed below.

Can anyone tell me when ISA 2006 will support this? This feature will make creating and using SSL certs for OWA, ActiveSync and RPC/HTTPS MUCH EASIER. As mentioned elsewhere, most organizations are single Exchange Server outlets (or at least single internal IIS outlets).

If anyone can point me to a person at MS I could consult on this, much appreciated. I am a security consultant who has customers (including me) that could make use of this feature!

Best Regards,

Edward Ray
CCIE Security, CISSP, GCIA, GCIH, MCSE+Security, PE


msexchange post:

I would like to create an SSL certificate with multiple subject alternative names with my internal PKI so that I can use ISA Server 2006 to secure OWA and ActiveSync. Importing the root CA to different machines and PDAs is pretty simple, but my ActiveSync fails because the SSL cert issued has a common name associated with the internal domain. This is not a problem with OWA, as the warning can just be clicked through by users. It is ActiveSync which does not allow this.

I found a knowledge base article, http://support.microsoft.com/kb/931351
which shows a way to do this. By default, a CA that is configured on a Windows Server 2003-based domain controller does not issue certificates that contain the Subject Alternative Name (SAN) extension. If SAN entries are included in the certificate request, these entries are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service. Press ENTER after each command.


certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

I have completed this step on my Windows 2003 enterprise sub CA. I did not on my Windows 2003 standalone root CA, as it only issues one CA every two years to the enterprise Sub CA.


The rest of the article shows how to request the certificate via the Web GUI, and also via certreq. Another source shows how to create a request using "New-ExchangeCertificate" in the Exchange Management Shell. The Exchange Management Shell method would seem to be the better way to go. The Microsoft documentation at http://technet.microsoft.com/en-us/library/aaa995942.aspx is a little sketchy on details IMHO.

Has anyone created a SSL cert with multiple SANs using an internal Windows 2003 enterprise subCA and could provide me with a detailed step-by-step or a web link?

Thanks in advance!


Edward Ray
Post #: 1
RE: When will ISA 2006 support SSL Certs with multiple ... - 13.Apr.2007 1:00:43 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Edward,

can you expand on why you need that feature?

With ISA 2006 I can happily publish Outlook Anywhere, Outlook Web Access and ActiveSync with *one* web listener and therefore *one* cert.

HTH,
Stefaan

(in reply to hunglikethor)
Post #: 2
RE: When will ISA 2006 support SSL Certs with multiple ... - 14.Apr.2007 11:55:18 PM   
hunglikethor

 

Posts: 112
Joined: 12.Oct.2006
Status: offline
The reason I need multiple subject names in my certificate is that the Exchange server resides internally, and is not accessible externally. The PKI is an internal PKI, and certificates are assigned with subject names based on the AD domain, which is *.local.

Active Sync and RPC/HTTPS will not support a certificate with a subject name that is not the FQDN; OWA via browser will present a warning which the user can click through.

Even though the  public key of the root CA is in the Trusted Root store of the clients and the  PDA,  the subject name MUST match the FQDN.  If the multiple subject alternative name feature is used, then  Active Sync can work.

Alternatives are to purchase a certificate from a trusted third party, which is a waste of money since I already have PKI infrastructure  and can export my public root key to any client I choose.

(in reply to spouseele)
Post #: 3
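The name-matching rule that makes Edward's internal-name certificate fail for ActiveSync (Post #1 and Post #3) is the one from RFC 2818 / RFC 6125: the host the client connects to must equal a dNSName in the Subject Alternative Name extension, and the Common Name is consulted only when no dNSName SAN is present. The script below is an added example, not code from the thread or from Microsoft; the certificate names in it are constructed, and the hostnames are placeholders.

```python
"""Client-side hostname matching against an X.509 certificate's names,
as ActiveSync or a browser performs it (RFC 2818 / RFC 6125 rules).
All certificate data here is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Identity-bearing fields of a certificate (constructed, not parsed)."""
    common_name: str
    san_dns: list[str] = field(default_factory=list)  # dNSName SAN entries


def _label_match(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with a hostname, case-insensitively.
    A single leading wildcard label is allowed: *.example.net matches
    owa.example.net but neither a.b.example.net nor example.net."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # The wildcard must replace exactly one label, and the remainder
        # must still have at least two labels (no "*.net" style patterns).
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def hostname_matches(cert: CertNames, hostname: str) -> bool:
    """True when the certificate is valid for `hostname`.
    When any dNSName SAN exists, the CN is ignored entirely, which is why
    a cert issued only for the internal AD name fails for the public name."""
    if cert.san_dns:
        return any(_label_match(name, hostname) for name in cert.san_dns)
    return _label_match(cert.common_name, hostname)


# Constructed: the cert the internal CA issued for the AD name only, and the
# same server's cert re-issued with SAN entries for the names devices use.
INTERNAL_ONLY = CertNames(common_name="exch01.corp.local")
WITH_SAN = CertNames(
    common_name="exch01.corp.local",
    san_dns=["exch01.corp.local", "mail.example.net", "autodiscover.example.net"],
)

if __name__ == "__main__":
    for cert in (INTERNAL_ONLY, WITH_SAN):
        print(cert.san_dns or cert.common_name,
              "->", hostname_matches(cert, "mail.example.net"))
```

Run against a real certificate, the same check explains the symptom in the thread: the device connects to the external name, so a cert whose only name is the internal FQDN is rejected regardless of whether the root CA is trusted.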
RE: When will ISA 2006 support SSL Certs with multiple ... - 28.Apr.2007 6:44:27 AM   
mylo

 

Posts: 144
Joined: 26.Mar.2002
Status: offline
Edward,

"The reason I need multiple subject names in my certificate is the exchange server resides internally, and is not accessible externally."

You need to generate a Certificate Signing Request (CSR) using the external name of the resource, not the internal FQDN of the server, e.g. www.external.net

"ActiveSync and RPC/HTTPS will not support a certificate with a subject name that is not the FQDN"

Well, ActiveSync/HTTPS will not support a certificate where the subject name does not match the name used in the original signing request, that's true, but IIS doesn't really care if you're foo.com or boo.com, irrespective of what your AD namespace is. If I generate a CSR on my web server for foo.com and then create a hosts entry on ISA for foo.com, I can now resolve incoming requests thru ISA for foo.com and forward the request to IIS. Of course, I'm assuming web publishing rules have been created and a copy of the SSL cert has been exported out of IIS and imported into ISA.

In short, don't assume you're pinned or bound to using your internal namespace.

Regards,
Mylo

(in reply to hunglikethor)
Post #: 4
RE: When will ISA 2006 support SSL Certs with multiple ... - 29.Apr.2007 5:10:17 AM   
hunglikethor

 

Posts: 112
Joined: 12.Oct.2006
Status: offline
Using your suggestion of an entry in the hosts file on the ISA Server 2006 along with a certificate with multiple subject alternative names I was able to get OWA, Outlook Anywhere and ActiveSync/OMA working on ISA Server 2006/Exchange Server 2007 using a single firewall rule.  After importing the public key of my internal root CA, ActiveSync worked just fine on my Smartphone.

(in reply to mylo)
Post #: 5
RE: When will ISA 2006 support SSL Certs with multiple ... - 30.Apr.2007 8:54:24 AM   
mylo

 

Posts: 144
Joined: 26.Mar.2002
Status: offline
Edward,

Excellent work!

Regards,
Mylo

(in reply to hunglikethor)
Post #: 6
