UCC/SAN Cert with SBS2008 - names required

Discussion in 'Windows Small Business Server' started by Cary Shultz, May 5, 2010.

  1. Cary Shultz

    Cary Shultz Guest

    Good evening!

    I am in the process of preparing for a SBS2003 to SBS2008 migration. I have
    done several of these so that process is very familiar to me.

    My question is regarding the UCC/SAN Cert for EXCH2007. I have prepared
    many UCC/SAN Certs for "normal" Exchange 2007 but have done only one for
    SBS2008 (my ex-colleague did the other three).

    What names are required for this?

    Let's assume the machine is called MYCORP-DC01 and that the internal DNS
    Domain Name is mymoney.local and that the external DNS Domain Name is
    mymoney.com. For "normal" EXCH2007 I would do the following:

    mail.mymoney.com
    autodiscover.mymoney.com
    mycorp-dc01
    mycorp-dc01.mymoney.local

    I might even throw in mymoney.com (not required, but I might do it).

    I know that SBS2008 is a different animal and that you need to do the
    WIZARDS for everything. Well versed in that. Very much aware that
    remote.mymoney.com is going to be the CN of the cert. What other names need
    to be on the SSL Cert?

    Thanks,

    Cary
    Cary Shultz, May 5, 2010
    #1

  2. Unless you have a need for a UCC cert, I don't recommend it. It only makes
    things more complicated. As you mentioned, sticking to the wizards is a
    *good* thing, and the wizards handle non-UCC certs just fine.

    http://blogs.technet.com/sbs/archiv...nstall-a-godaddy-certificate-on-sbs-2008.aspx

    Yes, this just links you over to Sean Daniel's blog, and I could've posted
    that directly, but I like the idea of getting people in the habit of
    searching the Official SBS Blog first, and this is an Official SBS Blog
    post.

    -Cliff
    Cliff Galiher - MVP, May 5, 2010
    #2

  3. Cary Shultz

    Cary Shultz Guest

    Cliff,

    Much appreciated. However, they have 25 sales people throughout Virginia
    and West Virginia and Washington DC and the Cert thing would be a *HUGE*
    issue for them (2/3 of the sales force is rather 'computer - illiterate').

    If we did decide to go with the UCC/SAN Cert what would you suggest? And, I
    will look at the Official SBS Blog....Thanks for that!

    Cary
    Cary Shultz, May 5, 2010
    #3
  4. Let me rephrase:

    Is there a reason you want to use a *UCC* certificate vs a regular 3rd-party
    "standard" SSL cert?

    A 3rd-party cert will still prevent certificate errors in the browser, does
    NOT require manually deploying any package (self-signed cert, etc) on client
    machines, and is as secure as a UCC/SAN cert. You should only be
    considering a UCC/SAN certificate if you have a valid need for multiple
    names attached to the certificate. For most SBS deployments this is *not*
    the case.

    -Cliff
    Cliff Galiher - MVP, May 5, 2010
    #4
  5. Cary Shultz

    Cary Shultz Guest

    Cliff,

    Understood. In the upcoming case - no, there is little to zero need for a
    UCC/SAN Cert. As always, thanks for steering me in the right direction.

    Cary
    Cary Shultz, May 5, 2010
    #5
  6. On Tue, 4 May 2010 22:33:41 -0400, "Cary Shultz"
    <> wrote:

    >Cliff,
    >
    >Understood. In the upcoming case - no, there is little to zero need for a
    >UCC/SAN Cert. As always, thanks for steering me in the right direction.
    >
    >Cary
    >


    Hi Cary,

    I hope all is well!

    FWIW, the only reason I can see multi names required is for remote
    sales folks using Outlook Anywhere on a non-joined machine, or for
    Windows Mobile handhelds. Droids and iPhones allow you to trust a
    non-public CA cert, but Windows Mobile is not so forgiving as well as
    Outlook.

    If this is the case, you may need the additional names. If so, you can
    run the wiz to add the single named cert, then use Exchange's shell to
    add the other info to IIS, etc, the cert has.

    Take a look at my blog on UCC/SAN certs. It was meant for non-SBS, but
    you may find it helpful.

    Exchange 2007 UC/SAN Certificate & Things to consider Choosing An
    Internal AD DNS Domain Name If Using Exchange 2007
    http://msmvps.com/blogs/acefekay/archive/2009/08/23/exchange-2007-uc-san-certificate.aspx

    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
    Ace Fekay [MVP - Directory Services, MCT], May 5, 2010
    #6
  7. Just as an FYI, outlook anywhere and activesync work just fine with a
    single-name certificate as long as you set up the appropriate SRV record in
    DNS for autodiscovery to work. You really don't need to spend the money on
    UCC unless you actually are trying to secure multiple resources, which in a
    normal SBS install is not the case.

    -Cliff
    Cliff Galiher - MVP, May 5, 2010
    #7
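
The single-name versus UCC/SAN question above, as an added example that is not part of the original thread or any Microsoft tooling: a Python check of which Autodiscover hostnames a certificate's name list covers when the service is published through a DNS SRV record. The SRV line and the two-name UCC list are constructed from the thread's placeholder names, and the wildcard rule (only a whole left-most label) is the usual convention, assumed here.

```python
# Added example. All names are the thread's placeholders, not real hosts.

def name_matches(pattern, host):
    """Match one certificate name against a hostname, case-insensitively.
    '*' is honoured only as the entire left-most label of a 3+ label name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def covered(cert_names, host):
    """True if any name on the certificate matches the host."""
    return any(name_matches(n, host) for n in cert_names)

def parse_srv(record):
    """Parse 'owner IN SRV priority weight port target' into (owner, port, target)."""
    fields = record.split()
    if len(fields) != 7 or fields[2].upper() != "SRV":
        raise ValueError("not a zone-file style SRV record")
    return fields[0].rstrip(".").lower(), int(fields[5]), fields[6].rstrip(".").lower()

def autodiscover_report(cert_names, smtp_domain, srv_record):
    """Return {hostname: covered?} for the two ways a client can be pointed
    at Autodiscover: the autodiscover.<domain> host and the SRV target."""
    owner, port, target = parse_srv(srv_record)
    if owner != f"_autodiscover._tcp.{smtp_domain}".lower() or port != 443:
        raise ValueError("SRV record does not publish HTTPS Autodiscover for this domain")
    hosts = [f"autodiscover.{smtp_domain}", target]
    return {h: covered(cert_names, h) for h in hosts}

# Constructed inputs built from the names used in the thread.
SINGLE_NAME = ["remote.mymoney.com"]                       # wizard-issued CN only
UCC = ["remote.mymoney.com", "autodiscover.mymoney.com"]   # multi-name alternative
SRV = "_autodiscover._tcp.mymoney.com. IN SRV 0 0 443 remote.mymoney.com."

if __name__ == "__main__":
    for label, names in (("single-name", SINGLE_NAME), ("UCC/SAN", UCC)):
        print(label, autodiscover_report(names, "mymoney.com", SRV))
```

With the single-name certificate only the SRV target is covered, so an HTTPS answer on autodiscover.mymoney.com would raise a name-mismatch warning; the SRV record sends clients to the name the certificate already carries.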
  8. On Wed, 5 May 2010 10:55:37 -0600, "Cliff Galiher - MVP"
    <> wrote:

    >Just as an FYI, outlook anywhere and activesync work just fine with a
    >single-name certificate as long as you set up the appropriate SRV record in
    >DNS for autodiscovery to work. You really don't need to spend the money on
    >UCC unless you actually are trying to secure multiple resources, which in a
    >normal SBS install is not the case.
    >
    >-Cliff
    >


    Very true, which was why I mentioned it wasn't geared for SBS. :)


    Ace
    Ace Fekay [MVP - Directory Services, MCT], May 6, 2010
    #8