UCC/SAN Cert with SBS2008 - names required

 
 
Cary Shultz

 
      05-04-2010

Good evening!

I am in the process of preparing for a SBS2003 to SBS2008 migration. I have
done several of these so that process is very familiar to me.

My question is regarding the UCC/SAN Cert for EXCH2007. I have prepared
many UCC/SAN Certs for "normal" Exchange 2007 but have done only one for
SBS2008 (my ex-colleague did the other three).

What names are required for this?

Let's assume the machine is called MYCORP-DC01 and that the internal DNS
Domain Name is mymoney.local and that the external DNS Domain Name is
mymoney.com. For "normal" EXCH2007 I would do the following:

mail.mymoney.com
autodiscover.mymoney.com
mycorp-dc01
mycorp-dc01.mymoney.local

I might even throw in mymoney.com (not required, but I might do it).

I know that SBS2008 is a different animal and that you need to do the
WIZARDS for everything. Well versed in that. Very much aware that
remote.mymoney.com is going to be the CN of the cert. What other names need
to be on the SSL Cert?

Thanks,

Cary


 
 
 
 
 
Cliff Galiher - MVP

 
      05-04-2010
Unless you have a need for a UCC cert, I don't recommend it. It only makes
things more complicated. As you mentioned, sticking to the wizards is a
*good* thing, and the wizards handle non-UCC certs just fine.

http://blogs.technet.com/sbs/archive...-sbs-2008.aspx

Yes, this just links you over to Sean Daniel's blog, and I could've posted
that directly, but I like the idea of getting people in the habit of
searching the Official SBS Blog first, and this is an Official SBS Blog
post.

-Cliff
 
 
 
 
Cary Shultz

 
      05-04-2010
Cliff,

Much appreciated. However, they have 25 sales people throughout Virginia
and West Virginia and Washington DC and the Cert thing would be a *HUGE*
issue for them (2/3 of the sales force is rather 'computer - illiterate').

If we did decide to go with the UCC/SAN Cert what would you suggest? And, I
will look at the Official SBS Blog....Thanks for that!

Cary
 
Cliff Galiher - MVP

 
      05-04-2010

Let me rephrase:

Is there a reason you want to use a *UCC* certificate vs a regular 3rd-party
"standard" SSL cert?

A 3rd-party cert will still prevent certificate errors in the browser, does
NOT require manually deploying any package (self-signed cert, etc) on client
machines, and is as secure as a UCC/SAN cert. You should only be
considering a UCC/SAN certificate if you have a valid need for multiple
names attached to the certificate. For most SBS deployments this is *not*
the case.

-Cliff
 
Cary Shultz

 
      05-05-2010
Cliff,

Understood. In the upcoming case - no, there is little to zero need for a
UCC/SAN Cert. As always, thanks for steering me in the right direction.

Cary
 
Ace Fekay [MVP - Directory Services, MCT]

 
      05-05-2010
On Tue, 4 May 2010 22:33:41 -0400, "Cary Shultz"
<> wrote:

>Cliff,
>
>Understood. In the upcoming case - no, there is little to zero need for a
>UCC/SAN Cert. As always, thanks for steering me in the right direction.
>
>Cary
>


Hi Cary,

I hope all is well!

FWIW, the only reason I can see multi names required is for remote
sales folks using Outlook Anywhere on a non-joined machine, or for
Windows Mobile handhelds. Droids and iPhones allow you to trust a
non-public CA cert, but Windows Mobile is not so forgiving as well as
Outlook.

If this is the case, you may need the additional names. If so, you can
run the wiz to add the single named cert, then use Exchange's shell to
add the other info to IIS, etc, the cert has.

Take a look at my blog on UCC/SAN certs. It was meant for non-SBS, but
you may find it helpful.

Exchange 2007 UC/SAN Certificate & Things to consider Choosing An
Internal AD DNS Domain Name If Using Exchange 2007
http://msmvps.com/blogs/acefekay/arc...rtificate.aspx

Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
 
 
Cliff Galiher - MVP

 
      05-05-2010
Just as an FYI, Outlook Anywhere and ActiveSync work just fine with a
single-name certificate as long as you set up the appropriate SRV record in
DNS for autodiscovery to work. You really don't need to spend the money on
UCC unless you actually are trying to secure multiple resources, which in a
normal SBS install is not the case.

-Cliff
 
Ace Fekay [MVP - Directory Services, MCT]

 
      05-06-2010
On Wed, 5 May 2010 10:55:37 -0600, "Cliff Galiher - MVP"
<> wrote:

>Just as an FYI, outlook anywhere and activesync work just fine with a
>single-name certificate as long as you set up the appropriate SRV record in
>DNS for autodiscovery to work. You really don't need to spend the money on
>UCC unless you actually are trying to secure multiple resources, which in a
>normal SBS install is not the case.
>
>-Cliff
>


Very true, which was why I mentioned it wasn't geared for SBS. :-)


Ace
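
The single-name versus UCC/SAN trade-off discussed in this thread, as an added example that is not part of any poster's message: a check of which client-facing host names a certificate covers, with and without an autodiscover SRV record. The function names and certificate name lists are constructed for illustration; the model is simplified to the two HTTPS endpoints an external client reaches and assumes autodiscover.mymoney.com is not published in DNS when the SRV record is used.

```python
# Added example: host names follow the thread's hypothetical mymoney.com setup.

def name_matches(pattern, host):
    """Match one certificate name against a host name, case-insensitively.
    A wildcard is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def client_hosts(mail_domain, remote_host, srv_target=None):
    """Hosts an external client connects to over HTTPS (simplified model).
    With an _autodiscover._tcp.<mail_domain> SRV record the client is sent
    to srv_target; without one it tries autodiscover.<mail_domain>."""
    autodiscover = srv_target or "autodiscover." + mail_domain
    return [remote_host, autodiscover]


def uncovered(cert_names, hosts):
    """Return the hosts that no name on the certificate covers.
    Each of these produces a name-mismatch warning on the client."""
    return [h for h in hosts
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed certificate name lists (CN plus any SAN entries).
SINGLE_NAME = ["remote.mymoney.com"]
UCC_SAN = ["remote.mymoney.com", "autodiscover.mymoney.com",
           "mycorp-dc01", "mycorp-dc01.mymoney.local"]

if __name__ == "__main__":
    no_srv = client_hosts("mymoney.com", "remote.mymoney.com")
    with_srv = client_hosts("mymoney.com", "remote.mymoney.com",
                            srv_target="remote.mymoney.com")
    print("single-name, no SRV  :", uncovered(SINGLE_NAME, no_srv))
    print("single-name, with SRV:", uncovered(SINGLE_NAME, with_srv))
    print("UCC/SAN, no SRV      :", uncovered(UCC_SAN, no_srv))
```

An empty list means every modelled endpoint presents a name the certificate covers, so the client sees no mismatch prompt.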
 