Prepare Your Network For Internal Name SSL Certificate Changes
In an effort to strengthen security by creating more stringent standards, the CA/Browser Forum (CAB) recently introduced new requirements for certificate issuance.
One of the changes is the elimination of certificates for internal names. After 2015, it is no longer possible to obtain a publicly trusted certificate for any host name that cannot be externally verified as owned by the organization requesting the certificate.
As a result, all Certificate Authorities must phase out the issuance of certificates for internal server names and reserved IP addresses by October 2016. In accordance with this new standard, DigiCert no longer issues internal name certificates that expire after November 1, 2015.
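To see which entries on an existing certificate fall under this rule, the following Python example (added here for illustration; it is not DigiCert's tool or code from this page) classifies subject alternative names as internal names, reserved IP addresses, or names that could still be publicly validated. The host names and the suffix list are constructed assumptions; the authoritative test for a name is whether it ends in a TLD from the IANA root zone database, which is not embedded here.

```python
import ipaddress

# Assumption: a short sample of suffixes often used for private namespaces.
# A complete check compares the last label against the IANA root zone list.
ASSUMED_INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".corp")

# Constructed sample: SAN list of a typical unified communications certificate.
SAMPLE_SANS = [
    "mail.example.com",
    "autodiscover.example.com",
    "EXCH01",
    "exch01.corp.local",
    "10.0.0.5",
]


def classify_san(entry):
    """Return 'reserved-ip', 'public-ip', 'internal-name' or 'public-candidate'."""
    value = entry.strip().rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # Private, loopback, link-local and other non-global ranges are reserved.
        return "public-ip" if ip.is_global else "reserved-ip"
    name = value[2:] if value.startswith("*.") else value
    if "." not in name:
        # Single-label (NetBIOS-style) names can never be externally verified.
        return "internal-name"
    if name.endswith(ASSUMED_INTERNAL_SUFFIXES):
        return "internal-name"
    # Still has to be confirmed against public DNS and the IANA TLD list.
    return "public-candidate"


def needs_reconfiguration(sans):
    """SAN entries a public CA can no longer certify under the rule above."""
    return [s for s in sans if classify_san(s) in ("internal-name", "reserved-ip")]


if __name__ == "__main__":
    for san in SAMPLE_SANS:
        print(f"{san:28} {classify_san(san)}")
    print("Must be replaced by external names:", needs_reconfiguration(SAMPLE_SANS))
```

Every entry this reports is a name that clients currently use to reach a server and that has to be replaced by an externally verifiable domain name before the certificate is renewed.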
DigiCert is Here to Help
Corporate users of unified communications certificates are most affected by this change since they need to reconfigure their network and certificates to reflect this new requirement.
However, our DigiCert Internal Name Tool for Microsoft Exchange provides an easy way for you to reconfigure your Exchange servers to comply with the new CAB requirements, regardless of whether you currently use DigiCert SSL Certificates.
Our goal is to make your transition to these new standards as painless as possible. Benefits of our Internal Name Tool include:
- Minimize potential downtime during reconfiguration
- Save time and money otherwise spent on manual configuration
- Ensure that nothing gets overlooked—including minor settings that you might not even know about
- Works for any Microsoft Exchange environment, even with non-DigiCert SSL Certificates
Using the Internal Name Tool
Step 1 - Prerequisites
Prior to running this tool, review the following requirements and complete the following tasks:
- Run this tool on one of the servers with the Exchange Client Access Server role. Your custom Exchange setup may have multiple servers with this role, but this tool only needs to be run on one of them.
- Run this tool as an admin with the Exchange "Organization Management" role. This is required to ensure access to the required commands.
- Install the certificate (and the corresponding private key) that contains the external domain names for all of the Client Access Servers in your environment.
- On each Client Access Server, assign your certificate to be used for IIS and any other desired roles.
- Set up a DNS record for the external domain you will secure with your certificate. The DNS record should return the private IP address that will be used by clients to access Exchange.
- If you plan on using a Client Access Array, we recommend that you set this up in advance with the domain name you are using when reconfiguring Exchange.
- Note that this tool does not currently support Exchange 2013. However, this functionality is in progress, so check back soon.
Step 2 - Download
Complete the form above. You will then receive an email with the download link.
Step 3 - Run the Program
Run the program on one of your Exchange Client Access Servers. The entire process should only take a few minutes, depending on your network.