Prepare Your Network For Internal Name SSL Certificate Changes
DigiCert Internal Name Tool
To reconfigure your Microsoft Exchange Servers to use domain names instead of internal names, we recommend using the DigiCert® Internal Name Tool.
For detailed Internal Name Tool instructions, visit our blog - Replace Your Certificates for Internal Names - Part II.
In an effort to strengthen security by creating more stringent standards, the CA/Browser Forum (CAB) recently introduced new requirements for certificate issuance.
One of the changes is the elimination of certificates for internal names. After 2015, it is impossible to obtain a publicly trusted certificate for any host name that cannot be externally verified as owned by the organization requesting the certificate.
As a result, all Certificate Authorities must phase out the issuance of certificates for internal server names and reserved IP addresses by October 2016. In accordance with this new standard, DigiCert no longer issues internal name certificates that expire after November 1, 2015.
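As an added example (not DigiCert code and not part of the Internal Name Tool), the following Python script flags the entries in a certificate's subject alternative name list that fall under this change: internal names and reserved IP addresses. The suffix list and the sample entries are constructed assumptions; a real audit would compare names against the current IANA root zone list.

```python
import ipaddress

# Assumption: constructed, non-exhaustive set of suffixes that are not
# delegated in the public DNS root. Replace with the IANA root zone list
# for a real audit.
NON_PUBLIC_SUFFIXES = {"local", "localdomain", "localhost", "lan", "internal",
                       "intranet", "corp", "home", "test", "example", "invalid"}


def classify_san(entry):
    """Return 'reserved-ip', 'public-ip', 'internal-name' or 'public-name'."""
    name = entry.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        addr = None
    if addr is not None:
        # is_global is False for private, loopback, link-local and other
        # reserved ranges, which cannot be verified as externally owned.
        return "public-ip" if addr.is_global else "reserved-ip"
    if name.startswith("*."):
        name = name[2:]  # judge a wildcard by its parent domain
    labels = name.split(".")
    # Single-label host names (e.g. a NetBIOS name) and names under a
    # non-public suffix cannot be validated by a public CA.
    if len(labels) == 1 or labels[-1] in NON_PUBLIC_SUFFIXES:
        return "internal-name"
    return "public-name"


def audit(entries):
    """Return (entry, kind) for every SAN entry affected by the change."""
    flagged = []
    for entry in entries:
        kind = classify_san(entry)
        if kind in ("reserved-ip", "internal-name"):
            flagged.append((entry, kind))
    return flagged


# Constructed sample SAN list for a hypothetical Exchange certificate.
SAMPLE_SANS = ["mail.example.com", "EXCH01", "exch01.corp.local", "10.1.2.3",
               "autodiscover.example.com", "8.8.8.8", "*.ad.internal"]

if __name__ == "__main__":
    for entry, kind in audit(SAMPLE_SANS):
        print(f"{kind:14} {entry}")
```

Every entry it reports needs to be replaced by a name under a publicly registered domain before the certificate is renewed.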
DigiCert is Here to Help
Corporate users of Multi-Domain (SAN) Certificates are most affected by this change since they need to reconfigure their network and certificates to reflect this new requirement.
However, our DigiCert Internal Name Tool for Microsoft Exchange provides an easy way for you to reconfigure your Exchange servers to comply with the new CAB requirements, regardless of whether you currently use DigiCert SSL Certificates.
Our goal is to make your transition to these new standards as painless as possible. Benefits of our Internal Name Tool include:
- Minimize potential downtime during reconfiguration
- Save time and money otherwise spent on manual configuration
- Ensure that nothing gets overlooked—including minor settings that you might not even know about
- Works for any Microsoft Exchange environment, even with non-DigiCert SSL Certificates
Using the Internal Name Tool
For more detailed Internal Name Tool instructions, please see our blog - Replace Your Certificates for Internal Names – Part II.
Step 1 - Prerequisites
Prior to running this tool, review the following requirements and complete the following tasks:
- Run this tool on one of the servers with the Exchange Client Access Server role. Your custom Exchange setup may have multiple servers with this role, but this tool only needs to be run on one of them.
- Run this tool as an admin with the Exchange "Organization Management" role. This is required to ensure access to the required commands.
- Install the certificate (and the corresponding private key) that contains the external domain names for all of the Client Access Servers in your environment.
- On each Client Access Server, assign your certificate to be used for IIS and any other desired roles.
- Set up a DNS record for the external domain you will secure with your certificate. The DNS record should return the private IP address that will be used by clients to access Exchange.
- If you plan on using a Client Access Array, we recommend that you set this up in advance with the domain name you are using when reconfiguring Exchange.
- This tool now supports Exchange 2013.
Step 2 - Download
Click HERE to download the DigiCert® Internal Name Tool.
Step 3 - Run the Program
Run the program on one of your Exchange Client Access Servers. The entire process should only take a few minutes, depending on your network.