Having just upgraded from Exchange 2003 to Exchange 2010, I'm attempting to create a certificate that can be used both internally and externally (by staff).
Previously with Exchange 2003, we didn't need a certificate for internal use, so we simply created a certificate from our internal CA, with the CN of our external hostname for OWA.
With Exchange 2010 though, Outlook is using RPC over HTTPS internally too. Unless I'm missing something, it appears as though the internal CA with Windows Server doesn't allow the creation of certificates with SANs. The certificate for internal use needs to be created by a trusted CA, which the Windows CA is.
But to allow staff's home PCs to connect via RPC over HTTPS, it seems to be impossible to configure Outlook to connect, as it fails with certificate error 0x00000010 (FLAG_CERT_CN_INVALID).
This would be rectified if I could include the external CN as a SAN.
As there is only a small handful of staff wanting to use Outlook anywhere, we'd rather not have to purchase an externally trusted SSL certificate. Is this possible, or do we need to spend some cash to achieve this objective?
You have to enable SANs on the CA server:
A Windows CA certainly can issue a certificate with a Subject Alternate Name, you just need to make a little tweak on the certificate server.
Run the following commands one after another in `cmd.exe` (you'll need to elevate on Windows Server 2008 or later). You should probably run through Security best practices for allowing SANs in certificates on TechNet before you do, for some things to be aware of.
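As an added example (not code from the original answer), here is the CA-side tweak the answer refers to, alongside a request that carries the SAN itself and the Exchange binding; the CA name `CA01\Corp-CA`, the `WebServer` template and the hostnames are assumptions.

```powershell
# Added example, not code from the original answer. Assumptions: an enterprise CA
# reachable as "CA01\Corp-CA", a "WebServer" template whose subject is supplied in
# the request, and hostnames mail.example.com (external) / mail.corp.local (internal).
# Step 1 runs elevated on the CA; steps 2-4 run elevated on the Exchange server.

# 1. CA-side tweak from the answer: let the CA honour a SAN passed as a request
#    attribute (certreq -submit -attrib "SAN:dns=..."). Caveat from the TechNet note:
#    with this flag set, any requester who can enroll a template can name any SAN, so
#    leave it off if the request carries its own SAN extension, as step 2 does.
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

# 2. Exchange-side request: the SAN (OID 2.5.29.17) travels inside the CSR, so it is
#    signed by the requesting machine's key rather than supplied as a loose attribute.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=mail.example.com"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

[RequestAttributes]
CertificateTemplate = WebServer

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=mail.example.com&"
_continue_ = "dns=mail.corp.local&"
_continue_ = "dns=autodiscover.example.com"
'@
Set-Content -Path C:\Temp\exch.inf -Value $inf -Encoding ASCII

certreq -new C:\Temp\exch.inf C:\Temp\exch.req
certreq -submit -config "CA01\Corp-CA" C:\Temp\exch.req C:\Temp\exch.cer
certreq -accept C:\Temp\exch.cer

# 3. Verify every name made it into the issued certificate before binding it.
certutil -dump C:\Temp\exch.cer | Select-String 'DNS Name='

# 4. Bind it to IIS (OWA / Outlook Anywhere) from the Exchange Management Shell.
$thumb = (Get-ExchangeCertificate | Where-Object { $_.Subject -eq 'CN=mail.example.com' }).Thumbprint
Enable-ExchangeCertificate -Thumbprint $thumb -Services IIS
```

Staff home PCs will only trust the result once the internal CA's root certificate is installed in their Trusted Root Certification Authorities store; until then Outlook Anywhere fails on the trust check rather than the name check.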