Exchange Server and SSL Certificate Changes
A number of changes have been made to the way SSL certificates are issued. Below are the impacts these changes will have on Exchange Servers. Let's see what has changed.
The certificate authorities and the browser vendors decided that certificates issued with an expiry date after 1st November 2015 will be restricted to internet-resolvable FQDNs only. This means we cannot have an SSL certificate with any of the following:
=> Single-name hosts (e.g. server, EX02)
=> Internal-only domains (e.g. server.domain.local)
=> Internal IP addresses
(The above applies to both the common name and the additional names, the subject alternative names, in the certificate.)
The most important thing is that if you have a certificate in use with an invalid name of the kind listed above, it will be revoked on 1st October 2016. If you have a certificate with internal names that is still valid after October 2016, it is advisable to get it re-keyed with the internal names removed; otherwise your certificate will be revoked.
Impact on Exchange Server:
Having said that we can no longer buy SSL certificates with internal or single host names, there is not much impact on the legacy version, Exchange 2003. The versions that will be affected are Exchange 2007, Exchange 2010 and Exchange 2013. When we configured SSL certificates for these versions of Exchange we included both internal and external names, because the Exchange 2007 configuration required the Exchange server's real name to be added. This is not the best way to configure web services; ideally users enter the same address internally as they do externally. So the only way to accommodate the SSL certificate changes is to set up split DNS.
Having said that, we need just two host names in the SSL certificate to support clients fully: host.domain.com and autodiscover.domain.com. By default, the certificate you get when setting up Exchange allows five names, which means the remaining three can be used for other servers on the same single certificate.
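The split DNS arrangement described above, as an added example that is not part of the original post: an internal copy of the public zone answers the two public names with the server's internal address, and every Exchange virtual directory is given that same public name as both its internal and external URL, so the server's real name no longer needs to be in the certificate. Everything here is an assumption for illustration: the zone domain.com, the Client Access server EX01 with internal IP 10.0.0.5, and mail.domain.com standing in for the post's host.domain.com. The DNS part uses the Windows Server DnsServer module and runs on a DC or DNS server; the Exchange part runs in the Exchange Management Shell (Exchange 2010/2013 cmdlets).

```powershell
# Added example, not code from the original post.
# Assumed names: public zone domain.com, CAS server EX01 at 10.0.0.5.
$PublicZone = 'domain.com'
$InternalIp = '10.0.0.5'
$Server     = 'EX01'
$Mail       = "mail.$PublicZone"           # stands in for host.domain.com in the post
$Autodisc   = "autodiscover.$PublicZone"

# --- Split DNS: an internal primary zone with the same name as the public zone ---
# Only the records clients need internally are created here. Any other public
# record (e.g. www) must be added as well, or internal users will stop resolving it.
if (-not (Get-DnsServerZone -Name $PublicZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $PublicZone -ReplicationScope Domain
}
foreach ($label in 'mail', 'autodiscover') {
    $existing = Get-DnsServerResourceRecord -ZoneName $PublicZone -Name $label -RRType A -ErrorAction SilentlyContinue
    if (-not $existing) {
        Add-DnsServerResourceRecordA -ZoneName $PublicZone -Name $label -IPv4Address $InternalIp
    }
}

# --- Exchange virtual directories: the same public URL inside and outside ---
Set-OwaVirtualDirectory         -Identity "$Server\owa (Default Web Site)" -InternalUrl "https://$Mail/owa" -ExternalUrl "https://$Mail/owa"
Set-EcpVirtualDirectory         -Identity "$Server\ecp (Default Web Site)" -InternalUrl "https://$Mail/ecp" -ExternalUrl "https://$Mail/ecp"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "https://$Mail/EWS/Exchange.asmx" -ExternalUrl "https://$Mail/EWS/Exchange.asmx"
Set-ActiveSyncVirtualDirectory  -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$Mail/Microsoft-Server-ActiveSync" -ExternalUrl "https://$Mail/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$Server\OAB (Default Web Site)" -InternalUrl "https://$Mail/OAB" -ExternalUrl "https://$Mail/OAB"
# Autodiscover for domain-joined Outlook clients uses the SCP, which must also point at a public name
Set-ClientAccessServer          -Identity $Server -AutoDiscoverServiceInternalUri "https://$Autodisc/Autodiscover/Autodiscover.xml"

# Verify: every URL should now carry $Mail and never the server's real name
Get-OwaVirtualDirectory -Server $Server | Select-Object Identity, InternalUrl, ExternalUrl
```

Once the internal zone exists, internal clients no longer see the public DNS for domain.com at all, so keep the internal zone's record set in step with the public one; the certificate can then be limited to the two public names.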
A few more changes we need to know about:
=> The maximum period for which a certificate can be issued is reduced to 39 months from April 2015.
=> Microsoft is planning to stop trusting SHA-1 certificates in 2017. You will start noticing warning messages in browsers for SHA-1 based certificates in 2016 itself. It is highly recommended that all SHA-1 certificates be replaced with SHA-2 based certificates by the end of 2015.
How to check if your certificate is SHA-1 or SHA-2:
=> Open the SSL certificate, either by browsing to the site and viewing the certificate from the browser's security page, or by opening it from the MMC Certificates console.
=> Click on the Details tab and look for "Signature Hash Algorithm".
=> The value shown tells you whether your certificate is SHA-1 (sha1) or SHA-2 (for example sha256).
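A scripted version of the two checks this post asks for, the internal-name rule from the first section and the SHA-1 check just described, as an added example that is not part of the original post. It walks the Local Computer personal store (where Exchange keeps its certificates), reads the common name and the Subject Alternative Name extension, flags single-label hosts, IP addresses and non-public suffixes, and reports certificates signed with SHA-1. The cut-off dates come from the post; the list of suffixes treated as internal is an assumption you can extend, and the function and variable names are mine.

```powershell
# Added example, not code from the original post.
$NameCutoff   = Get-Date '2015-11-01'   # internal names are not allowed in certificates expiring after this
$RevokeDate   = Get-Date '2016-10-01'   # certificates still carrying internal names are revoked on this date
$InternalTlds = @('local', 'internal', 'lan', 'corp')   # assumption: common non-public suffixes

function Test-InternalName {
    param([string]$Name)
    # A bare IP address is never an internet-resolvable FQDN
    if ([System.Net.IPAddress]::TryParse($Name, [ref]$null)) { return $true }
    $labels = $Name.Split('.')
    if ($labels.Count -lt 2) { return $true }                              # single-label host, e.g. EX02
    if ($InternalTlds -contains $labels[-1].ToLower()) { return $true }     # e.g. server.domain.local
    return $false
}

function Get-CertificateNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Common name from the subject
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    # Subject Alternative Name extension (OID 2.5.29.17); Format($true) yields one entry per line,
    # e.g. "DNS Name=mail.domain.com" or "IP Address=10.0.0.5"
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $san.Format($true) -split "`r?`n" | ForEach-Object {
            if ($_ -match '^(DNS Name|IP Address)=(.+)$') { $names += $Matches[2].Trim() }
        }
    }
    return $names | Select-Object -Unique
}

function Get-CertificateIssues {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $issues = @()
    $bad = @(Get-CertificateNames -Cert $Cert | Where-Object { Test-InternalName $_ })
    if ($bad.Count -gt 0 -and $Cert.NotAfter -gt $NameCutoff) {
        $issues += "internal names ($($bad -join ', ')) in a certificate valid until $($Cert.NotAfter.ToShortDateString()); revoked on $($RevokeDate.ToShortDateString()) unless re-keyed"
    }
    # FriendlyName is e.g. "sha1RSA" or "sha256RSA", the same value the Details tab shows as the hash
    if ($Cert.SignatureAlgorithm.FriendlyName -like 'sha1*') {
        $issues += "signed with $($Cert.SignatureAlgorithm.FriendlyName); replace with a SHA-2 certificate"
    }
    return $issues
}

# Audit every certificate in the Local Computer personal store and report only the problem ones
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $issues = Get-CertificateIssues -Cert $_
    if ($issues) {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            Issues     = ($issues -join '; ')
        }
    }
} | Format-List
```

On an Exchange server, compare the flagged thumbprints against `Get-ExchangeCertificate | Format-List Thumbprint, CertificateDomains, Services, NotAfter` to see which of them is actually bound to IIS, SMTP or other services and therefore needs to be re-keyed first.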
Ratish Nair
Microsoft MVP | Exchange Server
Team @MSExchangeGuru