
Can I create new self issued certs for different domain names?

Status
Not open for further replies.

EssoOil

Technical User
Jun 7, 2010
20
GB
Hi, I've read some really useful posts on here so I thought I'd register.

My question is... can I create additional certificates to allow domains other than the one specified in my SBS root certificate to access the services (OWA / RWW) on my SBS 2008?

Here's my problem.

When I installed SBS 2008 I entered my company name as xyz-company.com which means my server expects people to access OWA and R
https://remote.xyz-company.com/OWA
https://remote.xyz-company.com/remote

The problem is, due to restrictions with my hosting company I can't add an additional 'A record' on my domain to create a subdomain remote.xyz-company.com. I know I can use one of many DNS hosting companies to do this but this means our company website and emails might see some down time and I can't risk that (it's a busy time of year for orders).

To get around this I've used an old domain name we have and changed the only A record I'm allowed to change (the record) to point to my SBS 2008 IP. This works fine.

When I go to https://xyz-othername.com/OWA my web Outlook login screen appears and I can log in and use Outlook no problem. Of course I get the certificate error but OWA doesn't insist that a valid certificate is in place and still works (unlike Remote Web Workplace!!).

And this is where my problem lies. Remote Web Workplace needs a certificate to be installed on the client PC. This would be easy to do, but my SBS 2008 root authority certificate will have a different name from the domain I'll be connecting from.

This is because when I first ran the "Configure Email and Internet Connection Wizard" I entered xyz-company.com as my main domain. Therefore my root authority certificate will have this as the domain name and will expect any remote computer to be accessing it from xyz-company.com.


e.g.

name on SBS self issued root certificate will be remote.xyz-company.com
I'll be connecting from xyz-othername.com


My question (eventually - sorry...)

Can I create a new (or additional) certificate to allow xyz-othername.com to connect to my SBS?

Is it possible to have multiple certificates to allow different URLs to access SBS services?

I fully intend to add an additional A record so the connecting domain matches the one on the SBS root certificate but as I'm in control of the server surely I should be able to specify what domains should be allowed to access its services?

Any help or advice will be greatly appreciated.
 
Hi EssoOil,

The short answer to your question is yes, you can do this.

When you run the SetUp Internet Address wizard and choose your domain name ("xyz-company.com" in your case - you are using the default prefix "remote") it does a lot of work in the background. One of the silently performed tasks is creating a CSR (Certificate Signing Request), submitting it to the local Root Certificate Authority, getting and installing the automatically issued SSL certificate, and finally enabling it for the SMTP, POP, IMAP and IIS services.

This is a single name certificate which contains only "xyz-company.com" in the subject name.

Now, you can manually create a new CSR, which contains multiple Domain Names (this is what you need), then submit it to the local Root CA and again manually install and enable the issued certificate.

The tricky part is that if you follow the instructions for a standard Exchange 2007 installation, you will assign the certificate to the Default Web Site - that's what Exchange 2007 uses. In SBS 2008 Exchange 2007 uses a different web site. If you make this mistake, one of the web sites (in most cases this is the Web Applications one) will be stopped.

So, to avoid this mistake, once you download the issued certificate, install it in the local computer Store using the MMC Certificates Snap-in, and then use again the SBS 2008 Add certificate Getting Started task. You will see an option - assign an existing certificate. Choose that option and select the multiple Domain Name certificate.



Dean


Online Screencasts and Video-Tutorials
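
The name check behind the certificate error discussed in this thread, as an added example that is not part of the original posts: a client compares the host in the URL with the DNS names in the certificate the server presents, so a single-name certificate fails for a second domain while a multiple-name one passes. The certificate dicts are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns, using the thread's placeholder domains; the function names are hypothetical.

```python
# Added example: constructed certificates, placeholder domains from the thread.

def dns_names(cert):
    """Names a client checks: SAN dNSName entries if any, else the subject CN."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san  # when a SAN is present the CN is no longer consulted
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_match(pattern, host):
    """Case-insensitive label comparison; '*' may only be the whole first label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def host_matches(cert, host):
    return any(name_match(n, host) for n in dns_names(cert))

def coverage(cert, hosts):
    """Map each host a user might type to whether the certificate covers it."""
    return {h: host_matches(cert, h) for h in hosts}

# Constructed: single-name certificate, as the setup wizard issues.
SINGLE = {"subject": ((("commonName", "remote.xyz-company.com"),),)}

# Constructed: multiple-name certificate requested by hand from the same CA.
MULTI = {
    "subject": ((("commonName", "remote.xyz-company.com"),),),
    "subjectAltName": (("DNS", "remote.xyz-company.com"),
                       ("DNS", "xyz-othername.com")),
}

# Constructed edge case: the second name only in the CN, not in the SAN list.
CN_NOT_IN_SAN = {
    "subject": ((("commonName", "xyz-othername.com"),),),
    "subjectAltName": (("DNS", "remote.xyz-company.com"),),
}

HOSTS = ["remote.xyz-company.com", "xyz-othername.com"]

if __name__ == "__main__":
    for label, cert in (("single", SINGLE), ("multi", MULTI),
                        ("cn-not-in-san", CN_NOT_IN_SAN)):
        print(label, coverage(cert, HOSTS))
```

The check runs against whichever certificate the web site is bound to, so a certificate that only sits in the store does not change the result.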
 
Thanks for the reply Dean,

Were you talking about a self issued certificate (free) or a "pay-for" certificate?

I actually found an article on your website ( that sounds like exactly what I'm trying to achieve (but I'm not a subscriber - sorry)

Your website says "when you generate the certificate IIS7 Manager uses the default FQDN of the server. In most cases, the FQDN by which the server is accessed is different from the real name of the server. For example, the server used in the following Screencast is MBR-2k8.netometer.com, and the Web Site which is hosted on it, is accessed as When you generate a Self-Signed Certificate in IIS7 Manager, it is issued to Mbr-2k8.netometer.com. Step2 demonstrates the process of creating a Self-Signed Certificate in IIS7 Manager, and assigning it to your web site.

Last night I created a new domain certificate and entered xyz-othername.com as the common name. When I looked at the certificate store this new certificate was there and had the new common name xyz-othername.com (the original certificate had the name xyz-company.com). I thought great. I used the MMC to load the certificate snap-in and exported the new certificate and imported it into my Windows XP PC. This all went well. However when I went to and tried to access Remote Web Workplace I got the same message "To connect to Remote Web Workplace you must install the proper certificate". The certificate for xyz-othername.com was installed but obviously I've done something wrong.

When I clicked on the error the certificate details were as follows:-
Issued to: remote.xyz-company.com
Issued by: xyz-company-servername-CA

I thought that this new certificate for xyz-othername.com was a "leaf" certificate signed by my master root certificate so it would work?

Is there a way I can change the issued common name in the root certificate without affecting emails and other settings? If I re-ran the "Setup your internet address wizard" and entered xyz-othername.com would this create a new certificate with the correct name? But would it also change all my emails addresses and other details too?

Your article says use SelfSSL.exe but when I ran this it asked if I wanted to overwrite website #1 but I panicked a bit so didn’t proceed.

All my emails for xyz-company.com work fine as does everything else. I'm obviously reluctant to change anything that will give everything on my SBS a new domain name.

I just want a new self-signed certificate that allows me to connect to xyz-company.com from the URL xyz-othername.com.

I thought I knew about PCs and servers until I got involved with certificates!!!

Your advice is appreciated.
 