Forum Discussion

Max_West_64748
Aug 06, 2010

Exchange 2007 Certificate Generation.

Hi All,

This is probably a very simple question, but after reading through the Exchange 2007 Deployment guide I can't seem to find a section that covers it off for myself; they glance over the actual creation of certs, mentioning it should already be purchased. (My F5 knowledge is limited.)

Basically, in our current set up we are simply using the Exchange self-signed cert.

We want to go about configuring Exchange 2007 through our BIG-IP, which includes Outlook Anywhere, OWA, Autodiscover and possibly ActiveSync, using SSL offloading.

To do this we're going to purchase a certificate through Verisign for this purpose, to ensure it is supported by mobile devices with minimal fuss.

The question I need cleared up is around the initial generation of the certificate request, to ensure we set it up correctly.

My understanding is we would generate the request for the cert from Exchange with our various required URLs, e.g. mail.domain.com.au, autodiscover.domain.com.au etc., and our two CAS servers CAS1.local, CAS2.local etc. Verisign would then generate the cert from our request and supply it to us.

We would then use the cert while following the deployment guide "Deploying F5 with Microsoft Exchange Server 2007".

The confusion is around whether the BIG-IP needs to be included in the certificate generation process at all, or whether it is all done on our Exchange with no reference to the F5 and then simply uploaded.

Any help about the "best" configuration would be fantastic, since we have a chance to set it up right from the beginning.

Cheers,

Adam

3 Replies

  • Hi Adam,

    I don't think you can get a CA-signed cert for internal domains like .local. Or have I misread what you were stating?

    If you have multiple subdomains on the same domain, you could either get a UCC cert which is valid for each explicit subdomain, or get a wildcard cert that's valid for all subdomains like *.domain.com.au.

    If you want LTM to do SSL offloading for you, you'd want to request the cert in PEM format. Or in 10.2 you can upload a PKCS cert as well. Or lastly, you could take any format and convert it using openssl on LTM.

    Also, these days, most major CA certs are recognized by most devices, assuming you configure the correct intermediate CA cert. Verisign seems to charge an arm and a leg just because they can. Most CAs will give you a demo cert that you can use to test chaining for specific clients.

    Aaron
  • Thanks for the reply Aaron.

    A bit of background might help out as well. Feel free to tell me if I'm going about this the wrong way completely!

    Our internal domain is "domain1.com.au", which unfortunately we don't own (someone else does, something legacy that's been inherited). I believe this means we have to get a Domain Authorisation Letter to have anything "domain1.com.au" on the cert, which I don't think will happen.

    Instead I am using split DNS (which I've set up specifically for this purpose) to resolve our external domain (domain2.com.au) internally for the addresses we'll need for Exchange, e.g. owa.domain2.com.au, autodiscover.domain2.com.au and mail.domain2.com.au.

    Does that sound reasonable?

    I'd then go and generate the cert request from one of my CAS servers with something along the lines of this:

    New-ExchangeCertificate -GenerateRequest -Path c:\filepath.csr -DomainName cas1, cas2, mail.domain2.com.au, autodiscover.domain2.com.au, owa.domain2.com.au -FriendlyName "Exchange Hosting SAN Certificate" -KeySize 1024 -PrivateKeyExportable:$true -SubjectName "c=au, o=company, cn=domain2.com.au"

    I've included both CAS servers. Is that correct?

    I'd then submit the CSR to Verisign (I know they're overpriced; company policy preferred CA).

    When I get the cert back, I import it into our BIG-IP as per the deployment guide, and go about configuring Exchange to work without doing the SSL component?

    I realise this has been long, thanks again for your help.

    Cheers,

    Adam

  • Hi Adam,

    That looks about right, but I don't think a public CA will sign a cert without fully qualified domain names (i.e., I don't think you'll be able to use cas1 cas2).

    Aaron
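As an added example (not from the thread or from F5), this script shows the same CSR step done with openssl on the LTM shell, as Aaron suggests, and then checks the resulting request for the point raised in the last reply: every SAN must be a fully qualified name before it goes to a public CA. It assumes openssl is installed; the hostnames are the domain2.com.au placeholders from the thread, and the output paths are arbitrary.

```shell
#!/bin/sh
# Added example, not from the forum thread. Generates a SAN CSR with openssl
# and verifies the SAN list before submission to the CA.
set -e

# Generate a private key and CSR whose SANs are the given hostnames.
# $1 = output file prefix, remaining args = hostnames (first one becomes the CN).
make_san_csr() {
  prefix=$1; shift
  cn=$1
  san=""
  for h in "$@"; do san="${san:+$san,}DNS:$h"; done
  cfg=$(mktemp)
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
C = AU
O = Company
CN = $cn
[ext]
subjectAltName = $san
EOF
  # PEM key and request, which is the format LTM wants for SSL offload.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$prefix.key" -out "$prefix.csr" -config "$cfg" 2>/dev/null
  rm -f "$cfg"
}

# Print the DNS SANs found in a CSR, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# Succeed only if every SAN contains a dot, i.e. is an FQDN rather than a
# bare host name such as cas1, which a public CA will refuse to sign.
sans_are_fqdn() {
  csr_sans "$1" | grep -qv '\.' && return 1
  return 0
}
```

Run `make_san_csr /tmp/exch mail.domain2.com.au autodiscover.domain2.com.au owa.domain2.com.au` and then `sans_are_fqdn /tmp/exch.csr` before uploading the CSR to the CA.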