Hi all,

I have Exchange Server 2007 (Version: 08.01.0240.006) installed on a single
server. Everything has worked fine for a year. I have to enable Active Sync
from Exchange to some PDAs. I've done it successfully from the LAN, but when I
try to do Active Sync from the internet I get a certificate error from the
PDA.
I suppose that the trouble is the certificate used by IIS: this certificate
is issued to ex-js-01, which is the NetBIOS name of my Exchange server. I think
I need a certificate for my Exchange server's external DNS name
(https://my-firm.com). How can I do this?

Re: Active Sync and Certificates by Christoph

Christoph
Fri Mar 14 06:38:26 CDT 2008

On Fri, 14 Mar 2008 11:54:52 +0100, Andrea Caldarone wrote:

> Hi all,
>
> I have Exchange Server 2007 (Version: 08.01.0240.006) installed on a single
> server. Everything has worked fine for a year. I have to enable Active Sync
> from Exchange to some PDAs. I've done it successfully from the LAN, but when I
> try to do Active Sync from the internet I get a certificate error from the
> PDA.
> I suppose that the trouble is the certificate used by IIS: this certificate
> is issued to ex-js-01, which is the NetBIOS name of my Exchange server. I think
> I need a certificate for my Exchange server's external DNS name
> (https://my-firm.com). How can I do this?

basically you can read everything about it in the article below.
http://technet.microsoft.com/en-us/library/aa998327(EXCHG.80).aspx

you should consider using an official certification authority as some PDAs
do not allow importing self-signed root certificates (I know a few HTC
devices locked by the provider). also - you should consider using a
certificate with subject alternative names containing the following names:

NetBios of your internal Servername
FQDN of your internal Servername
FQDN of your external Servername
autodiscover.yourdomain.com

BG Christoph
--
If you dont want the milk to get sour...keep it in the cow
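
An added example, not part of the original posts: a PowerShell check of which names clients connect to are missing from a certificate's name list, the mismatch behind the error on the PDA. The host names and the helper functions Test-NameCovered and Get-UncoveredName are constructed for illustration.

```powershell
# Added example: reports which client-facing names a certificate does NOT cover.
# All host names below are constructed placeholders.

function Test-NameCovered {
    param([string]$Name, [string[]]$CertificateDomains)
    foreach ($entry in $CertificateDomains) {
        if ($entry -ieq $Name) { return $true }
        # A wildcard entry (*.example.com) matches exactly one leftmost label.
        if ($entry.StartsWith('*.')) {
            $suffix = $entry.Substring(1)   # ".example.com"
            if ($Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-UncoveredName {
    param([string[]]$RequiredNames, [string[]]$CertificateDomains)
    $RequiredNames | Where-Object {
        -not (Test-NameCovered -Name $_ -CertificateDomains $CertificateDomains)
    }
}

# Names clients connect to (constructed):
# NetBIOS name, internal FQDN, external FQDN, autodiscover
$required = 'ex-js-01', 'ex-js-01.corp.example', 'mail.example.com', 'autodiscover.example.com'

# Certificate issued only to the NetBIOS name, as in the original question
$netbiosOnly = @('ex-js-01')
# SAN certificate listing every name
$sanCert = 'mail.example.com', 'autodiscover.example.com', 'ex-js-01.corp.example', 'ex-js-01'

"NetBIOS-only certificate is missing: " + ((Get-UncoveredName $required $netbiosOnly) -join ', ')
"SAN certificate is missing: " + ((Get-UncoveredName $required $sanCert) -join ', ')

# On the Exchange server the real list can come from the certificate enabled for IIS
# (assumes each CertificateDomains entry converts to its host name via ToString()):
# Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | ForEach-Object {
#     Get-UncoveredName $required ($_.CertificateDomains | ForEach-Object { $_.ToString() })
# }
```
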

Re: Active Sync and Certificates by Andrea

Andrea
Fri Mar 14 09:15:25 CDT 2008

> you should consider using an official certification authority as some PDAs
> do not allow importing self-signed root certificates (I know a few HTC
> devices locked by the provider). also - you should consider using a
> certificate with subject alternative names containing the following names:
>
> NetBios of your internal Servername
> FQDN of your internal Servername
> FQDN of your external Servername
> autodiscover.yourdomain.com
>
> BG Christoph
> --
> If you dont want the milk to get sour...keep it in the cow

Thank you for the answer. I think that a self-signed certificate works for me
because all the PDAs I have to manage are not locked by their provider. I would
be very happy if you could explain to me the correct syntax of the cmdshell
New-ExchangeCertificate, see if I'm right:

New-ExchangeCertificate "c=IT, o=My company,
cn=mail.my-externaldomain.com" -DomainName my-externaldomain.com,
my-internaldomain.local, my-server-netbiosname,
autodiscover.my-externaldomain.com

thank you


Re: Active Sync and Certificates by Jamestechman

Jamestechman
Fri Mar 14 09:53:44 CDT 2008

Here is an example syntax.

New-ExchangeCertificate -DomainName e2k7s04.exchangehosting.dk, autodiscover.exchangehosting.dk, mobile.exchangehosting.dk `
    -FriendlyName "Exchange Hosting DK SAN Certificate" -GenerateRequest:$True `
    -Keysize 1024 -path c:\Exchangehosting.txt -privatekeyExportable:$true `
    -subjectName "c=dk, o=Henrik Walther, CN=Exchangehosting.dk"


Securing an Exchange 2007 Client Access Server using a 3rd party SAN
Certificate
http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html



James Chong (MVP)
MCITP | EMA; MCSE | M+, S+,
Security+, Project+, ITIL
msexchangetips.blogspot.com

On Mar 14, 10:15 am, "Andrea Caldarone" <andrea.caldar...@poste.it>
wrote:
> > you should consider using an official certification authority as some PDAs
> > do not allow importing self-signed root certificates (I know a few HTC
> > devices locked by the provider). also - you should consider using a
> > certificate with subject alternative names containing the following names:
>
> > NetBios of your internal Servername
> > FQDN of your internal Servername
> > FQDN of your external Servername
> > autodiscover.yourdomain.com
>
> > BG Christoph
> > --
> > If you dont want the milk to get sour...keep it in the cow
>
> Thank you for the answer. I think that a self-signed certificate works for me
> because all the PDAs I have to manage are not locked by their provider. I would
> be very happy if you could explain to me the correct syntax of the cmdshell
> New-ExchangeCertificate, see if I'm right:
>
> New-ExchangeCertificate "c=IT, o=My company,
> cn=mail.my-externaldomain.com" -DomainName my-externaldomain.com,
> my-internaldomain.local, my-server-netbiosname,
> autodiscover.my-externaldomain.com
>
> thank you


Re: Active Sync and Certificates by Christoph

Christoph
Fri Mar 14 11:09:36 CDT 2008

On Fri, 14 Mar 2008 07:53:44 -0700 (PDT), Jamestechman wrote:

> Here is an example syntax.
>
> New-ExchangeCertificate -DomainName e2k7s04.exchangehosting.dk, autodiscover.exchangehosting.dk, mobile.exchangehosting.dk `
>     -FriendlyName "Exchange Hosting DK SAN Certificate" -GenerateRequest:$True `
>     -Keysize 1024 -path c:\Exchangehosting.txt -privatekeyExportable:$true `
>     -subjectName "c=dk, o=Henrik Walther, CN=Exchangehosting.dk"
>
>
> Securing an Exchange 2007 Client Access Server using a 3rd party SAN
> Certificate
> http://www.msexchange.org/articles_tutorials/exchange-server-2007/mobility-client-access/securing-exchange-2007-client-access-server-3rd-party-san-certificate.html
>

there is nothing more to say about it :)

LG Christoph
--
If you dont want the milk to get sour...keep it in the cow