What’s Changing, Exactly?
The Internet security community, through the CA/Browser Forum Baseline Requirements, is phasing out the use of internal names and reserved (non-public) IP addresses as the Common Name or Subject Alternative Names (SANs) in publicly trusted SSL certificates. Any internal names you have configured will need to be changed, or the services you rely on them to secure will be interrupted when the certificate can no longer be issued or renewed.
What Is an Internal Name?
In this context, an internal name is any name that cannot be guaranteed to be a globally unique identifier for a network resource: a single-label host name, a name under a suffix that is not registered in public DNS (such as .local), or a reserved IP address. A mail server on your intranet that is addressed by such a name can instead be given a publicly registered FQDN such as
mail.mydomain.com using the instructions below.
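A quick way to find out whether you are affected is to classify every name on the certificates Exchange already knows about. The script below is an added example, not part of the original article; it runs in the Exchange Management Shell, and the list of non-public suffixes it checks is an illustrative assumption rather than the authoritative public-suffix list.

```powershell
# Added example, not from the original article.
# Classifies a certificate name as "internal" (single-label host, non-public
# suffix, or reserved IP address) and audits the names on Exchange certificates.
# Assumption: the suffix list below is illustrative, not the public-suffix list.

function Test-InternalName {
    param([Parameter(Mandatory = $true)][string]$Name)

    $n = $Name.Trim().TrimEnd('.').ToLowerInvariant()

    # IP address literal: flag private, loopback and link-local ranges.
    $ip = $null
    if ([System.Net.IPAddress]::TryParse($n, [ref]$ip)) {
        if ($ip.AddressFamily -eq 'InterNetwork') {
            $b = $ip.GetAddressBytes()
            return ($b[0] -eq 10) -or
                   ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
                   ($b[0] -eq 192 -and $b[1] -eq 168) -or
                   ($b[0] -eq 127) -or
                   ($b[0] -eq 169 -and $b[1] -eq 254)
        }
        # IPv6: loopback, link-local (fe80::/10) and unique-local (fc00::/7).
        return $ip.Equals([System.Net.IPAddress]::IPv6Loopback) -or
               $ip.IsIPv6LinkLocal -or
               (($ip.GetAddressBytes()[0] -band 0xFE) -eq 0xFC)
    }

    # A single-label host name such as EXCH-01 is never globally unique.
    if ($n -notmatch '\.') { return $true }

    # Suffixes that are not delegated in public DNS (illustrative list).
    $nonPublicSuffixes = @('.local', '.localhost', '.internal', '.lan', '.corp', '.home', '.intranet')
    foreach ($suffix in $nonPublicSuffixes) {
        if ($n.EndsWith($suffix)) { return $true }
    }
    return $false
}

# Lists every name on an Exchange certificate that a public CA will no longer issue.
function Get-InternalCertificateNames {
    Get-ExchangeCertificate | ForEach-Object {
        $cert = $_
        $cert.CertificateDomains | Where-Object { Test-InternalName "$_" } | ForEach-Object {
            [pscustomobject]@{
                Thumbprint   = $cert.Thumbprint
                Services     = $cert.Services
                InternalName = "$_"
            }
        }
    }
}

# Constructed sample inputs (not real hosts):
#   Test-InternalName 'server.local'          -> True
#   Test-InternalName 'EXCH-01'               -> True
#   Test-InternalName '192.168.1.10'          -> True
#   Test-InternalName 'mail.coolexample.com'  -> False
Get-InternalCertificateNames | Format-Table -AutoSize
```

Any row that comes back with Services containing IIS is the certificate Outlook and browsers see, so those names are the ones to replace first.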
How Can I Prepare for This Change?
If you use an internal name or IP address for an SSL certificate hosted on a Microsoft® Exchange Server, you can meet CA/Browser Forum guidelines by reconfiguring your server to use a fully qualified domain name (FQDN) that resolves in public DNS and appears on your certificate. For example, you can change the internal name
server.local to an FQDN such as mail.coolexample.com (the name used in the samples below).
If you haven’t already done so, to ensure that internal Autodiscover continues to work, you must create a zone for your domain (coolexample.com in these examples) on your internal DNS server, with A records for
autodiscover.coolexample.com and mail.coolexample.com that point to your server’s internal IP address (split-brain DNS). These must be A or CNAME records: an MX record names a mail exchanger host and cannot carry an IP address, and Autodiscover does not consult MX records.
The code samples below use the following placeholders:
- Replace mail.coolexample.com with your FQDN.
- Replace Your_Server_Name (for example, EXCH-01) with the actual name of your server.
Re-configuring Microsoft Exchange Server to Use a Fully Qualified Domain Name
- Start the Exchange Management Shell.
- To change the Autodiscover URL, type the following command, and then press Enter:
Set-ClientAccessServer -Identity Your_Server_Name -AutodiscoverServiceInternalUri https://mail.coolexample.com/autodiscover/autodiscover.xml
- To change the InternalUrl attribute of the EWS, type the following command, and then press Enter:
Set-WebServicesVirtualDirectory -Identity "Your_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.coolexample.com/ews/exchange.asmx
- To change the InternalUrl attribute for Web-based Offline Address Book distribution, type the following command, and then press Enter:
Set-OABVirtualDirectory -Identity "Your_Server_Name\oab (Default Web Site)" -InternalUrl https://mail.coolexample.com/oab
- If you use the Unified Messaging service in Exchange Server 2007: To change the InternalUrl attribute of the UM Web service, type the following command, and then press Enter:
Set-UMVirtualDirectory -Identity "Your_Server_Name\unifiedmessaging (Default Web Site)" -InternalUrl https://mail.coolexample.com/unifiedmessaging/service.asmx
- To recycle the application pools, open IIS Manager.
- Expand the local computer, and then expand Application Pools.
- Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.
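The whole procedure above, with the checks a practitioner would want afterwards, as one script. This is an added example, not part of the original article: it assumes it is run in the Exchange Management Shell on the server itself, that the WebAdministration and DnsClient modules are available (Windows Server 2012 or later; on older servers use IIS Manager and nslookup for the last two steps), and the server name, FQDN and internal IP address are placeholders you must replace.

```powershell
# Added example, not from the original article. Placeholders are assumptions:
$Server     = 'EXCH-01'                # your server's name
$Fqdn       = 'mail.coolexample.com'   # the FQDN on your certificate
$InternalIp = '10.0.0.25'              # placeholder: the server's internal IP
$Base       = "https://$Fqdn"
$Domain     = $Fqdn.Split('.', 2)[1]   # coolexample.com

# 1. Autodiscover URL published in the Active Directory service connection point.
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "$Base/autodiscover/autodiscover.xml"

# 2. Exchange Web Services.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" -InternalUrl "$Base/ews/exchange.asmx"

# 3. Web-based Offline Address Book distribution.
Set-OABVirtualDirectory -Identity "$Server\oab (Default Web Site)" -InternalUrl "$Base/oab"

# 4. Unified Messaging web service, only where that virtual directory exists.
if (Get-UMVirtualDirectory -Server $Server -ErrorAction SilentlyContinue) {
    Set-UMVirtualDirectory -Identity "$Server\unifiedmessaging (Default Web Site)" -InternalUrl "$Base/unifiedmessaging/service.asmx"
}

# Check 1: no internal URL may still point at a host other than the FQDN.
function Get-RemainingInternalUrls {
    $urls = @()
    $urls += (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    $urls += (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
    $urls += (Get-OABVirtualDirectory -Server $Server).InternalUrl
    $urls | Where-Object { $_ -and ([uri]$_).Host -ne $Fqdn }
}
$leftover = Get-RemainingInternalUrls
if ($leftover) { Write-Warning "Still pointing at a non-FQDN host: $($leftover -join ', ')" }

# Check 2: the certificate bound to IIS must cover the FQDN and the Autodiscover name,
# otherwise Outlook shows a certificate warning as soon as the new URLs are used.
$needed   = @($Fqdn, "autodiscover.$Domain")
$iisNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLowerInvariant() }
foreach ($name in $needed) {
    if ($iisNames -notcontains $name) { Write-Warning "IIS certificate does not cover $name" }
}

# Check 3: split DNS. Inside the network both names must resolve to the internal address.
foreach ($name in $needed) {
    $answer = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
    if (-not $answer -or ($answer.IPAddress -notcontains $InternalIp)) {
        Write-Warning "$name does not resolve internally to $InternalIp; add an A record in the internal zone for $Domain"
    }
}

# 5. Recycle the Autodiscover application pool (the IIS Manager step above).
Import-Module WebAdministration
Restart-WebAppPool -Name 'MSExchangeAutodiscoverAppPool'
```

The three checks are the ones that catch the usual failure modes after this change: a URL that was missed, a certificate that was reissued without the Autodiscover name, and an internal DNS zone that was never created, which sends intranet clients out to the public address.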