Intranet Subject Alt Names for Exchange SSL Certificates

So you were using a SHA1 SSL certificate on your Microsoft Exchange server and you get an email letting you know that SHA1 is no longer a secure cryptographic hash. Or perhaps your current SSL certificate is about to expire and you just want to throw a new one in there and call it good. Well, too bad! More than likely you're like me and you have intranet subject alt names on your certificate, e.g. "MailServ1" for your internal URL, and public CAs no longer support issuing certificates for those names.

Why now?

Well, the folks in charge of updating the web security standards got together and decided that it was in everyone's best interest to boost the web's security. More info can be found on most public certificate authorities' websites. Overall it's a super important job they do: SHA1 is totally broken, and sites like http://hashkiller.co.uk have cracked over 131 billion SHA1 hashes.

Well, that's good to know, but why can't I use internal names on my SSL certificate?

First of all, that is a fantastic question! The answer is basically that internal server names aren't unique, so man-in-the-middle attacks can work against your Exchange server: an attacker could request a certificate from the CA (certificate authority) for the same intranet name, and there is no public DNS record that would let the CA tell whose "MailServ1" it is.
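Before ordering a replacement, it helps to know exactly what is on the certificate you have today. The script below is an added example, not part of the original post: it walks the local machine certificate store on the Exchange server and flags the two problems the post describes, a SHA1 signature and subject alt names that are single-label or under a private suffix. The `$InternalSuffix` value is an assumed placeholder; change it to your own internal DNS suffix.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the Exchange server. Lists every certificate in the machine store
# and flags SHA1 signatures and intranet-only subject alt names.

param(
    # Private DNS suffix to treat as intranet-only (assumed placeholder).
    [string]$InternalSuffix = 'yourdomain.local'
)

function Test-IntranetName {
    param([string]$Name)
    # A name with no dot (e.g. "MailServ1") is a single-label host name; a name
    # under a private suffix is equally impossible for a public CA to verify.
    return ($Name -notmatch '\.') -or
           ($Name.ToLower().EndsWith('.' + $InternalSuffix.ToLower()))
}

function Get-SanNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 is the subjectAltName extension.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    # Format($false) renders one line such as
    # "DNS Name=mail.example.com, DNS Name=MailServ1"; keep the value part.
    return ($ext.Format($false) -split ',\s*') |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() } |
        Where-Object { $_ }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert     = $_
    $names    = @(Get-SanNames $cert)
    $intranet = @($names | Where-Object { Test-IntranetName $_ })
    # FriendlyName is e.g. "sha1RSA" or "sha256RSA".
    $isSha1   = $cert.SignatureAlgorithm.FriendlyName -match '^sha1'

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        SignatureAlg   = $cert.SignatureAlgorithm.FriendlyName
        Sha1Signed     = $isSha1
        IntranetNames  = ($intranet -join ', ')
        NeedsReplacing = $isSha1 -or ($intranet.Count -gt 0)
    }
} | Format-Table -AutoSize
```

Any row with NeedsReplacing set to True is a certificate you cannot simply renew as-is; the IntranetNames column tells you which names have to come off the new CSR and therefore which internal URLs have to change in Step 2.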

Great, now I have to figure out what to do!

Whoa now, I've got you covered on that one 😉 with step-by-step instructions and Exchange PowerShell commands.

Step 1. Create a new CSR (Certificate Signing Request). I'm not going to cover this because it is sort of unique to your CA, but GoDaddy's how-to is here.

Step 2. Change the internal URL to your public FQDN.

You can copy these commands into Notepad++ and replace anything that says "MailServ1" and "YourDomain" so that your FQDN lines up with the commands.

Note: the "Uri" spelling in the first parameter name is not a misspelling; that is the parameter's actual name.

Command 1:

Set-ClientAccessServer -Identity MailServ1 -AutodiscoverServiceInternalUri https://MailServ1.YourDomain.com/autodiscover/autodiscover.xml

Command 2:

Set-WebServicesVirtualDirectory -Identity "MailServ1\EWS (Default Web Site)" -InternalUrl https://MailServ1.YourDomain.com/ews/exchange.asmx

Command 3:

Set-OABVirtualDirectory -Identity "MailServ1\oab (Default Web Site)" -InternalUrl https://MailServ1.YourDomain.com/oab


Step 3. Recycle the IIS Application Pools

Next, to make these changes take effect, you have to tell IIS to pick them up by recycling the application pool.

Open IIS Manager > expand the server > Application Pools, then right-click MSExchangeAutodiscoverAppPool and select Recycle.
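Steps 2 and 3 together, as one script rather than three commands and a trip through IIS Manager. This is an added example, not the post's own commands verbatim: it takes the server name and public FQDN from two variables, runs the same three Set-* cmdlets, recycles the Autodiscover app pool from the WebAdministration module, and reads every internal URL back to confirm it now uses the public name. "MailServ1" and "mail.yourdomain.com" are placeholders; run it in the Exchange Management Shell on the server.

```powershell
# Added example (not from the original post). Sets the three internal URLs
# from one FQDN, recycles the Autodiscover app pool, and verifies the result.

$Server = 'MailServ1'             # Exchange server name (placeholder)
$Fqdn   = 'mail.yourdomain.com'   # public name that is on the new certificate (placeholder)

# Step 2: the same three cmdlets the post uses, with the FQDN substituted.
Set-ClientAccessServer -Identity $Server `
    -AutodiscoverServiceInternalUri "https://$Fqdn/autodiscover/autodiscover.xml"

Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "https://$Fqdn/ews/exchange.asmx"

Set-OABVirtualDirectory -Identity "$Server\oab (Default Web Site)" `
    -InternalUrl "https://$Fqdn/oab"

# Step 3 without the mouse: recycle the app pool via the IIS module.
Import-Module WebAdministration
Restart-WebAppPool -Name 'MSExchangeAutodiscoverAppPool'

# Verification: every internal URL should now start with the public FQDN.
$results = @(
    [pscustomobject]@{
        Setting = 'AutodiscoverServiceInternalUri'
        Value   = (Get-ClientAccessServer -Identity $Server).AutodiscoverServiceInternalUri
    }
    [pscustomobject]@{
        Setting = 'EWS InternalUrl'
        Value   = (Get-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)").InternalUrl
    }
    [pscustomobject]@{
        Setting = 'OAB InternalUrl'
        Value   = (Get-OABVirtualDirectory -Identity "$Server\oab (Default Web Site)").InternalUrl
    }
)

$results | ForEach-Object {
    # -like is case-insensitive, which matches how host names are compared.
    $ok = ([string]$_.Value) -like "https://$Fqdn/*"
    $_ | Add-Member -NotePropertyName UsesPublicFqdn -NotePropertyValue $ok -PassThru
} | Format-Table -AutoSize
```

If any row shows UsesPublicFqdn as False, the corresponding Set-* call did not apply; re-run it and check the cmdlet's output before moving on to the certificate install. On newer Exchange versions Set-ClientAccessService replaces Set-ClientAccessServer for the Autodiscover URI, but the older cmdlet on the page still runs.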


Step 4. Install the new SSL Certificate

GoDaddy's how-to is here.

That's it! You can now rest easy knowing you will not be thanked for keeping your users' super important meme emails protected from the bad guys.