DNS Question, also pertains to Active Directory


imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
Yeah that's definitely a game changer. Although it's not quite as easy as they make it sound to simply "switch to publicly available names on your servers". The other alternative is to configure your systems to use internal CAs and issue your own certificates for internal purposes.

Yeah that doesn't really work properly with Exchange and the like. It will cause Outlook to throw cert warnings on autodiscover and the servers themselves from either inside or outside depending on which you certify.
 

GeekDrew

Diamond Member
Jun 7, 2000
9,099
19
81
Yeah that doesn't really work properly with Exchange and the like. It will cause Outlook to throw cert warnings on autodiscover and the servers themselves from either inside or outside depending on which you certify.

Well -- Exchange isn't the best example, because you could either provide your CA's public key to every device that needs to touch it, and solve the problem that way, or add aliases to Exchange, with certificates for those aliases.

Sometimes neither of those methods is available, though - generally for other products.

As I said - there is no good reason to use .local, and plenty of reasons not to use it. Just don't (in the future) and you won't have to worry about it. For those that already have... well... your road ahead could be anything from a smooth interstate to having a bridge out. Good luck. ;)
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Not after 2015 you won't be able to. We had to reset all of our 3 year certs to 2 this year because the internal .local domain address was invalid because the cert expired after November 1st, 2015.

http://www.digicert.com/internal-names.htm

GoDaddy etc all have the same policy. We intend to rename the domain as a 2014 project...

Interesting. My understanding was that you could still use internal names and IPs in SAN certs.
 
Last edited:
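As an added illustration (not code from this thread or from any CA), here is a small audit that sorts a certificate's SAN entries into names a public CA can still issue for and names that fall under the internal-name policy discussed above. The suffix list and the sample SAN list are constructed assumptions; a real audit would use the full public suffix list.

```python
import ipaddress

# Constructed list of suffixes that do not resolve in public DNS and
# therefore count as internal names. Assumption for illustration only;
# the authoritative check is against the public suffix list.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".corp", ".home", ".intranet")


def is_internal_name(san_entry: str) -> bool:
    """Return True if a SAN entry is an internal name or reserved IP,
    i.e. something a public CA will not include after November 1, 2015."""
    value = san_entry.strip().lower().rstrip(".")
    # IP-address SANs: private, loopback, link-local and other non-global
    # ranges are internal. Python 3.4+ provides is_global.
    try:
        return not ipaddress.ip_address(value).is_global
    except ValueError:
        pass  # not an IP literal, treat as a DNS name
    # Wildcards are judged by the domain they cover
    if value.startswith("*."):
        value = value[2:]
    # Single-label hostnames (e.g. "exchange01") never resolve in public DNS
    if "." not in value:
        return True
    return value.endswith(INTERNAL_SUFFIXES)


def audit_san_list(san_entries):
    """Split a SAN list into entries a public CA can still issue for and
    entries that must move to an internal CA or be replaced by public names."""
    public, internal = [], []
    for entry in san_entries:
        (internal if is_internal_name(entry) else public).append(entry)
    return public, internal


if __name__ == "__main__":
    # Constructed SAN list resembling a pre-2015 Exchange certificate.
    # Note "*.corp.ad" passes this check because .ad is a real TLD, yet a
    # CA will still refuse it unless you can prove control of that domain.
    sample = ["mail.example.com", "autodiscover.example.com",
              "exchange01.corp.local", "exchange01", "10.0.0.25", "*.corp.ad"]
    ok, bad = audit_san_list(sample)
    print("Public CA can issue:", ok)
    print("Must be replaced:  ", bad)
```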

Lifted

Diamond Member
Nov 30, 2004
5,748
2
0
For those that already have... well... your road ahead could be anything from a smooth interstate to having a bridge out. Good luck. ;)

Is there anything that we know for sure will 100% not work due to the lack of support for local domain names in SANs by public CAs?

I agree it should be avoided, and I threw a temper tantrum before our domain was migrated from a public FQDN to a .local (actually migrated into a .local - going backwards IMO), but I have a hard time believing any hardware and software vendors will not find workarounds for their products, even if the workarounds are ugly and major PITA to implement.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
Exchange is one of the more finicky, but Exchange 2010 is also very flexible. We actually ran into this issue in one of the 2010 migrations we did...the customer's previous IT people set their domain up using the .ad TLD, I assume for "Active Directory". Well, .ad is a valid TLD and we were not able to add that name to the SAN cert.

So we just used split DNS and told Exchange to always advertise the same URL for Outlook Anywhere and ActiveSync, whether the user was internal or not, and we ran a split DNS zone.

Worked perfectly, and I'd imagine that split DNS will address most all of the other similar scenarios.