lorennerol (Premium Member, join:2003-10-29, Seattle, WA):
Changes coming for SSL certs- Exchange issue

A cert provider we use is telling us that they cannot issue certs for host names like "Exchange" or "Exchange.domain.local" that are effective past November 2015.

Without some contortion, Outlook clients talk to Exchange using the internal host name, and it complains about a cert mismatch.

Has anyone else run into this or even heard of it?

drew (Radiant, Premium Member, join:2002-07-10, Port Orchard, WA):
said by lorennerol:

Has anyone else run into this or even heard of it?

Not until you mentioned this thread and I typed "ssl certificate domain name rules" into Dr. Internet

»exchangeserverpro.com/ss ··· tificate
quote:
The CA/Browser Forum, a collaborative effort between Certificate Authorities (companies like DigiCert that issue certificates) and Web Browsers (companies like Mozilla or Microsoft that manage trust on a CA level), has introduced new Baseline Requirements for certificate issuance.

As part of these new requirements, Certificate Authorities must phase out the issuance of certificates issued to either Internal Server Names or a Reserved IP Address by October 2016. Specifically, CAs cannot issue certificates to these internal names with expiration dates after November 1, 2015…

Essentially, this change in SSL standards will make it impossible to obtain a publicly trusted certificate for any host name that cannot be externally verified as owned by the organization that is requesting the certificate.
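The quoted rule applied in practice, as an added example that is not from the thread or the linked article: a POSIX shell check that flags the SAN entries a public CA will refuse under the Baseline Requirements (unqualified names, non-public suffixes such as .local, reserved IPv4 ranges). The sample name list and the list of non-public suffixes are constructed assumptions.

```shell
#!/bin/sh
# Returns 0 when NAME is an "internal server name" or reserved IP address in the
# Baseline Requirements sense (cannot be validated on the public Internet), 1
# when it looks like a publicly verifiable name.
is_internal_name() {
  n=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$n" in
    *.*) ;;                 # dotted name or IP: examined below
    *) return 0 ;;          # bare host name such as "exchange": not verifiable
  esac
  case "$n" in
    *[!0-9.]*) ;;           # contains letters: treat as a host name, see below
    *)                      # IPv4 literal: reserved ranges cannot be validated
      old_ifs=$IFS; IFS=.; set -- $n; IFS=$old_ifs
      [ $# -eq 4 ] || return 0   # malformed dotted quad: not issuable either
      case "$1.$2" in
        0.*|10.*|127.*|169.254|192.168) return 0 ;;
        172.1[6-9]|172.2[0-9]|172.3[01]) return 0 ;;
      esac
      return 1 ;;
  esac
  # Suffixes not delegated in the public DNS (constructed list; .local is the
  # one the thread is about).
  case "$n" in
    *.local|*.localhost|*.lan|*.internal|*.corp|*.home) return 0 ;;
  esac
  return 1
}

# Prints, one per line, the names from a space-separated list that a public CA
# will refuse. Feed it the SANs of an existing cert, e.g. from
#   openssl x509 -in cert.pem -noout -ext subjectAltName
flag_internal_names() {
  for name in $1; do
    is_internal_name "$name" && printf '%s\n' "$name"
  done
  return 0
}

# Constructed SAN list modelled on the question: short name, .local FQDN,
# public name, RFC 1918 address, public address.
SAMPLE_SANS="exchange exchange.domain.local mail.example.com 192.168.1.5 203.0.113.10"
flag_internal_names "$SAMPLE_SANS"
```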

exocet_cm (Writing, Premium Member, join:2003-03-23, Brooklyn, NY) to lorennerol:
Self-signed SSL certificates FTW. Lame IMO but hey, I don't make the rules.
AsherN (Premium Member, join:2010-08-23, Thornhill, ON) to lorennerol:
Split DNS and point Outlook to the public name.

kontos (xyzzy, Member, join:2001-10-04, West Henrietta, NY) to drew:
This makes sense once you consider that rules on Top Level Domains have been relaxed. In the future domain.local could get registered to a company/person that is not you. If they were to issue a distant expiration certificate for that domain to Ira Hacker today, he could wreak havoc in a few years if that name comes into use on the public 'Net.
IamGimli (banned) (Member, join:2004-02-28, Canada) to lorennerol:
Set up your own internal CA for your internal requirements. Pretty simple and a lot less expensive than paying a third party for all your internal certificate needs.
ke4pym (Premium Member, join:2004-07-24, Charlotte, NC) to exocet_cm:
said by exocet_cm:

Self-signed SSL certificates FTW. Lame IMO but hey, I don't make the rules.

Sure, doing this or setting up your own internal CA is all fun and games until someone brings in their own device. Then who's the poor soul that has to load the root cert on their device? And keep up with updating it after it expires (short of making it a 100 year cert).
lorennerol (Premium Member, join:2003-10-29, Seattle, WA):

said by ke4pym:

said by exocet_cm:

Self-signed SSL certificates FTW. Lame IMO but hey, I don't make the rules.

Sure, doing this or setting up your own internal CA is all fun and games until someone brings in their own device. Then who's the poor soul that has to load the root cert on their device? And keep up with updating it after it expires (short of making it a 100 year cert).

That. Not to mention users who want to sync their home computer to corporate email, something quite common in the SMB segment.

The easy fix would be to not sell the .local tld.

DarkLogix (Texan and Proud, Premium Member, join:2008-10-23, Baytown, TX) to lorennerol:
Well frankly why put a publicly signed cert on an internal host?

IMO do OWA.public-domain.com, and internal-server-name.domain.local

Use a public cert on the public address and an internally signed cert on the internal address,

then sort out the rest of the details.
DarkLogix to lorennerol:
said by lorennerol:

said by ke4pym:

said by exocet_cm:

Self-signed SSL certificates FTW. Lame IMO but hey, I don't make the rules.

Sure, doing this or setting up your own internal CA is all fun and games until someone brings in their own device. Then who's the poor soul that has to load the root cert on their device? And keep up with updating it after it expires (short of making it a 100 year cert).

That. Not to mention users who want to sync their home computer to corporate email, something quite common in the SMB segment.

The easy fix would be to not sell the .local tld.

Use Outlook Anywhere and never let that computer be on the internal network.

And ya the .local should be reserved indefinitely just like the 10.x.x.x/8 range

What we have is any public facing address gets a cert from a real CA and all internal ones get one from the internal CA.

Also with an internal CA you can set the lifetime to something very long so the CA's cert won't expire for a very long time, as well as make a self applying exe for the CA certs.
IamGimli (banned) (Member, join:2004-02-28, Canada) to ke4pym:
said by ke4pym:

said by exocet_cm:

Self-signed SSL certificates FTW. Lame IMO but hey, I don't make the rules.

Sure, doing this or setting up your own internal CA is all fun and games until someone brings in their own device. Then who's the poor soul that has to load the root cert on their device? And keep up with updating it after it expires (short of making it a 100 year cert).

If you let people plug in their own devices to your network you might as well not use certificates at all.
demir (Premium Member, join:2010-07-15, usa) to IamGimli:
said by IamGimli:

Set up your own internal CA for your internal requirements. Pretty simple and a lot less expensive than paying a third party for all your internal certificate needs.

This.
lorennerol (Premium Member, join:2003-10-29, Seattle, WA):

said by demir:

said by IamGimli:

Set up your own internal CA for your internal requirements. Pretty simple and a lot less expensive than paying a third party for all your internal certificate needs.

This.

One company with an IT department and 20 sites, yes, this is simpler.

One IT consultant with 50 clients, 50 email servers, etc. This is NOT easier, or more cost effective.
demir (Premium Member, join:2010-07-15, usa):

Setting up a CA isn't a big deal, even for a single person, let alone a company. You could do it in 5 minutes and start generating your own certs, whether you are a single person, small, medium or large company.

If you've never gone through the exercise or thought about managing your own certificates, maybe it's a good time to start.

»www.freebsdmadeeasy.com/ ··· nssl.php
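What "set up your own internal CA" looks like with OpenSSL, as an added example that is not from the thread or the linked tutorial: a self-signed root, then a server certificate carrying the internal names from the original question (the short name and the .local FQDN) that a public CA will no longer sign. File names, subjects and lifetimes are constructed; WORK defaults to a fresh temporary directory.

```shell
#!/bin/sh
set -eu
WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# 1. Root of the internal CA: self-signed and deliberately long-lived (about
#    ten years), so the root pushed to clients does not need replacing soon.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example Corp Internal CA" \
  -keyout ca.key -out ca.crt 2>/dev/null

# 2. Server key and CSR for the Exchange host. The CN alone is not enough:
#    clients match the name they connect to against subjectAltName, which is
#    added at signing time below.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=exchange.domain.local" \
  -keyout exchange.key -out exchange.csr 2>/dev/null

# 3. Sign with the internal CA. SANs are the short name Outlook uses on the
#    LAN and the .local FQDN; serverAuth marks it as a TLS server certificate.
cat > exchange.ext <<'EOF'
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:exchange.domain.local, DNS:exchange
EOF
openssl x509 -req -in exchange.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 825 -sha256 -extfile exchange.ext -out exchange.crt 2>/dev/null

# The two checks a client effectively performs: does the leaf chain to the
# root it trusts, and does the leaf carry the host name being connected to?
chain_ok() { openssl verify -CAfile ca.crt exchange.crt >/dev/null 2>&1; }
has_san()  { openssl x509 -in exchange.crt -noout -text | grep -qE "DNS:$1(,|\$)"; }

chain_ok && has_san exchange.domain.local && has_san exchange \
  && echo "exchange.crt in $WORK is valid for exchange.domain.local and exchange under ca.crt"
```

Distributing ca.crt to every client (and re-issuing the leaf before its 825 days run out) is the part of the job the thread argues about; the commands above only cover issuance.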
ke4pym (Premium Member, join:2004-07-24, Charlotte, NC) to IamGimli:
said by IamGimli:

said by ke4pym:

said by exocet_cm:

Self-signed SSL certificates FTW. Lame IMO but hey, I don't make the rules.

Sure, doing this or setting up your own internal CA is all fun and games until someone brings in their own device. Then who's the poor soul that has to load the root cert on their device? And keep up with updating it after it expires (short of making it a 100 year cert).

If you let people plug in their own devices to your network you might as well not use certificates at all.

You apparently haven't been keeping up on all the rage in IT these days that is BYOD.

And regardless of who's using your network, you better be encrypting the sensitive data. And while you're at it, you better make sure you're configuring your server's SSL settings correctly.

Using ".local" as a name is a foreign concept to me. Our internal name matches our external name. So, it's no big thing for us to just get a wildcard cert and be done with it (aside from tracking where that cert has been installed).
IamGimli (banned) (Member, join:2004-02-28, Canada):

said by ke4pym:

You apparently haven't been keeping up on all the rage in IT these days that is BYOD.

...and you apparently haven't been keeping up with the security risks that represents, which are much greater than unencrypted email on a closed network.

You do realize that all those emails are going out to the destination on the Internet unencrypted, right?
ke4pym (Premium Member, join:2004-07-24, Charlotte, NC):

said by IamGimli:

said by ke4pym:

You apparently haven't been keeping up on all the rage in IT these days that is BYOD.

...and you apparently haven't been keeping up with the security risks that represents, which are much greater than unencrypted email on a closed network.

You do realize that all those emails are going out to the destination on the Internet unencrypted, right?

Being that I work for a healthcare facility, I am *KEEEEEEENLY* aware of the security risks. However, this isn't something that's my call. BYOD and the consumerization of IT is an industry thing that is impacting all IT departments now, and one my employer is embracing.

There are plenty of technologies out there (some of which we deploy) that will mitigate most, if not all, of the risks of a BYOD on a corporate network. Personal responsibility and liability set by laws/rules such as HIPAA are also pretty good deterrents that help fill in the gaps.

As for "all those emails" - they're not necessarily going out to the internet unencrypted. We have a system that intercepts emails and if it finds certain information, it will divert that email from an unencrypted state to our protected email system which uses SSL. It also isn't shy about grabbing too many emails rather than not enough.

DarkLogix (Texan and Proud, Premium Member, join:2008-10-23, Baytown, TX):

You could also add in some of the e-mail security that yahoo, ebay, and google have.

I don't remember the name of the tech but it basically stores a public key in DNS and uses a private key to sign all outgoing e-mail.

Then any e-mail claimed to be from the given domain (i.e. google, yahoo, or ebay) can be verified by checking with the key in the DNS record.

Combine that with SRP and you can be sure that no one will be able to spoof you.