Onwards from November 2014, You May Experience Difficulties When Trying to Connect to Your MS Exchange Server

Many businesses rely on the Microsoft Exchange Server for their internal and external messaging. The Exchange Server is usually designated as “server” or “server.local” within the internal network.

So far, so good.
Or is it?

To encrypt the connection between client (e.g. Outlook) and server without errors, an SSL Certificate is necessary. This SSL Certificate needs to include all of the server names in use (public as well as private) and be issued by a Certificate Authority (CA).

And this is where you will find an easily overlooked problem: because of new requirements, the CA/Browser Forum (CAB Forum) has obliged the CAs to ban unofficial server names and private IP addresses from SSL Certificates. The deadline for this ban is fast approaching, as stated by the CAB Forum:

“Also as of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015, with a SAN or Subject Common Name field containing a Reserved IP Address or Internal Server Name.”

Accordingly, a CA may no longer issue a certificate that contains local server names and is valid beyond the 1st of November 2015. As a direct result, these certificates (e.g. in use on MS Exchange Servers) may be issued no later than the 31st of October, with a maximum validity period of 12 months.
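To see which of your own certificates fall under this rule, the check can be scripted. The following is an added example, not code from CertCenter or the CAB Forum: it classifies each Common Name/SAN entry and applies the quoted expiry cut-off. The function names, the suffix list and the sample names are assumptions made for illustration.

```python
import ipaddress
from datetime import date

# Cut-off from the quoted requirement: expiry may not be later than this date.
CUTOFF = date(2015, 11, 1)
# Assumption: illustrative non-public suffixes, not an official registry.
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".home")


def classify_name(name):
    """Return 'reserved-ip', 'internal-name' or 'public' for one CN/SAN entry."""
    value = name.strip().rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        pass  # not an IP literal, treat it as a host name below
    else:
        return "public" if ip.is_global else "reserved-ip"
    if value.startswith("*."):
        value = value[2:]  # a wildcard is judged by the domain it covers
    # Single-label names ("server") cannot be validated through public DNS.
    if "." not in value or value.endswith(INTERNAL_SUFFIXES):
        return "internal-name"
    return "public"


def audit_certificate(names, not_after):
    """Check a certificate's CN/SAN entries and expiry date against the rule."""
    flagged = {}
    for name in names:
        kind = classify_name(name)
        if kind != "public":
            flagged[name] = kind
    # Affected only if it carries a flagged entry AND expires after the cut-off.
    return {"flagged": flagged,
            "violates_rule": bool(flagged) and not_after > CUTOFF}


# Constructed sample: an Exchange certificate mixing public and internal names.
SAMPLE_NAMES = ["mail.example.com", "autodiscover.example.com",
                "server", "server.local", "192.168.1.10"]

if __name__ == "__main__":
    for expiry in (date(2015, 10, 31), date(2016, 3, 1)):
        print(expiry, audit_certificate(SAMPLE_NAMES, expiry))
```

The flagged entries are the names that have to be replaced with official server names before the certificate's next renewal.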

What does this mean for businesses?

Businesses will have to comply with the new convention on name designation. Microsoft and the CAB Forum suggest the use of complete and official server names (e.g. server.example.com), for which standard SSL Certificates can still be issued.

Businesses should try to adjust quickly. However, as explained above, it is still possible until the end of October 2014 to order new SSL Certificates containing internal server names with a validity period of 12 months. If you require more time for your internal reorganization, you should seriously consider ordering an extension or reissue of your SSL Certificates containing internal server names as soon as possible.

In case of questions regarding these imminent changes, please contact our customer support team at CertCenter by phone, e-mail, or chat.