Recently, I noticed that Certificate Authorities like GoDaddy are issuing a warning when you purchase a certificate with an internal server name (example: domain.local). The use of internal domain names has been discontinued by Certification Authorities and Browsers (CAB). If you intend to issue a certificate with .local or any internal domain name, then your certificate will expire by November 2015. After November 2015, you'll lose the ability to purchase an SSL certificate if you include a .local domain or any other internal domain in it. If you already have one and have not done anything about it by November 2015, it will expire.

You may be wondering: why not purchase the certificate without the internal domain (.local) and use it? You can, but if your internal domain is .local, your users will keep getting a certificate warning in Outlook at launch and while using it.

Certificate Warning

What does it mean for you?

Since Microsoft introduced Active Directory, most users have set up their internal domain separately from their external domain. Exchange Servers were configured with the internal domain names as well, and Outlook always contacted the Exchange Server via its .local domain name. If you have a similar environment, you must be wondering how to stop the warning and still issue a proper certificate for your Exchange Organization.

How do you fix it – Redirect your Exchange Server to use External URL

You'll need to run the following commands in your Exchange 2007 or Exchange 2010 Management Shell. These commands update the internal URL for three services: Autodiscover, EWS and OAB. Make sure that all the DNS records are in place before you do so. Replace HOSTNAME with your server name and change the domain name to your external domain. Also, note that each command is a single-line command.

Set-ClientAccessServer -Identity HOSTNAME -AutodiscoverServiceInternalUri https://mail.yourexternaldomain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "HOSTNAME\EWS (Default Web Site)" -InternalUrl https://mail.yourexternaldomain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "HOSTNAME\oab (Default Web Site)" -InternalUrl https://mail.yourexternaldomain.com/oab

It's not strictly necessary to run the commands below, but Exchange still uses the .local URL in some of its background services, so it's good to update them as well.

Set-ActiveSyncVirtualDirectory -Identity "HOSTNAME\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl https://mail.YourExternalDomain.com/Microsoft-Server-ActiveSync

Set-OWAVirtualDirectory -Identity "HOSTNAME\owa (Default Web Site)" -InternalUrl https://mail.YourExternalDomain.com/owa

Set-ECPVirtualDirectory -Identity "HOSTNAME\ecp (Default Web Site)" -InternalUrl https://mail.YourExternalDomain.com/ecp

Set-OutlookAnywhere -Identity "HOSTNAME\Rpc (Default Web Site)" -InternalHostname mail.YourExternalDomain.com -InternalClientsRequireSsl $true

Please note that this step only applies post Exchange 2013.

Please note that Set-OutlookAnywhere is only required if you have configured Outlook Anywhere services in your Exchange Environment.

Reset your IIS

  • Open Command Prompt
  • Type iisreset and hit enter
  • Wait for the process to complete.

Does Outlook still prompt about an invalid name in the certificate, and is it still pointing to an internal domain name?

  • Create a new Outlook profile.

What’s changed now:

Your Outlook is no longer contacting your Exchange using .local URL.
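To confirm this on the server side, the read-only check below lists every internal URL changed above and inspects the certificate bound to IIS. It is an added example, not part of the original post; it assumes the Exchange Management Shell on PowerShell 2.0 or later, and `$ExternalHost` is the post's placeholder name.

```powershell
# Added example: read-only audit, run in the Exchange Management Shell.
$ExternalHost   = 'mail.yourexternaldomain.com'   # placeholder from the post; use your own name
$InternalSuffix = '.local'                        # internal suffix to look for
$results = @()

# Autodiscover's internal URI is stored on the Client Access server object.
Get-ClientAccessServer | ForEach-Object {
    $results += New-Object PSObject -Property @{
        Service = 'Autodiscover'; Identity = $_.Name
        Url     = [string]$_.AutoDiscoverServiceInternalUri }
}

# The other services expose InternalUrl on their virtual directories.
# Skip cmdlets the installed version lacks (for example, no ECP on Exchange 2007).
$vdirCmdlets = 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-ActiveSyncVirtualDirectory', 'Get-OwaVirtualDirectory',
               'Get-EcpVirtualDirectory'
foreach ($name in $vdirCmdlets) {
    if (-not (Get-Command $name -ErrorAction SilentlyContinue)) { continue }
    & $name | ForEach-Object {
        $results += New-Object PSObject -Property @{
            Service  = $name -replace '^Get-|VirtualDirectory$', ''
            Identity = $_.Identity
            Url      = [string]$_.InternalUrl }
    }
}
$results | Sort-Object Service | Format-Table Service, Identity, Url -AutoSize

# Flag URLs whose host name still ends in the internal suffix (empty URLs are skipped).
$stale = @($results | Where-Object { $_.Url -and ([uri]$_.Url).Host -like "*$InternalSuffix" })
if ($stale.Count) { Write-Warning "$($stale.Count) internal URL(s) still point at $InternalSuffix" }

# Certificate bound to IIS: it should cover the external name, carry no internal
# names, and not be close to expiry. A wildcard entry is used as a -like pattern.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | ForEach-Object {
    $names = @($_.CertificateDomains | ForEach-Object { [string]$_ })
    New-Object PSObject -Property @{
        Thumbprint    = $_.Thumbprint
        CoversExtName = [bool]($names | Where-Object { $ExternalHost -like $_ })
        InternalNames = ($names | Where-Object { $_ -like "*$InternalSuffix" }) -join ', '
        DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays }
} | Format-List
```

A clean result shows no warning, `CoversExtName` set to True and an empty `InternalNames` value.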

Resolution:

You have successfully redirected Exchange to use the external URL and saved yourself a lot of trouble. Further, you can now buy an SSL certificate without .local in it. The validity of the certificate will be 1 year at least.

Still Need Support:

Pledge Technologies (parent company of Grishbi) offers paid technical support if you have an issue. We also provide FREE SSL Certificate Installation Assistance if it’s purchased from us. Click here to Buy SSL Certificates, Domain, Web Hosting or related products.

Passionate for Latest Gadgets, a Computer geek by Hobby, and luckily Profession too. Started my career in 2005 with IBM, worked with Microsoft later. Back in 2009, started Pledge Technologies (www.pledgetechnologies.com) (parent company to Grishbi). We, at Pledge Technologies, provide IT Consulting to SMBs across US & UK. Specialized in Microsoft Technologies like AD, Exchange, etc., and lot of experience of Office 365 Migration for various clients. Grishbi is a platform where we express what we learned today, and share it with world.