Forum Discussion

K_G
11 years ago

SAN certificate


After the new SAN certificate authority rules,

we couldn't add local names to the SAN.

For example, we couldn't add company.domain.local. (we can just add

So we will have a problem on port 443 in external OWA.

What are your ideas for this?




7 Replies

  • Also, when the old SAN certificates expire, they will cause problems...

  • Not sure if this is the right forum for this but yes it does affect EV but also all internal web services using external CA.

    SSL/security forum:

    And a post about the subject:

    Googled and found this:

    Alternatives

    A possible alternative for this change is by using an additional external name. This can be a sub domain of your main domain (eg or by using a .net domain name (.net = network) like Until now, the amended legislation applies only for domain validated (DV) SAN certificates. Certificates for which the organization has been validated (OV) do not have to deal with this change. Upgrading your DV certificate to an OV certificate is another alternative.

  • Yes, this is a certificate issue, but Enterprise Vault is directly affected by this issue. Also, Enterprise Vault has a white paper for 10.03 on using an SSL certificate. This may be updated..

  • KG, yes, come to think of it - it does have a technote of best practice somewhere regarding Exchange 2013 OMA.

    Enterprise Vault 10.0.3 and later: Requesting and Applying an SSL Certificate

    Ideas to work around this? Here are a few:

    - Well, you can use internal certs for your internal server and use an application firewall/proxy/gateway (TMG/f5) to do the link translation to your internal domain.

    i.e. (using ext cert) -> https://evserver.domain.local/enterprisevault (using int cert)

    Obviously, internally you will have to ensure the internal certs are automatically enrolled via AD GPOs.

    - Split Brain DNS - i.e. you create a DNS record for your external domain internally

    i.e. -> private ip and -> private ip

    It's a bit tricky but this will allow your external certs to resolve and work internally.



  • Updating the computer entry to in SQL, then adding the internal IP of the DNS alias in the hosts file on evserver, solves the problem.


  • Yes, the DNS hack/solution is the hosts file... and you might just change the DNS alias too... That may break all shortcuts unless it is a greenfield implementation. Once you do that, all users' links will point to and their systems need a way to resolve to the external name internally; you are back to split brain DNS.
  • Yes, EV may create a new whitepaper for this issue; most people will experience this problem in the future...
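
Added example, not part of the thread or of any Enterprise Vault tooling: a small audit of a certificate's SAN line, in the text format `openssl x509 -noout -ext subjectAltName` prints, that lists the entries a public CA will not carry over on renewal (such as `company.domain.local`) and that therefore need one of the workarounds discussed above. The suffix list and the sample SAN line are assumptions constructed for illustration.

```python
import ipaddress

# Assumed list of suffixes that are not publicly delegated; extend it with
# the internal namespaces your own AD forests use.
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".home")

def parse_san_line(line):
    """Split 'DNS:a, IP Address:b' text into (kind, value) pairs."""
    entries = []
    for item in line.split(","):
        item = item.strip()
        if not item:
            continue
        # Split on the first ':' only, so IPv6 values stay intact.
        kind, _, value = item.partition(":")
        entries.append((kind.strip(), value.strip()))
    return entries

def internal_reason(kind, value):
    """Return why an entry is internal-only, or None if it looks public."""
    if kind == "IP Address":
        ip = ipaddress.ip_address(value)
        return None if ip.is_global else "reserved/private IP"
    if kind == "DNS":
        name = value.lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]  # judge a wildcard by its base name
        if "." not in name:
            return "single-label host name"
        if name.endswith(INTERNAL_SUFFIXES):
            return "non-public suffix"
    return None

def audit_san(line):
    """List (kind, value, reason) for every internal-only SAN entry."""
    return [(k, v, r) for k, v in parse_san_line(line)
            if (r := internal_reason(k, v))]

# Constructed sample; names other than company.domain.local and
# evserver.domain.local are hypothetical.
SAMPLE = ("DNS:mail.example.com, DNS:company.domain.local, "
          "DNS:evserver.domain.local, DNS:EVSERVER, IP Address:10.20.0.15")

if __name__ == "__main__":
    for kind, value, reason in audit_san(SAMPLE):
        print(f"{kind:<10} {value:<26} {reason}")
```

Each flagged entry is a name that clients currently use to reach the server, so it is the list of URLs, shortcuts and DNS aliases to move to a public name before the old certificate expires.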