Channel: Exchange Server 2010 forum

Using separate certificates for OWA and RPC


What I am trying to do is simple, and since external certificate authorities will no longer be signing non fully qualified domain names FQDN (*.company.local) after 2015, I assume it is going to be a question that will need to be answered often.

I am using Exchange 2010 SP1. I have clients that will be accessing my Client Access server using Outlook for internal on-domain connections and OWA & ActiveSync for external connections to my Exchange environment; again, extremely simple and standard to say the least. Internal Outlook clients will be connecting to servername.company.local, and my external clients, OWA & ActiveSync, will be connecting to owa.companyname.com.

I have a certificate that is issued to owa.companyname.com with a SAN of autodiscover.companyname.com and NOT to servername.company.local, because my certificate authority won’t sign anything but FQDNs, understandably given the new standard, and they can’t auth it really. I created an Active Directory CA and generated a cert with servername.company.local for Exchange. The issue is that when I assign the cert for owa.companyname.com to IIS, it uses the same cert for the RPC connections to the Outlook clients, and there is no way, well, from what I can tell at least, to assign a separate cert to each. (I get this is a limitation of IIS, understandably.) But is there a way to separate out the sites in IIS, or something out of the box like that?

Again, I know the fix is just to go out and get a cert from a CA that will sign non-FQDNs, but from what I can find they won’t sign a cert for more than two years, because anything longer than that would put me into 2015, therefore they would be breaking the new industry standard of not signing non-FQDNs. I guess, yes, I could just go out and get a cert now and deal with it in two years, but I want to try and deal with it now.

