Rename a Microsoft active directory domain to get an Authority SSL certificate
We regularly receive requests for certificates covering internal names: domain names that collide with official domains registered at IANA, TLDs in the process of being assigned, non-existent TLDs, or private IP addresses.
After November 1st 2015, no certificate for an internal domain name or IP address may remain valid. As of now, we therefore cannot sell 3-year certificates for such SANs.
To work around the problem, there are 2 solutions:
- The simplest is to install a Microsoft ISA/TMG front-end server that uses a UC certificate without internal names and redirects the traffic to the internal Exchange server. On the internal Exchange server, install a certificate generated by your autodiscovery PKI. This can be done quickly, but you will have to keep the Microsoft PKI.
- Or rename your Windows Active Directory domain to get rid of internal names. To do so, use Microsoft's rendom tool. See the documentation:
- For Windows 2000: http://support.microsoft.com/kb/292541/fr
- for Windows 2003: http://technet.microsoft.com/fr-fr/windowsserver/bb405948.aspx
- For Windows 2008: http://www.shariqsheikh.com/blog/index.php/200804/how-to-rename-a-windows-server-2008-domain/
- For Windows 2012/2012r2: https://technet.microsoft.com/en-us/library/cc781575%28v=ws.10%29.aspx
Warning: this is a complex operation that can impact your business applications. Consult Microsoft before making any changes.
Advice: we advise using a sub-domain of your official domain as the Active Directory domain name, for example ad.entreprise.fr, or buying a new dedicated domain.
You CANNOT use a domain such as .local. Consult this article to learn why it cannot be used as an internal domain.
Definition
Internal Name: A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance because it does not end with a Top Level Domain registered in IANA’s Root Zone Database.
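As an added example (not part of the original article and not a tool provided by the certificate authority), the following Python script applies the definition above to a list of SAN entries before a CSR is submitted: a name is flagged as internal when its last label is not a registered public TLD, and an IP address is flagged when it is not globally routable (private, loopback, link-local or other reserved ranges). The TLD set and the sample SAN list are constructed for the example; a real check should load the full IANA root-zone list.

```python
import ipaddress

# Constructed subset of IANA root-zone TLDs, enough for this example.
# A production check should load the complete list from
# https://data.iana.org/TLD/tlds-alpha-by-domain.txt instead.
PUBLIC_TLDS = {"com", "net", "org", "fr", "eu", "io"}


def classify_san(entry: str) -> str:
    """Classify one Subject Alternative Name entry.

    Returns one of:
      'public'        - DNS name ending in a registered public TLD
      'internal-name' - DNS name that cannot be globally unique (no public TLD,
                        single-label host name, .local, .lan, ...)
      'public-ip'     - globally routable IP address
      'reserved-ip'   - private/loopback/link-local/other reserved IP address
    """
    value = entry.strip().lower().rstrip(".")

    # IP address literal? ipaddress rejects anything that is not a valid address.
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        # is_global is False for RFC 1918, loopback, link-local and other
        # IANA special-purpose ranges, which matches "private IP" in the text.
        return "public-ip" if addr.is_global else "reserved-ip"

    # DNS name: the last label must be a TLD registered in the IANA root zone.
    labels = value.split(".")
    if len(labels) < 2 or labels[-1] not in PUBLIC_TLDS:
        return "internal-name"
    return "public"


def find_internal_sans(sans):
    """Return the entries that a public CA will refuse after the deadline."""
    return [s for s in sans if classify_san(s) in ("internal-name", "reserved-ip")]


# Constructed sample SAN list of the kind seen on an Exchange UC certificate
# before an Active Directory domain rename (ad.entreprise.fr is the example
# name used in the article; the other host names are made up).
SAMPLE_SANS = [
    "mail.entreprise.fr",
    "autodiscover.entreprise.fr",
    "mail.ad.entreprise.fr",
    "exchange01.entreprise.local",
    "exchange01",
    "10.0.0.5",
]

if __name__ == "__main__":
    for san in SAMPLE_SANS:
        print(f"{san:35} {classify_san(san)}")
    print("Entries to remove or rename:", find_internal_sans(SAMPLE_SANS))
```

Running the script on the sample list reports the .local name, the bare host name and the 10.0.0.5 address as entries to remove, while the names under entreprise.fr and ad.entreprise.fr pass, which is exactly the situation the domain rename is meant to produce.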
External links
- http://blog.lumo.fr/renommer-un-nom-de-domaine-active-directory.html
- http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/ac406f35-1d14-4905-8dff-942b016b46fd/