Symantec IGA

  • 1.  exchange certificate

    Posted Aug 27, 2015 06:28 AM

    Hi,

    Installing agentless Exchange with HTTP Basic authentication requires these steps:

    To enable HTTP Basic authentication, follow these steps:

    a.

    b. Ensure that the Exchange server has its own server certificate with the following settings:

    - The certificate is in the local machine's computer account.

    - The subject of the certificate is the fully-qualified domain name of the computer. For example, somehost.example.com.

    The customer has 30+ servers and does not want 30+ individual server certificates but wants to use one generic certificate.

    IIS Sitemanager is used to define site bindings


    Does anyone have experience with site bindings for a generic certificate using subject alternate names?


    They also have a BigIP load balancer.

    Thanks Ralph

    Attachment(s): Subject alternate name.pdf (135 KB)


  • 2.  Re: exchange certificate

    Posted Sep 01, 2015 01:00 PM

    Hi Ralph,

    If the internal team is familiar with openssl, they can use this tool to rapidly create a Server Side Cert with multiple SANs.

    openssl may be used on both MS Windows OS and UNIX/Linux.

    Below is an example that I use to create a server cert with multiple SANs, where a SAN may be an FQDN, hostname, or IP address.

    See below where I used variables to populate many iterations of a SAN's FQDN.

    For your example:

    You have two (2) choices.

    1)  Create a basic server-side cert with just CN=domainname.com to ensure that it matches ANY host in the domain. But this may be too wide of a reach and may impact security governance requirements.

    2) Use the SAN functionality of openssl to create as many SANs (150) as you wish for the exact FQDN (even if the domain names are different):

    subjectAltName = DNS:$_FQDN01,DNS:$_FQDN02,DNS:valid.example.com, ........., DNS:valid.example.com

    https://tools.ietf.org/html/rfc5280#section-4.2.1.6

    I am also enclosing the reference links used to build these scripts.

    *** *** ***

    #!/bin/sh
    ###################################################
    # Generate SSL KEY and CERTS
    ###################################################
    set -e
    SSL_HOME=/opt/CA/httpd/conf/ssl
    _HOSTNAME=$(hostname)
    _FQDN=$(hostname -f)
    _IP=$(hostname -i)      # on some distros this yields 127.0.1.1; set the real address by hand if so
    _PASSWORD=Password01    # demo value only; "pass:" is visible in the process list, prefer -passout file:/env:
    mkdir -p $SSL_HOME
    chmod 700 $SSL_HOME

    echo "# Write an openssl config carrying the SANs as a real X.509v3 extension"
    # (a /subjectAltName=... component inside -subj only adds an odd RDN to the subject; it is not a SAN)
    cat > $SSL_HOME/san.cnf <<EOF
    [ req ]
    distinguished_name = req_dn
    req_extensions     = v3_req
    [ req_dn ]
    [ v3_req ]
    subjectAltName = DNS:$_FQDN,DNS:CHANGE_ME.example.com,DNS:valid.example.com,IP:$_IP,IP:192.168.255.254
    EOF

    echo "# Generate a server key"
    openssl genrsa -aes256 -passout pass:$_PASSWORD -out $SSL_HOME/ssl.domain.com.server.key 4096

    echo "# Generate a cert request (csr) using above server key for "
    echo "hostname = $_HOSTNAME, fqdn = $_FQDN, ip = $_IP"
    openssl req -new -passin pass:$_PASSWORD -key $SSL_HOME/ssl.domain.com.server.key \
        -config $SSL_HOME/san.cnf \
        -subj "/C=US/ST=ST/L=CITY/O=Corp/OU=Dept/CN=$_HOSTNAME/emailAddress=CHANGE_ME@example.com" \
        -out $SSL_HOME/ssl.domain.com.server.csr
    echo ""

    echo "# Create self-signed cert (TO BE REPLACED BY VALID PUBLIC CERTS IN PRODUCTION BEFORE GO LIVE)"
    # x509 -req does not copy extensions from the CSR, so point it at the same config section
    openssl x509 -req -days 3650 -passin pass:$_PASSWORD -in $SSL_HOME/ssl.domain.com.server.csr \
        -signkey $SSL_HOME/ssl.domain.com.server.key \
        -extfile $SSL_HOME/san.cnf -extensions v3_req \
        -out $SSL_HOME/ssl.domain.com.server.crt
    echo ""

    echo "# Create non password protected server key to allow auto start of Apache w/o Password required"
    openssl rsa -passin pass:$_PASSWORD -in $SSL_HOME/ssl.domain.com.server.key -out $SSL_HOME/ssl.domain.com.server.nopassword.key
    chmod 600 $SSL_HOME/ssl.domain.com.server.nopassword.key   # the unencrypted key must be readable by root only
    echo ""
    echo ""

    echo "Password protected version"
    head -3 $SSL_HOME/ssl.domain.com.server.key
    echo ""
    echo ""

    echo "Open / no password protection version"
    head -3 $SSL_HOME/ssl.domain.com.server.nopassword.key
    echo ""
    echo ""

    echo "# View the self-signed Certificate and confirm the SAN list made it in"
    openssl x509 -in $SSL_HOME/ssl.domain.com.server.crt -text -noout
    openssl x509 -in $SSL_HOME/ssl.domain.com.server.crt -text -noout | grep -A1 "Subject Alternative Name"
    ###################################################

    Reference:

    http://www.thegeekstuff.com/2011/03/install-apache2-ssl/

    https://docs.jboss.org/author/display/AS71/Using+mod_jk+with+JBoss+AS7

    https://chrisjean.com/adding-ssl-support-to-apache-on-centos/

    Cheers,

    Alan Baugher
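Added example, not part of the thread and not Symantec/CA code: a small Python helper for the situation Ralph describes (many hosts, one certificate). It renders the [alt_names] config section that an openssl config needs from a server inventory, and it checks with RFC 6125 style name matching which inventory names a candidate SAN list would actually cover, so the list can be validated before the CSR goes to the CA. The hostnames, addresses and function names are constructed for the example.

```python
"""Added example (not from the original thread): build the [alt_names] section
for a multi-host certificate from a server inventory and check, with RFC 6125
style matching, that every host would actually be covered by the SAN list.
Hostnames and IPs below are constructed sample data."""
import ipaddress

# Constructed inventory standing in for the customer's 30+ Exchange servers.
INVENTORY_HOSTS = ["mail01.corp.example.com", "mail02.corp.example.com",
                   "owa.corp.example.com", "mail01.dmz.example.net"]
INVENTORY_IPS = ["192.0.2.10", "192.0.2.11"]


def alt_names_section(hosts, ips):
    """Render the openssl config section referenced by 'subjectAltName = @alt_names'."""
    lines = ["[ alt_names ]"]
    for i, h in enumerate(sorted({h.lower() for h in hosts}), 1):
        lines.append(f"DNS.{i} = {h}")
    for i, ip in enumerate(sorted(set(ips), key=ipaddress.ip_address), 1):
        lines.append(f"IP.{i} = {ip}")
    return "\n".join(lines) + "\n"


def dns_name_matches(pattern, hostname):
    """RFC 6125 s6.4.3 style match: case-insensitive, label-by-label, and a
    wildcard only as the entire left-most label, covering exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]        # *.example.com matches a.example.com only
    return "*" not in pattern and p == h


def san_covers(dns_sans, ip_sans, name):
    """Would a TLS client accept this SAN list for 'name'?  IP literals are
    compared only against IP entries; a DNS entry never covers an address, and
    the CN is ignored by modern clients once a SAN extension is present."""
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        return any(dns_name_matches(p, name) for p in dns_sans)
    return any(ipaddress.ip_address(ip) == addr for ip in ip_sans)


def uncovered(dns_sans, ip_sans, hosts, ips):
    """Inventory names that the proposed SAN list does not cover."""
    return [n for n in list(hosts) + list(ips) if not san_covers(dns_sans, ip_sans, n)]


if __name__ == "__main__":
    print(alt_names_section(INVENTORY_HOSTS, INVENTORY_IPS))
    # Names left uncovered by a certificate that names only the bare domain:
    print(uncovered(["example.com"], [], INVENTORY_HOSTS, INVENTORY_IPS))
    # ...and by a single wildcard entry plus the IP entries:
    print(uncovered(["*.corp.example.com"], INVENTORY_IPS, INVENTORY_HOSTS, INVENTORY_IPS))
```

Running it prints the rendered section, then the names left uncovered by a bare-domain entry and by a single wildcard entry. A wildcard covers exactly one label, so a host in another zone (the .net host here) or a deeper name such as a.b.corp.example.com still needs its own DNS entry, and an address used in a binding or a BigIP health check is only covered by an IP entry.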