Outlook 2010 and "Subject Alternative Name" - split/renew/replace current certificate


#1

I have a certificate that contains several FQDNs:

Certificate:
[…]
Subject: CN=my.domain
[…]
X509v3 Subject Alternative Name:
DNS:mx.my.domain, DNS:my.domain, DNS:imap.my.domain, DNS:mail.my.domain, DNS:pop3.my.domain

My intention was to catch all hostnames that could have been used as mail server name.
Now Outlook 2010 seems to have issues dealing with the x509v3 “Subject Alternative Name” because it shows a “target principal name is incorrect” message. So we made the decision to use a certificate without the SAN feature and CN=mail.my.domain.
Can I simply request a new certificate and let the current one expire, or should I revoke it? What is “best practice” here?
Lars


#2

There is no need to revoke the old certificate. Simply let it expire (keep the certificate safe or delete it, though).


#3

It would be really good if Microsoft would properly and clearly document the limitations of their software regarding X509 certificates. There are some things their products do very well, and others they really don’t, but mostly my problem is that it’s hard to find out whether a problem is a bug / limitation of their software.

I’ve seen a bunch of Microsoft’s own tutorials on how to create certificates for their systems and this wasn’t even mentioned. Outlook is popular software; even if only older versions are affected, it’d be really useful to be able to warn people about this issue when creating new certificates for a mail server.
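Added example, not written by any poster in this thread: a small Python check of which mail hostnames the certificate from post #1 and the planned CN=mail.my.domain replacement would cover. The `cn_only` mode is an assumption that models a client which ignores the Subject Alternative Name, as post #1 suspects of Outlook 2010; all function and variable names are hypothetical.

```python
"""Added example: which server names does a certificate cover for a mail client?"""

def name_matches(presented: str, host: str) -> bool:
    """Compare one certificate name with a hostname, label by label.
    A '*' is honoured only as the complete left-most label."""
    p = presented.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covered(host, cn, san_dns, cn_only=False):
    """True if a client would accept the certificate for `host`.
    SAN-aware rule (RFC 6125): if DNS SAN entries exist, only they count;
    the CN is a legacy fallback when there are none.
    cn_only=True is an ASSUMED client that never looks at the SAN."""
    if cn_only or not san_dns:
        names = [cn]
    else:
        names = san_dns
    return any(name_matches(n, host) for n in names)

def coverage_report(hosts, cert):
    """Map each hostname to its result under both client models."""
    cn, san_dns = cert
    return {
        h: {"san_aware": covered(h, cn, san_dns),
            "cn_only": covered(h, cn, san_dns, cn_only=True)}
        for h in hosts
    }

# Names taken from post #1; the tuples are (subject CN, DNS SAN entries).
CURRENT_CERT = ("my.domain", ["mx.my.domain", "my.domain", "imap.my.domain",
                              "mail.my.domain", "pop3.my.domain"])
REPLACEMENT_CERT = ("mail.my.domain", [])  # planned certificate without SAN
MAIL_HOSTS = CURRENT_CERT[1]               # hostnames clients might be configured with

if __name__ == "__main__":
    for label, cert in (("current", CURRENT_CERT), ("replacement", REPLACEMENT_CERT)):
        print(label)
        for host, result in coverage_report(MAIL_HOSTS, cert).items():
            print(f"  {host:16} san_aware={result['san_aware']} cn_only={result['cn_only']}")
```

Under these assumptions the replacement certificate is accepted only for mail.my.domain, so clients configured with any of the other four names need their server setting changed before the old certificate expires.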

