For Exchange this is going to increase the requirement for split DNS within organisations to ensure customers can use the same address for both the Internal and External URLs. However, there are examples which I can see as being a problem moving forward.
When setting up a Remote Desktop Gateway server (for RDP over HTTPS) you need two public certificates, or one certificate with multiple subject alternative names. One public certificate terminates the SSL endpoint of the RD Gateway server, such as "rdpgateway.example.com", and is enabled within Internet Information Services. The second certificate requires the internal name of the Remote Desktop Session Hosts or Terminal Servers, such as "terminalserver01.domain.local", to ensure the RDP traffic is digitally signed. This server certificate needs to be installed on the terminal server(s) themselves, with the name matching the internal FQDN of the server(s). Most companies do not install digital certificates to sign RDP traffic; instead they leave the default self-signed certificate on the servers (which does not show up in the local MMC certificates store). This is why you always see the following warning when initiating remote desktop to a server:
Now we could use an internal certificate authority to issue the certificates for our RD Session Hosts; however, this would require all computers that access the RD farm to be members of the Active Directory domain so that they trust the internal certificate authority. What if users connect from machines that are not members of the Active Directory domain? One of my clients develops an application and sells it by presenting it to clients as a RemoteApp, meaning computers all over the world launch this application. Without a public certificate containing internal names, my customers would receive warnings that the RDP traffic is untrusted.
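Before deciding whether a session host needs a CA-issued certificate, it helps to see which certificate the RDP listener actually presents and whether its name matches the host's internal FQDN. The script below is an added example, not code from the original post; it assumes local administrator rights on a Windows Server session host with the default RDP-Tcp listener, and the Set function assumes the replacement certificate has already been imported into the machine's Personal store with its private key.

```powershell
# Added example (not from the original post). Assumes local admin rights on a
# Session Host with the default 'RDP-Tcp' listener.

function Get-RdpListenerCertificate {
    # The RDP listener records the SHA-1 thumbprint of its certificate in WMI.
    $ts = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $thumb = $ts.SSLCertificateSHA1Hash

    # The default self-signed certificate is kept in the 'Remote Desktop' store,
    # not in Personal (My), so search both.
    $cert = Get-ChildItem 'Cert:\LocalMachine\Remote Desktop', 'Cert:\LocalMachine\My' `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $thumb } | Select-Object -First 1

    # Every DNS name the certificate is valid for: subject CN plus SAN entries.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }

    # A client connecting to the internal FQDN only trusts the certificate if that
    # name (or a matching wildcard) is on it and the issuer is in its trust store.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $nameMatch = $names | Where-Object { $fqdn -like $_ }

    [pscustomobject]@{
        Thumbprint      = $thumb
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        SelfSigned      = ($cert.Subject -eq $cert.Issuer)  # the default RDP certificate
        NamesOnCert     = $names -join ', '
        HostFqdn        = $fqdn
        NameMatchesHost = [bool]$nameMatch
        ExpiresOn       = $cert.NotAfter
    }
}

function Set-RdpListenerCertificate {
    # Bind a CA-issued certificate (already in LocalMachine\My with its private key,
    # readable by NETWORK SERVICE) to the RDP listener by thumbprint.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $path = (Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
        -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").__PATH
    Set-WmiInstance -Path $path -Argument @{ SSLCertificateSHA1Hash = $Thumbprint } | Out-Null
}

Get-RdpListenerCertificate | Format-List
```

A result with SelfSigned set to True, or NameMatchesHost set to False, is exactly the case that produces the warning described above for any client that is not a domain member.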
I spoke to a representative from DigiCert about this today, and I ran this example past him. The advice he presented to me was to rename the Active Directory forest to "local.example.com" to ensure the domain ended with a dot com. I do not see this as practical, especially for large Active Directory domains which consist of thousands of users.
I wonder what other headaches these changes to the certificate standard will present for IT professionals around the world.
Please feel free to leave your comments on the matter.