andrew_transparent
asked on
How many SSL certificates required for hosting exchange 2010
Hi,
I'm looking to purchase a 3rd party SSL certificate to install for a hosted exchange environment
I know that 1 will definitely be needed in having users visit the website for OWA (so people will not have to see that nagging web page warning) or provisioning their email clients for RPC/HTTP
for example: mail.mydomain.com
We're looking to also enable the autodiscover service and will another SSL cert be necessary for autodiscover.mydomain.com?
I understand we will need any client domains to have an autodiscover CNAME pointed to our autodiscover record
We will have users internal and external to the domain accessing email from owa or outlook
Currently have 2 servers:
1 exchange server 2010 on win 2008 r2
1 win 2008 r2 domain controller
I see that Godaddy has a multiple domain UCC available for purchase
If multiple domain SSL cert is necessary, is it ideal to have all the names in one?
- mail.mydomain.com
- autodiscover.mydomain.com
- servername
- servername.mydomain.local
Thanks,
You can only install 1 certificate so you will need to add autodiscover and OWA ones for each domain to the same certificate.
ASKER
Would any of the internal domain names, servername be required to be added to the same certificate?
One SAN certificate is enough and the names you have stated are correct
since your active directory domain is different than your internet domain you need to have both the internal domain name and the internet domain name so
- mail.mydomain.com
- autodiscover.mydomain.com
- servername.mydomain.local
>>Would any of the internal domain names, servername be required to be added to the same certificate?
Yes the internal ones would also be required. Along with the OWA and Autodiscover URL's for each domain.
For hosting I wouldn't use SAN certs. Take one commercial cert for all, that's enough. I think that makes a professional impression!
jochen_bu > if the customer will want to utilise the RPC/HTTPS of Exchange 2010 then there is no choice to add an autodiscover record for EVERY domain being hosted, Outlook will look for autodiscover.domainname.com where the domainname.com part is the bit after the @ in the email address of the account that has been configured.
if this is not present then Outlook will give a certificate error and also fail to download the GAL associated with that user.
With regards to OWA yes use a single URL but if you have customers PAYING for a service they normally want their own domain name to be used for the connection to OWA, why? because anything else will confuse their own users.
@jochen_bu a SAN certificate is a certificate with multiple names in it, it has nothing to do with the fact of it being commercial or not
ASKER
Thanks for all the info. What about the client side domain name? If we already purchase a certificate with our domains:
autodiscover.mydomain.com
mail.mydomain.com
I would assume a CNAME record would need to be created for the customer side domain DNS pointed to our domain?
autodiscover.customerdomain.com = autodiscover.mydomain.com
Would this cause any certificate warnings when setting up an outlook client trying to connect RPC/HTTP?
Does the client side's autodiscover record need to be inputted somewhere?
You will need to ensure autodiscover.customerdomain.com is in the SAN certificate as I mentioned previously.
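The name check discussed in this exchange, as an added example that is not part of the original thread: a CNAME only changes where the connection lands, while the client still validates the certificate against the name it asked for, so every `autodiscover.<domain after the @>` has to be covered by the SAN list. The function names and the sample mailboxes and SAN list are constructed for illustration, and only the `autodiscover.<domain>` lookup described in the thread is modelled.

```python
# Added example: constructed names only; no real certificate or DNS lookup is involved.

def san_matches(host, san):
    """True if DNS name `host` is covered by SAN entry `san`.
    A leading '*.' covers exactly one left-most label, as TLS clients apply it."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == san[2:]
    return host == san

def expected_names(mailboxes, owa_host, internal_names=()):
    """Names clients will validate: the OWA host, internal server names, and
    autodiscover.<domain> for every domain after the @ (per the thread)."""
    names = [owa_host, *internal_names]
    for addr in mailboxes:
        domain = addr.rsplit("@", 1)[1].lower()
        candidate = "autodiscover." + domain
        if candidate not in names:
            names.append(candidate)
    return names

def missing_from_cert(names, cert_sans):
    """Names that would raise a certificate warning with this SAN list."""
    return [n for n in names if not any(san_matches(n, s) for s in cert_sans)]

# Constructed sample data using the thread's placeholder names.
CERT_SANS = ["mail.mydomain.com", "autodiscover.mydomain.com",
             "servername.mydomain.local"]
MAILBOXES = ["alice@mydomain.com", "bob@customerdomain.com",
             "carol@customerdomain.com"]

def demo():
    names = expected_names(MAILBOXES, "mail.mydomain.com",
                           ["servername.mydomain.local"])
    return missing_from_cert(names, CERT_SANS)

if __name__ == "__main__":
    for name in demo():
        print("not covered by certificate:", name)
```

Running the same check against the SAN list of a reissued certificate, before it is installed, shows whether a newly added customer domain is covered.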
ASKER
How do we add future customer domains to the SAN certificate if it is already purchased?
ASKER
Is this how all hosting providers set up their backend for customer domains? End users will then be able to see the complete list of customers that is being provisioned by looking at the certificate's subject alternate name in the details.
This may be a problem if some customers have that knowledge to find it...
No this is not how ALL hosting providers do it.
This is how people that are using Exchange instead of the proper Microsoft Hosting Solution do it.
Myself included in that bracket, and at least one other EE Exchange expert that I know of. Alternatively you tell your customers to ignore the certificate error.
ASKER
thanks for the help!
Demazter
No this is not how ALL hosting providers do it.
This is how people that are using Exchange instead of the proper Microsoft Hosting Solution do it.
What IS the proper Microsoft Hosting Solution if not Exchange server?
demazter,
If I purchase a UCC from GoDaddy will this work in the hosted environment?
Is there a whitepaper on how the MS Hosted Exchange is to be configured with SSL?