
How many SSL certificates required for hosting Exchange 2010

andrew_transparent
Hi,
I'm looking to purchase a 3rd party SSL certificate to install for a hosted Exchange environment.
I know that one will definitely be needed for having users visit the website for OWA (so people will not have to see that nagging web page warning) or for provisioning their email clients for RPC/HTTP,
for example: mail.mydomain.com
We're also looking to enable the autodiscover service; will another SSL cert be necessary for autodiscover.mydomain.com?

I understand we will need any client domains to have an autodiscover CNAME pointed to our autodiscover record.

We will have users internal and external to the domain accessing email from OWA or Outlook.
Currently we have 2 servers:
1 Exchange Server 2010 on Windows 2008 R2
1 Windows 2008 R2 domain controller

I see that GoDaddy has a multiple domain UCC available for purchase.

If multiple domain SSL cert is necessary, is it ideal to have all the names in one?
- mail.mydomain.com
- autodiscover.mydomain.com
- servername
- servername.mydomain.local

Thanks,

Awarded 2009
Top Expert 2010

Commented:
You can only install 1 certificate so you will need to add autodiscover and OWA ones for each domain to the same certificate.

Author

Commented:
Would any of the internal domain names (servername) be required to be added to the same certificate?

Akhater, Solutions Architect

Commented:
One SAN certificate is enough, and the names you have stated are correct.

Since your Active Directory domain is different from your internet domain, you need to have both the internal domain name and the internet domain name, so:

- mail.mydomain.com
- autodiscover.mydomain.com
- servername.mydomain.local

Awarded 2009
Top Expert 2010

Commented:
>>Would any of the internal domain names, servername be required to be added to the same certificate?

Yes, the internal ones would also be required, along with the OWA and Autodiscover URLs for each domain.

For hosting I wouldn't use SAN certs. Take one commercial cert for all, that's enough. I think that
makes a professional impression!
Awarded 2009
Top Expert 2010

Commented:
jochen_bu > If the customer will want to utilise the RPC/HTTPS of Exchange 2010, then there is no choice but to add an autodiscover record for EVERY domain being hosted; Outlook will look for autodiscover.domainname.com, where the domainname.com part is the bit after the @ in the email address of the account that has been configured.

If this is not present, then Outlook will give a certificate error and also fail to download the GAL associated with that user.

With regards to OWA, yes, use a single URL, but if you have customers PAYING for a service they normally want their own domain name to be used for the connection to OWA. Why? Because anything else will confuse their own users.

Akhater, Solutions Architect

Commented:
@jochen_bu a SAN certificate is a certificate with multiple names in it; it has nothing to do with whether it is commercial or not.

Author

Commented:
Thanks for all the info.  What about the client side domain name? If we already purchase a certificate with our domains:
autodiscover.mydomain.com
mail.mydomain.com

I would assume a CNAME record would need to be created for the customer side domain DNS pointed to our domain?
autodiscover.customerdomain.com = autodiscover.mydomain.com

Would this cause any certificate warnings when setting up an outlook client trying to connect RPC/HTTP?

Does the client side's autodiscover record need to be entered somewhere?
Awarded 2009
Top Expert 2010

Commented:
You will need to ensure autodiscover.customerdomain.com is in the SAN certificate as I mentioned previously.

Author

Commented:
How do we add future customer domains to the SAN certificate if it is already purchased?
Awarded 2009
Top Expert 2010

Commented:
You will need to purchase an SSL certificate with enough domain names for expansion (autodiscover URL and possibly the OWA URL?); then you can add SAN names to the certificate and re-issue.

Author

Commented:
Is this how all hosting providers set up their backend for customer domains? End users will then be able to see the complete list of customers being provisioned by looking at the certificate's subject alternative name in the details.
This may be a problem if some customers have that knowledge to find it...
Awarded 2009
Top Expert 2010

Commented:
No this is not how ALL hosting providers do it.
This is how people that are using Exchange instead of the proper Microsoft Hosting Solution do it.

Myself included in that bracket, and at least one other EE Exchange expert that I know of.  Alternatively you tell your customers to ignore the certificate error.
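The two points the experts make above, that Outlook asks for autodiscover.<the part after the @> for every hosted domain so each such name must be in the SAN list, and that the SAN list then enumerates the hosted customers, can be checked with a small planning script. This is an added example, not code from the thread or from Exchange; the provider names (mail.mydomain.com, autodiscover.mydomain.com, servername.mydomain.local, customerdomain.com) come from the thread, and the other customer domains and the SAN list are constructed.

```python
# Added example (not from the thread): plan and check the SAN list for a hosted
# Exchange 2010 certificate, and show what that list reveals to anyone who reads it.
# Provider names are the ones from the thread; the customer domains are constructed.


def autodiscover_name(email_address: str) -> str:
    """Name Outlook looks up for an account: 'autodiscover.' + the part after '@'."""
    domain = email_address.rsplit("@", 1)[1].strip().lower()
    return f"autodiscover.{domain}"


def required_san_names(provider_names, mailbox_domains):
    """Every DNS name the certificate must carry: the provider's own service
    names plus autodiscover.<domain> for each hosted mailbox domain."""
    names = {n.lower() for n in provider_names}
    names.update(f"autodiscover.{d.lower()}" for d in mailbox_domains)
    return names


def san_matches(presented: str, san_entry: str) -> bool:
    """Hostname matching as TLS clients do it (RFC 6125 style): exact match,
    or a wildcard in the leftmost label only, covering exactly one label."""
    presented = presented.lower().rstrip(".")
    san_entry = san_entry.lower().rstrip(".")
    if presented == san_entry:
        return True
    if san_entry.startswith("*."):
        suffix = san_entry[1:]            # "*.mydomain.com" -> ".mydomain.com"
        if presented.endswith(suffix):
            leftmost = presented[: -len(suffix)]
            return leftmost != "" and "." not in leftmost
    return False


def missing_names(required, san_list):
    """Names for which a client will show a certificate warning."""
    return sorted(n for n in required
                  if not any(san_matches(n, e) for e in san_list))


def hosted_domains_visible(san_list):
    """What a customer sees in the certificate details: the autodiscover.*
    entries enumerate every hosted domain (the disclosure raised in the thread)."""
    return sorted(e.lower().split(".", 1)[1] for e in san_list
                  if e.lower().startswith("autodiscover."))


# Provider names from the thread.
PROVIDER_NAMES = ["mail.mydomain.com", "autodiscover.mydomain.com",
                  "servername.mydomain.local"]
# Constructed customer mailbox domains (customerdomain.com is the thread's example).
MAILBOX_DOMAINS = ["customerdomain.com", "othercustomer.example", "newcustomer.example"]
# Constructed SAN list of the certificate already bought; one customer signed up later.
SAN_LIST = ["mail.mydomain.com", "autodiscover.mydomain.com",
            "servername.mydomain.local", "autodiscover.customerdomain.com",
            "autodiscover.othercustomer.example"]

REQUIRED = required_san_names(PROVIDER_NAMES, MAILBOX_DOMAINS)
MISSING = missing_names(REQUIRED, SAN_LIST)

if __name__ == "__main__":
    print("Outlook will look up:", autodiscover_name("user@CustomerDomain.com"))
    print("Names not covered by the certificate:", MISSING)
    print("Hosted domains readable from the SAN list:", hosted_domains_visible(SAN_LIST))
    # A CNAME autodiscover.customerdomain.com -> autodiscover.mydomain.com changes
    # where the connection goes, not the name the client validates, so a wildcard
    # for the provider's domain does not cover the customer's name either:
    print(san_matches("autodiscover.customerdomain.com", "*.mydomain.com"))  # False
```

Running it lists autodiscover.newcustomer.example as uncovered, which is the re-issue case Demazter describes, and lists every hosted domain readable from the SAN entries, which is the disclosure andrew_transparent is worried about. Two caveats from today's perspective: the matching rules are the client's, so the CNAME the asker proposes does not remove the need for the customer's name in the certificate, and public CAs stopped issuing certificates for internal names such as servername.mydomain.local in 2015, so that name now has to come from an internal CA or be avoided by pointing the internal Exchange URLs at the public name.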

Author

Commented:
thanks for the help!

Commented:
>>Demazter
>>No this is not how ALL hosting providers do it.
>>This is how people that are using Exchange instead of the proper Microsoft Hosting Solution do it.

What IS the proper Microsoft Hosting Solution if not Exchange server?

Commented:
demazter,

If I purchase a UCC from GoDaddy, will this work in the hosted environment?
Is there a whitepaper on how the MS Hosted Exchange is to be configured with SSL?