
Exchange 2010 certificate confusion:  what names do I need?

Ok, I'm working on my migration to Exchange 2010.  I'm about to get started, but I am totally confused about certificates.  I'm pretty sure from my research that I need a SAN certificate, but I'm clueless as to what names to put on it.  Here's my setup:

external mail domain:  abc.com

two sites with a cas array in each one.

site a:

casarray:  moarray.abc.com

server1 netbios name:  momx01

server1 fqdn: momx01.abc.local

server2 netbios name:  momx02

server2 fqdn:  momx02.abc.local
site b:

casarray:  utarray.abc.com

server1 netbios name:  utmx01

server1 fqdn:  utmx01.abc.local

server2 netbios name:  utmx02

server2 fqdn: utmx02.abc.local
I want all external users to connect to the casarray at site a (will nat through firewall) for mail.abc.com, autodiscover.abc.com, legacy.abc.com.  I want all internal users at site a to connect to moarray.abc.com for all resources.  I want all internal users at site b to connect to utarray.abc.com for all resources.

Can this be accomplished?  If so, how many certificates do I need?  Do I need one per server?  Do I need one per array?  What names should be included on the certificate?
Thanks in advance for your help!
Commented:
For our certificate we have gone through digicert.com.  They have a UC SAN certificate that can be issued to as many servers as you want.  Once you figure out what entries you need to make, I suggest you use them for the certificate.
As long as site b is not internet facing, you can get a cert with the names mail.abc.com, autodiscover.abc.com, legacy.abc.com and be all set.

Author

Commented:
So I don't need to put my CAS array names or the individual servers' FQDN and NetBIOS names on the cert?
You cannot have an external CA generate a certificate for a domain with the root domain name of .local.

They cannot verify the ownership of that domain.

Commented:
With the DigiCert UC SAN you can put the NetBIOS name, internal FQDN, and even an IP address if you want to.  They can tell it is an internal name and they will approve the cert.  I have it on my cert running Exchange 2007 and it works great.
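Putting the answer above (one UC/SAN certificate carrying mail.abc.com, autodiscover.abc.com and legacy.abc.com for the Internet-facing site) into Exchange Management Shell form, as an added example that is not from any of the posters. It assumes the commands run on momx01, that the organisation details in the subject and the C:\certs paths are placeholders, and that the request is submitted to a public CA out of band.

```powershell
# Added example: request, import, verify and bind a single SAN certificate for site a,
# then copy it to the second array member. Names come from the thread; paths and the
# subject's O/C values are placeholders.
$sanNames = 'mail.abc.com', 'autodiscover.abc.com', 'legacy.abc.com'

# 1. Generate the CSR. The CN should be one of the SAN entries; the CAS array names
#    (moarray.abc.com / utarray.abc.com) are the Outlook RPC endpoint and are not
#    matched against the certificate, so they are deliberately not in -DomainName.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'c=US, o=ABC Company, cn=mail.abc.com' `
    -DomainName $sanNames `
    -PrivateKeyExportable $true `
    -KeySize 2048
Set-Content -Path 'C:\certs\mail_abc_com.req' -Value $csr -Encoding Ascii

# 2. After the CA returns the issued certificate, import it on the same server that
#    generated the request (that server holds the private key).
$issued = [byte[]](Get-Content -Path 'C:\certs\mail_abc_com.cer' -Encoding Byte -ReadCount 0)
$thumbprint = (Import-ExchangeCertificate -FileData $issued).Thumbprint

# 3. Verify the SAN list and expiry before binding any service to it.
Get-ExchangeCertificate -Thumbprint $thumbprint |
    Format-List Subject, CertificateDomains, NotAfter, Services

# 4. Bind it to IIS (OWA, ECP, EWS, OAB, Autodiscover, Outlook Anywhere) and SMTP TLS.
Enable-ExchangeCertificate -Thumbprint $thumbprint -Services 'IIS,SMTP'

# 5. Export with the private key and import on momx02 so both array members present
#    the same certificate. Delete the .pfx once it has been imported.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$pfx = Export-ExchangeCertificate -Thumbprint $thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path 'C:\certs\mail_abc_com.pfx' -Value $pfx.FileData -Encoding Byte
# On momx02:
#   $pfxBytes = [byte[]](Get-Content 'C:\certs\mail_abc_com.pfx' -Encoding Byte -ReadCount 0)
#   Import-ExchangeCertificate -FileData $pfxBytes -Password $pfxPassword
#   Enable-ExchangeCertificate -Thumbprint $thumbprint -Services 'IIS,SMTP'
```

Internal clients will only trust this certificate if the virtual directories' InternalUrl values and the AutoDiscoverServiceInternalUri point at a name that is on it (e.g. mail.abc.com via split DNS) rather than at the .local server FQDNs.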