SSL and Exchange 2010 best practices

I am installing exch 2010 into my already existing exch 2003 and 2007 infrastructure. I will have all 3 versions of exchange running concurrently till I eventually migrate to just 2010.
Im looking at some of the recommendations for SSL and certificate designs. I’m guessing the best method for use with services like:
•      Outlook Web App
•      Exchange Control Panel
•      Exchange Web Services
•      Exchange ActiveSync
•      Outlook Anywhere
•      Autodiscover
•      Outlook Address Book distribution
Is to use a Commercial CA. I see where in my scenario Microsoft recommends a certificate for Legacy.contoso.com, my existing name space : mail.contoso.com and autodiscover.contosco.com. Can I use a wildcard cert for this? Is it recommended or not?
Also, what kind of certs should I use for my exchange connectors? Self-signed, PKI or commercial?

Any ideas or advice is appreciated!
KratosDefenseAsked:
Who is Participating?
 
Justin DurrantConnect With a Mentor Sr. Engineer - Windows Server/VirtualizationCommented:
You need a SAN or UC certificate.  I recommend GoDaddy  or www.domainsforexchange.net

http://blog.sembee.co.uk/archive/2008/05/30/78.aspx

One of the most important aspects of a successful Exchange messaging deployment is how you configure your SSL certificates for securing client communication to your Exchange infrastructure. This is because all communication between Outlook clients and the Autodiscover service  endpoint, in addition to communication between the Outlook client and Exchange services, occurs over an SSL channel. For this communication to occur without failing, you must have a valid SSL certificate installed. For  a certificate to be considered valid, it must meet the following criteria:

- The client can follow the certificate chain up to the trusted root.
- The name matches the URL that the client is trying to communicate with.
- The certificate is current and has not expired.

Remember,  the cert request needs to be generated by Exchange using PowerShell.
 http://technet.microsoft.com/en-us/library/aa998327.aspx

When you get the response back from the CA, use the import-certificate command to process  and enable it for SMTP, IIS, etc.
http://technet.microsoft.com/en-us/library/bb124424.aspx
0
 
AkhaterConnect With a Mentor Commented:
>> Can I use a wildcard cert for this? Is it recommended or not?

yes you can use a wildcard certificate without any problems

>> Also, what kind of certs should I use for my exchange connectors? Self-signed, PKI or commercial?

for your webapp/activesync/outlook anywhere i would recommend a commercial one however an internal PKI would work just fine

for your connectors, if you mean by that your SMTP connectors, just keep the default self-sign there is no need to changed unless you are using smtp over tls
0
 
e_aravindCommented:
Exchange 2007 lessons learned - generating a certificate with a 3rd party CA
http://msexchangeteam.com/archive/2007/02/19/435472.aspx

Exchange 2007 Autodiscover and certificates
http://msexchangeteam.com/archive/2007/04/30/438249.aspx

Certificate Use in Exchange 2007 Server
http://technet.microsoft.com/en-us/library/bb851505(EXCHG.80).aspx
0
 
DEFclubCommented:
agree
0
 
Alan HardistyCo-OwnerCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.