Link to home
Start Free TrialLog in
Avatar of BSModlin
BSModlinFlag for United States of America

asked on

Exchange SSL Cert for Outlook Security Alert

I currently have 1 Exchange 2007 server and 50 Outlook 2003 clients.  I will be upgrading the Outlook clients to 2010.  I would like to purchase an SSL cert for the server.  Here is my question:

The exchange server hosts 3 different Accepted Domains... XYZ.COM, ABC.COM, and EFG.LOCAL......

What do I need to do to get rid of the Outlook security Alert within the network when Outlook is launched, along with securing the 2 external domains when accessing OWA?

Do I need to purchase multiple certs? and if so, can more than one cert be installed on the same exchange server and all be active?
Avatar of Joseph Moody
Joseph Moody
Flag of United States of America image

You can actually export the mail certificate and distribute it through group policy. Once it is trusted, you shouldn't get that error.

Can't answer the other two questions though.
Avatar of BSModlin


Can you provide a walk thru to do this via GPO?

For the cost of a commercial 3rd party SSL certificate (under $100), I would consider pursuing that option rather than distributing a self-signed certificate internally. Using self-signed certificates has implications when users log on remotely from other computers -- for one thing, you have to teach them to bypass a warning message in their browser which is there for a very good reason, and this puts users into bad habits.

GoDaddy sell trusted certificates by all major browsers for reasonable prices. You will need to buy one multi-name certificate (a Subject Alternate Name or Unified Communications certificate).

The names you must include depend entirely on how users for each network access your Exchange Server. My initial suggestions would be:

You definitely need the two autodiscover entries for your public .com domains, because users will look for those records when Outlook performs autodiscovery on their email address from non-domain computers.

If your users can log in to OWA either via or, then you definitely need to include those names.

servername is the NetBIOS name of your Exchange Server and servername.EFG.local its internal FQDN. Not strictly required, but MUCH easier to include unless you are confident with DNS, configuring split DNS and adjusting your Exchange virtual directories so as not to reference the internal URL.

If you have the money, go with Matt's suggestion. You will be thankful in the long run (especially if you ever introduce mobile devices).

If that is not an option, I can give you instructions.
But I thought with Multi-names Certs you could only have multiple SUBDOMAIN names within the same domain..... Is that not the case?
Avatar of tigermatt
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial