
Exchange 2010 - Certificates

Hi,
If we have the following domains:
company.local
company.co.uk

Exchange 2010 SP1 installed at 2 sites with the following roles at each site:

1. CAS
2. HUB
3. UM
4. MAILBOX


So, if we request a certificate with the following SAN names:

1. Email01.company.local
2. Email02.company.local
3. autodiscover.company.co.uk
4. mail.company.co.uk
5. company.co.uk

Will this be sufficient? And will the certificate need to be applied to both CAS servers?

OR

Is it possible to use a wildcard certificate even though we have 2 domain names for internal and external?

company.local
company.co.uk


Many thanks
Asked by badabing1

1 Solution
 
Radweld commented:
Where is the endpoint for mail.company.co.uk and autodiscover? There is technically no limit to the number of alternative names you can have on your certificate; however, you pay extra for each one, as usually you're allowed 4 entries. If mail.company.co.uk is available internally then you don't even need to specify the .local addresses; you only need autodiscover and the mail.company.co.uk address. Internal certificates can be issued from an internal PKI, but this does require auto-enrolment to be enabled by group policy to ensure certificates are also pushed to your clients.

The DNS record for mail.company.co.uk should point to your firewall or reverse proxy, which in turn directs traffic on 443 to your CAS server; if you have multiple CAS servers in a site then this would be the CasArray. In a DR scenario where the primary site goes dark, you would update the DNS record to redirect to the second site (could take up to 48 hours though).
0
 
badabing1 (Author) commented:
Thanks for your response.

Can someone please clarify the following:

 - Is it possible to have company.local and company.co.uk as a wildcard name in ONE SSL certificate?
0
 
Radweld commented:
No, because a wildcard is *.domain, so this would be either company.co.uk or .local but not both.
0
 
Akhater commented:
You cannot have alternate names in a wildcard certificate, and you do NOT need the server names in your SAN; technically you would need only

autodiscover.company.co.uk
mail.company.co.uk


If you want to be reachable from inside on the .local then you can add mail.domain.local also.
0
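To check the two answers above (the SAN list versus a single wildcard) against the names the question needs, here is a small hostname-matching checker added to this thread; it is example code, not anything from the posters or from Exchange. It applies the matching rules browsers and Outlook use (RFC 6125 style): case-insensitive comparison, a wildcard only as the whole leftmost label, and a wildcard standing for exactly one label. The hostnames are constructed from the thread, not real hosts.

```python
"""Which required hostnames does a certificate's SAN list actually cover?

Rules applied (RFC 6125 style, as browsers and Outlook do):
  - comparison is case-insensitive
  - a wildcard is allowed only as the whole leftmost label ("*.company.co.uk")
  - a wildcard matches exactly one label, so "*.company.co.uk" covers
    mail.company.co.uk but not the bare company.co.uk, not a.b.company.co.uk,
    and never anything under a different domain such as company.local
Example added to the thread; names below are constructed, not real hosts.
"""
from __future__ import annotations


def name_matches(hostname: str, san: str) -> bool:
    """True if the single SAN entry `san` covers `hostname`."""
    host = hostname.lower().rstrip(".")
    pattern = san.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    # Only "*.<two or more labels>" is an acceptable wildcard form;
    # "*.local" or "mail.*.local" are rejected outright.
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep or tail.count(".") < 1 or "*" in tail:
        return False
    h_head, h_sep, h_tail = host.partition(".")
    # Exactly one label replaces the "*"; the remainder must be identical.
    return bool(h_head and h_sep and h_tail == tail)


def uncovered(required: list[str], cert_names: list[str]) -> list[str]:
    """Return the required hostnames that no name on the certificate covers."""
    return [h for h in required
            if not any(name_matches(h, san) for san in cert_names)]


# The names the question says clients will use (constructed).
REQUIRED = ["Email01.company.local", "Email02.company.local",
            "autodiscover.company.co.uk", "mail.company.co.uk", "company.co.uk"]

# Option 1: the UC/SAN certificate proposed in the question.
SAN_CERT = list(REQUIRED)

# Option 2: one wildcard for the public domain only.
# (Public CAs no longer issue for non-public suffixes such as .local anyway,
#  so those names would come from an internal PKI, as Radweld notes.)
WILDCARD_CERT = ["*.company.co.uk"]

if __name__ == "__main__":
    for label, names in (("SAN cert", SAN_CERT), ("wildcard", WILDCARD_CERT)):
        missing = uncovered(REQUIRED, names)
        print(f"{label}: " + ("covers all" if not missing else "missing " + ", ".join(missing)))
```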
 
amnhtech commented:
We found that the only way it worked properly for us is to get a UC cert and list the following as the Subject Alternative Names. When we tried to use wildcard certs we kept getting errors when trying to connect via OWA through TMG.

CAS01.companyname.com
CAS02.CompanyName.com
CAS01.internal.companyname.com
CAS02.internal.CompanyName.com
owaaddress.internal.companyname.com
owaaddress.companyname.com
autodiscover.companyname.com
autodiscover.internal.companyname.com
casarray.companyname.com
casarray.internal.companyname.com
TMG01.companyname.com
TMG02.companyname.com


0
 
badabing1 (Author) commented:
Thanks
0
