Exchange 2010 - Certificates

Hi,
If we have the following:
company.local
company.co.uk

Exchange 2010 SP1 installed at 2 sites with the following roles at each site:

1.      CAS
2.      HUB
3.      UM
4.      MAILBOX


So, if we request a certificate with the following SAN names

1.      Email01.company.local
2.      Email02.company.local
3.      autodiscover.company.co.uk
4.      mail.company.co.uk
5.      company.co.uk

Will this be sufficient? And will the certificate need to be applied to both CAS servers?

OR

Is it possible to use a Wild card certificate even though we have 2 domain names for internal and external?

company.local
company.co.uk


Many thanks
badabing1 Asked:
Radweld Commented:
Where is the end point for mail.company.co.uk and autodiscover? There is technically no limit to the number of alternative names you can have on your certificate; however, you pay extra for each one, as usually you're allowed 4 entries. If mail.company.co.uk is available internally then you don't even need to specify the .local addresses; you only need autodiscover and the mail.company.co.uk address. Internal certificates can be issued from an internal PKI, but this does require auto-enrolment to be enabled by group policy to ensure certificates are also pushed to your clients.

The DNS record for mail.company.co.uk should point to your firewall or reverse proxy, which in turn directs traffic on 443 to your CAS server; if you have multiple CAS servers in a site then this would be the CasArray. In a DR scenario where the primary site goes dark, you would update the DNS record to redirect to the second site (could take up to 48 hours though).
badabing1 (Author) Commented:
Thanks for your response.

Can someone please clarify the following:

 - Is it possible to have company.local and company.co.uk as a wild card name in ONE SSL Certificate
Radweld Commented:
No, because a wildcard is *.domain, so this would be either *.company.co.uk or *.company.local, but not both.
Akhater Commented:
You cannot have alternate names in a wildcard certificate, and you do NOT need the server names in your SAN. Technically you would need only:

autodiscover.company.co.uk
mail.company.co.uk

If you want to be reachable from inside on the .local then you can add mail.domain.local also.
amnhtech Commented:
We found that the only way it worked properly for us is to get a UC cert and list the following as the Subject Alternative Names. When we tried to use wildcard certs we kept getting errors when trying to connect via OWA through TMG.

CAS01.companyname.com
CAS02.CompanyName.com
CAS01.internal.companyname.com
CAS02.internal.CompanyName.com
owaaddress.internal.companyname.com
owaaddress.companyname.com
autodiscover.companyname.com
autodiscover.internal.companyname.com
casarray.companyname.com
casarray.internal.companyname.com
TMG01.companyname.com
TMG02.companyname.com


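As an added illustration (not code from this thread, from Exchange, or from any of the commenters), here is a small Python check of which hostnames a list of DNS SAN entries, or a single wildcard entry, actually covers. It applies the matching rules browsers and Outlook use to the five names in the question, to the wildcard alternative asked about, and to the mixed one-label and two-label ("internal.") names in the UC certificate list above. The hostname lists are constructed from the thread rather than read from a real certificate; an X.509 parser would hand you the same kind of list of DNS names.

```python
"""Check which hostnames a certificate's DNS SAN entries actually cover.

Matching follows the rules browsers and Outlook apply (RFC 6125 style):
  - comparison is case-insensitive and ignores a trailing dot;
  - a wildcard is honoured only as the whole left-most label ("*.company.co.uk");
  - "*" stands for exactly one label, so "*.company.co.uk" covers
    "mail.company.co.uk" but neither the apex "company.co.uk" nor the
    two-label "cas01.internal.company.co.uk";
  - a wildcard never crosses into another domain, so "*.company.co.uk"
    cannot cover "email01.company.local".
The hostname lists below are constructed from the thread, not read from a real
certificate.
"""

from typing import Iterable, List


def _labels(name: str) -> List[str]:
    """Normalise a DNS name into lower-case labels for comparison."""
    return name.strip().rstrip(".").lower().split(".")


def san_entry_matches(entry: str, hostname: str) -> bool:
    """True if a single DNS SAN entry (literal or wildcard) covers hostname."""
    e, h = _labels(entry), _labels(hostname)
    if "*" not in entry:
        return e == h
    # Only a bare "*" as the entire left-most label is a valid wildcard;
    # "mail*.example", "*.*.example" and a top-level "*.uk" are rejected.
    if e[0] != "*" or len(e) < 3 or any("*" in lab for lab in e[1:]):
        return False
    # The wildcard consumes exactly one label; everything to its right is literal.
    return len(h) == len(e) and h[1:] == e[1:]


def covered(san_entries: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry covers the hostname."""
    return any(san_entry_matches(e, hostname) for e in san_entries)


def uncovered(san_entries: Iterable[str], required: Iterable[str]) -> List[str]:
    """Return the required names no SAN entry covers (empty list = sufficient)."""
    entries = list(san_entries)
    return [h for h in required if not covered(entries, h)]


# Constructed from the question: the proposed SAN list and the names it must serve.
QUESTION_SAN = [
    "Email01.company.local",
    "Email02.company.local",
    "autodiscover.company.co.uk",
    "mail.company.co.uk",
    "company.co.uk",
]
REQUIRED_NAMES = [
    "email01.company.local",
    "email02.company.local",
    "autodiscover.company.co.uk",
    "mail.company.co.uk",
    "company.co.uk",
]

# The wildcard alternative asked about.
WILDCARD_ONLY = ["*.company.co.uk"]

# Constructed from the UC-certificate list in the comment above: one-label and
# two-label (".internal.") names behind the same public domain.
TMG_SITE_NAMES = [
    "CAS01.companyname.com",
    "CAS01.internal.companyname.com",
    "owaaddress.companyname.com",
    "owaaddress.internal.companyname.com",
    "autodiscover.companyname.com",
    "autodiscover.internal.companyname.com",
]


if __name__ == "__main__":
    print("question SAN list, missing:", uncovered(QUESTION_SAN, REQUIRED_NAMES))
    print("*.company.co.uk only, missing:", uncovered(WILDCARD_ONLY, REQUIRED_NAMES))
    print("*.companyname.com only, missing:",
          uncovered(["*.companyname.com"], TMG_SITE_NAMES))
```

Run as a script, the first check comes back empty (the question's five-name SAN list covers every name it lists), the wildcard check reports both .local names and the bare company.co.uk as uncovered, and the third check shows that a single *.companyname.com entry leaves every .internal.companyname.com name uncovered, because the wildcard stands for exactly one label. On the Exchange side (a note added here, not part of the thread), the list that survives this check is what goes into the -DomainName parameter of New-ExchangeCertificate -GenerateRequest; the issued certificate is then imported and bound with Enable-ExchangeCertificate -Services IIS on each CAS separately, each server presenting its own copy, so the private key must be exportable if one certificate is to be shared between the two servers.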
badabing1 (Author) Commented:
Thanks