Exchange 2010 - Certificates

Posted on 2011-10-03
Last Modified: 2012-05-12
If we have the following:

Exchange 2010 SP1 installed at 2 sites with the following roles at each site:

1. CAS
2. HUB
3. UM
4. MAILBOX

So, if we request a certificate with the following SAN names


Will this be sufficient? And will the certificate need to be applied to both CAS servers?


Is it possible to use a wildcard certificate even though we have 2 domain names for internal and external?


Many thanks
Question by: badabing1

    Expert Comment

    Where is the end point for and autodiscover? There is technically no limit to the number of alternative names you can have on your certificate; however, you pay extra for each one, as usually you're allowed 4 entries. If is available internally then you don't even need to specify the .local addresses. You only need autodiscover and the address. Internal certificates can be issued from an internal PKI, but this does require auto-enrolment to be enabled by group policy to ensure certificates are also pushed to your clients.

    The DNS record for should point to your firewall or reverse proxy, which in turn directs traffic on 443 to your CAS server; if you have multiple CAS servers in a site then this would be the CasArray. In a DR scenario where the primary site goes dark, you would update the DNS record to redirect to the second site (could take up to 48 hours though).

    Author Comment

    Thanks for your response.

    Can someone please clarify the following:

     - Is it possible to have company.local and as a wildcard name in ONE SSL Certificate

    Accepted Solution

    No, because a wildcard is *.domain, so this would be either or .local but not both.

    Expert Comment

    You cannot have alternate names in a wildcard certificate,
     and you do NOT need the server names in your SAN; technically you would need only

    If you want to be reachable from inside on the .local then you can add mail.domain.local also.

    Expert Comment

    We found that the only way it worked properly for us was to get a UC cert and list the following as the Subject Alternate Names. When we tried to use wildcard certs we kept getting errors when trying to connect via OWA through TMG.
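As an added example (not code from the thread or from Exchange), the hostname-matching rule that clients such as Outlook and browsers apply, showing why a single wildcard only covers one domain while a UC/SAN certificate can list both the external and the .local names. All hostnames below are constructed placeholders.

```python
"""Which hostnames does a certificate's name list actually cover?

A wildcard "*.company.com" covers exactly one left-most label under
company.com and nothing else, so it can never reach mail.company.local.
A UC/SAN certificate simply enumerates every name that must be covered.
"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate DNS name covers the given hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if cert_labels[0] == "*":
        # Wildcard: '*' stands for exactly one label and every remaining
        # label must match, so *.company.com does not cover company.com
        # itself, a.b.company.com, or any name in a different domain.
        return (len(cert_labels) == len(host_labels)
                and cert_labels[1:] == host_labels[1:])
    return cert_labels == host_labels


def coverage(cert_names, hostnames):
    """Map each hostname to whether any name on the certificate covers it."""
    return {h: any(name_matches(n, h) for n in cert_names) for h in hostnames}


def uncovered(cert_names, hostnames):
    """Hostnames that would produce a name-mismatch error with this cert."""
    return sorted(h for h, ok in coverage(cert_names, hostnames).items() if not ok)


# Constructed names modelled on the thread: one external domain, one
# internal .local domain, and a CAS in each site.
HOSTS = ["mail.company.com", "autodiscover.company.com",
         "mail.company.local", "cas01.company.local"]

WILDCARD_CERT = ["*.company.com"]
UC_CERT = ["mail.company.com", "autodiscover.company.com", "mail.company.local"]

if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD_CERT), ("UC/SAN", UC_CERT)):
        print(f"{label}: not covered -> {uncovered(names, HOSTS)}")
```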


    Author Closing Comment

