
SSL Cert for multiple CAS

Chuck Cobern asked
Last Modified: 2012-08-20
I am upgrading an Exchange 2003 environment to 2010. What I currently have is:

2 CAS/HT Servers - HUBCAS-01.domain.local; HUBAS-02.domain.local
1 Mailbox Server - MBX-01.domain.local

I have created a CAS array by using  New-ClientAccessArray -Fqdn "outlook.domain.local" -Site "Default Site". I have also created a DNS A record that points to a VIP of a hardware load balancer we will be installing.

From HUBCAS-01, I issued a cert request using:

Set-Content -path ".\webmail_company_com.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=TX, l=Austin, o=Company Inc., cn=webmail.company.com" -DomainName autodiscover.company.com -PrivateKeyExportable $True)

After downloading my certificate, I logged into HUBCAS-01, went into MMC and imported the intermediate certificate, and then from EMC, right-clicked the certificate and selected "Complete Pending Request" and selected my new certificate. I then assigned SMTP and IIS services to the certificate.

My question is, how do I get that same certificate into HUBCAS-02, since I did not generate that certificate from that server? And how does that work with the CAS Array?

Jim Millard, Senior Solution Engineer

On the server from which you generated the cert, you must export the cert including the private key. Once you have that file, it can be imported into the private machine store on the second machine.


Would using the example at the bottom of this article be the correct way?

Jim Millard, Senior Solution Engineer

That looks like a valid PS method.
My friend, you've issued the wrong cmdlet.

Here is what you wrote, and mentioned below is the corrected entry:

Set-Content -path ".\webmail_company_com.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=TX, l=Austin, o=Company Inc., cn=webmail.company.com" -DomainName autodiscover.company.com -PrivateKeyExportable $True)

Set-Content -path ".\webmail_company_com.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=TX, l=Austin, o=Company Inc., cn=webmail.company.com" -DomainName autodiscover.company.com, webmail.company.com, CAS NETBIOS NAME, CAS FQDN -PrivateKeyExportable $True)

Understand that if you do not add these names to the cert, you would receive a security alert while working in OL, because your server name is essential along with your webmail FQDN.

Importing and Enabling the SAN SSL certificate on the Second Client Access Server in the NLB Cluster

To import the SAN certificate on the second Client Access server in the NLB cluster, we first need to export it from the first Client Access server. When doing so, we need to make sure we export the certificate with its private key. This is done by opening the Certificates snap-in. To open the Certificates snap-in, click Start > Run and type mmc.exe to first open an empty MMC window. Now click File > Add/Remove Snap-in > Add > Select Certificates > Click Add > Select Computer Account > Click Next > Finish > Close and finally OK. Expand Certificates (Local Computer) > Personal, then right-click on the certificate that should be exported. On the context menu that appears, select All Tasks
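The export/import described by both answers above can be done entirely from the Exchange Management Shell instead of the MMC snap-in. This is an added example, not code from the thread; it assumes the PFX path, the password prompt and that the certificate on HUBCAS-01 was requested with -PrivateKeyExportable $True as in the question.

```powershell
# Added example (not from the thread): copy the SAN certificate, with its private key,
# from the CAS where the request was completed (HUBCAS-01) to the second CAS (HUBCAS-02),
# enable it for IIS and SMTP there, and confirm the client-facing names are in the SAN list.
# Run from the Exchange Management Shell on HUBCAS-01. $PfxPath is an assumed location.

$SourceCas   = "HUBCAS-01"
$TargetCas   = "HUBCAS-02"
$PfxPath     = "C:\Certs\webmail_company_com.pfx"   # assumption; the file holds the private key
$PfxPassword = Read-Host "PFX password" -AsSecureString

# Locate the certificate by subject instead of pasting a thumbprint by hand
$cert = Get-ExchangeCertificate -Server $SourceCas |
        Where-Object { $_.Subject -like "*CN=webmail.company.com*" -and $_.PrivateKeyExportable } |
        Select-Object -First 1
if (-not $cert) { throw "No exportable certificate for webmail.company.com found on $SourceCas" }

# 1. Export as binary PKCS#12 including the private key; the password protects the key at rest
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $PfxPassword
Set-Content -Path $PfxPath -Value $export.FileData -Encoding Byte

# 2. Import into the second CAS's machine store (the Server parameter targets HUBCAS-02)
$imported = Import-ExchangeCertificate -Server $TargetCas -Password $PfxPassword -PrivateKeyExportable $true `
            -FileData ([Byte[]]$(Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0))

# 3. Bind it to the same services that were assigned on the first CAS
Enable-ExchangeCertificate -Server $TargetCas -Thumbprint $imported.Thumbprint -Services "IIS,SMTP"

# 4. Verify on both servers that every name clients connect to is present in the SAN list.
#    Extend $RequiredNames with whatever else you put in the request (array FQDN, server names).
$RequiredNames = @("webmail.company.com", "autodiscover.company.com")
foreach ($srv in $SourceCas, $TargetCas) {
    $c = Get-ExchangeCertificate -Server $srv -Thumbprint $cert.Thumbprint
    $sans = $c.CertificateDomains | ForEach-Object { "$_" }
    $missing = $RequiredNames | Where-Object { $sans -notcontains $_ }
    if ($missing) { Write-Warning "$srv is missing SAN entries: $($missing -join ', ')" }
    else { Write-Host "$srv : $($c.Thumbprint) covers $($RequiredNames -join ', '); services: $($c.Services)" }
}

# The PFX contains the private key: remove it once both servers hold the certificate
Remove-Item $PfxPath -Force
```

If the warning fires for any name, the request has to be regenerated with the missing -DomainName entries, as the answer above says; importing the same PFX again will not add names.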



Thank You Exchange_Geek. By CAS Netbios name and CAS Fqdn, would you mean of the two CAS servers or of the CAS array (outlook.domain.com), or both?

I'm assuming at this point, I would need to revoke that certificate and then regenerate it with all the proper SANs, import it into the first CAS, then export it via one of the methods outlined above?
Why not create a CAS Array and associate the cert that'll include the Array name in it?

OR if you want both the boxes to not have high availability - include in the SAN, both CAS Boxes FQDN and NETBIOS along with SRV for _autodiscover._tcp.domain.com pointing to webmail address ++ webmail.domain.com pointing to one of the CAS Servers.

That's it. Now, if you do not use one of the options above - let me explain the consequences to you.

You look towards having two separate servers and not a CAS Array - that'll be dicey - and let me explain why.

The easy way out is to have each server associated with its own CAS box, and have each CAS box with the following cert SAN:


All would work well, because OL would be configured with the CAS Server Name, and there would be no errors whatsoever.

Problems would start when users are moved across to another server OR if the first CAS box goes down: you'll have to repoint the mailboxes to the second CAS server via DNS and the shell cmdlet parameter RPCClientAccessServer - however, remember CAS2 would still hold a cert that belongs to itself and not CAS1 - hence OL would prompt a security alert warning stating that the cert does not hold the FQDN of the respective server.

At this point, you'll have to re-issue a new cert that would then have the two CAS FQDNs ++ NETBIOS names - which would solve your problem eventually, and by this time you would have been cursing the Exchange Product team to the core :)



So if my CAS Array is outlook.domain.com, I would revoke the existing certificate and issue another one with the following:

Set-Content -path ".\webmail_company_com.txt" -Value (New-ExchangeCertificate -GenerateRequest -KeySize 2048 -SubjectName "c=US, s=TX, l=Austin, o=Company Inc., cn=webmail.company.com" -DomainName webmail.company.com, autodiscover.company.com, outlook, outlook.company.local -PrivateKeyExportable $True)

I would need to import this certificate into CAS1, then export it with its private key and import into CAS2. Correct?

