Installing Exchange 2010 certificate just for webapp with two SSL certificates

Posted on 2012-09-14
Last Modified: 2013-01-16
assume an exchange 2010 organization serving about 20 accepted domains

our external clients are not allowed to use outlook

they just use web browsers and outlook webapp

i have set records in our dns service provider for all accepted domains as

assume we have and and accepted domains

external clients connect to and

these addresses direct them to Exchange 2010 Outlook Web App and so everything is ok

and now about certificates. right now we are using domain (internal 2008 R2 domain) certificates so definitely external clients get a warning on opening webapp

i have not purchased any SAN certificate yet but i have two certificates from GoDaddy (currently unassigned to any web site)

now here is what i want to do :

1- i will go to my dns server (which is ZoneEdit) and redirect all those webapp addresses to one --> --> -->

and then i get two certs for and

so anybody from outside goes to those url's and is redirected to and a cert is published for that (and i think autodiscover will be also used)

am i right ?

does this work ?

you know i cannot test it because once certs are issued you cannot change them and the money will be gone !

and some more info :

1- we have just one site but three CAS, two edge and two HUB servers

2- i will just publish one owa address for all (just all the people will use it with their smtp address (their address in domain) or if needed, they will use their

3- yes ! all mx records point to our two edge servers

4- i should again tell you that nobody uses outlook from outside. they all use OWA (i should give activesync service to some users but that is not my concern for now)

so with this information in hand, are just two certs enough ? (one for and one for

and by the way, should these be installed in IIS ?! or in Exchange server certificates ?

because owa is a website i think certs should be requested and installed in cas server IIS ! am i right ?

but on the other hand i have seen that all certs (including autodiscover, legacy, pop3s, activesync and ...) are installed using the Exchange Management Console

i am somehow confused in this scenario ;(
thanks for your help
Question by:vadoodetm
    LVL 63

    Expert Comment

    by:Simon Butler (Sembee)
    You are wrong about the SSL certificates for a start - as you can get them rekeyed on the GoDaddy system.

    However it isn't going to work for you unless you do a web redirect. That will have to be to - if you try and do anything else, like a CNAME then it isn't going to work.

    For autodiscover, you will have to use SRV records. That will mean you can do without the SSL certificate.
    One for each domain.

    That way you will be able to use a single name SSL certificate externally.
    That will also affect internal use, so you should probably do the complete procedure for single host name certificate:

    Do everything for SSL through Exchange. They will be installed in to IIS by Exchange.

    LVL 1

    Author Comment

    First of all thanks Simon

    So, are you sure about GoDaddy ? you mean if i get a certificate for and later i decide to use it for another domain like, i can easily manage it with GoDaddy ? they revoke the first one and issue a second ?

    and about the redirection ! it is not much work ! i can do it with my DNS service provider (ZoneEdit) or i can simply tell people to use the https address

    and lets go to the main part.

    Ok ! note that my clients from outside never use outlook, just webapp
    so i need only certificate for my https://myowaaddress ( i have set a dns named email for that so when people enter they will see the OWA page)
    and autodiscover records are set in my external dns provider

    so, by this info, are certificates for and enough ? (and even as you said, it is not necessary to obtain one for autodiscover)
    (by the way, it says SRV record usage is for outlook-not-joined-to-domain clients, but all external clients use outlook webapp only, does this make a difference ?)

    as i told you, i will redirect all other addresses like or (sub are other accepted domains) to

    and the second question
    you say do everything through Exchange and it will install them on IIS.

    i have an internal CA (internal domain CA) for my inside clients (and that's why the externals get a warning on opening webapp, because it is not from a 3rd party trusted CA ! it is just an internal domain CA)
    now you said put your certificate through exchange. here is my question :
    am i allowed to use 2 Certificates on my exchange server ?!
    and then force exchange to use the internal one for clients from inside and the other one for clients connecting from outside ?!

    Thanks for your help
    LVL 63

    Expert Comment

    by:Simon Butler (Sembee)
    If you don't have anyone from external using Outlook then you don't need Autodiscover at all. Autodiscover can work inside on domain clients using any URL in the SSL certificate.

    You cannot have two SSL certificates on the same virtual server in IIS. That is why we usually use SAN/UC certificates, as it allows an internal and external name on the same SSL certificate. However internal names on commercial certificates are not going to be allowed soon, so a split DNS system with the same host name internally and externally is the way forward. Also makes training staff easier as you just tell them one URL.

    LVL 1

    Author Comment

    Thanks Simon
    So can i know your final suggestion ?
    getting a SAN certificate ?
    in summary what i want is this :
    an internal CA for internal clients (outlook or webapp) so they do not get a cert warning (the same as it is working now)
    and a cert for external clients from digicert or godaddy or ... so they can also connect without warning using webapp
    i wish exchange had this ability to use a cert for some clients and another for some other clients ! i also wish to get cert for some of my accepted domains but not for all of them and AFAIK exchange does not have ability to say ok use this cert for these domains and that cert for those, ... anyway
    i am waiting for your suggestion for my condition (also consider that i have a couple of standard (not UC) certs from godaddy in my hand
    and i should add that i have bought the domain name for my internal domain in world wide web. i mean my internal name is for example and i also own the domain name on internet (clients from outside use
    LVL 63

    Expert Comment

    by:Simon Butler (Sembee)
    The issue with SSL certificates isn't Exchange - it is the web server. IIS, Apache, whatever, they all work in the same way. One certificate one host name, one IP address.

    The only way that you can have different certificates for different people would be with two web sites. That will require two IP addresses. However that adds in additional complexity as certain things have to run in the default web site to work correctly. Outlook Anywhere has to be in the default web site, but the internal name of the Exchange server also needs to resolve to the default web site for ActiveSync and others to work.

    The easiest solution would be a SAN/UC certificate. That will allow you to put both the internal and external names in to the same certificate. Then use SRV records for the autodiscover arrangements for external users.

    LVL 1

    Author Comment

    Thanks Simon ! Thanks so much !
    now can you please help me with this
    i have about 20 accepted domains and the scenario and topology which i described before
    So, we have external webapp clients connecting to just one address ( (and if they use the zoneedit dns service will redirect them to
    internal clients also use the same address for webapp or use outlook (and the domain name is - our internal domain 2008 i mean)

    so with these in hand, is a 5-pack SAN cert enough ? i will put these in that : (internal address of server. of course i should mention that we have two cas servers " mycasserver01 and mycasserver02 which are in a cas array) (maybe we give clients outlook access from outside) (we have some iphones out of the company and i think this is necessary for them)

    Again please note that we have so many accepted domains but the condition and the design in my mind is what i told you above (all requests are redirected to
    so am i right here ?
    LVL 63

    Expert Comment

    by:Simon Butler (Sembee)
    That is what the SRV records are for - so that you don't have to cover all of the domains in the certificate.

    Use the same host name for all domains for:

    MX Records
    Outlook Anywhere

    The SRV records direct autodiscover to the certificate.
    Internally, all clients use the same host name for autodiscover, which is configured on set-clientaccessserver as the value of AutodiscoverServiceInternalURI.

    Don't overcomplicate matters.

    LVL 1

    Author Comment

    SRV Record is ok inside domain
    but my external dns provider does not provide me with these types of records
    it just gives me a table which i can have an entry and a related ip to that (in zoneedit you can also have a redirect url instead of ip) but no srv records
    so i am still a bit confused about my suggestion in the previous post :)
    is a 5-cert pack from a third party enough for my situation ?
    LVL 63

    Accepted Solution

    If you cannot setup SRV records then I see it that you have three options.

    1. Move DNS providers to someone who does. I personally use Nettica and can use SRV records with them. Not supporting SRV records is going to be limiting these days, more and more services are using them. I was sure that zoneedit does support SRV records.

    2. Get an SSL certificate with more slots so that you can use autodiscover for each host name.

    3. Configure the redirection method. This has to be done carefully and will generate prompts on the users. Start with this page at Technet: then follow the link at the bottom for the redirection configuration instructions. I don't think you will be using the redirect option in the DNS provider.
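As an added example, not from the thread or from Microsoft's documentation: the single-host-name arrangement Simon describes (one certificate for the published OWA name, autodiscover reaching it via SRV records, the internal autodiscover URI pointed at the same name), written for the Exchange 2010 Management Shell. Every host name, the organisation name and the file paths are placeholders.

```powershell
# Added example (not from the thread). Run in the Exchange 2010 Management Shell on a CAS.
# Placeholders: mail.example.com is the single published OWA/CAS name, example.com and
# example.net stand for two of the ~20 accepted domains, casarray.corp.example.local for the
# internal CAS array name, and C:\certreq\ for wherever you keep the CSR and signed cert.
$PublishedHost   = 'mail.example.com'
$AcceptedDomains = @('example.com', 'example.net')   # extend to all accepted domains

# 1. Request ONE certificate covering only the published name plus the internal array name.
#    No per-domain autodiscover.<domain> entries are needed once SRV records point here.
$csr = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -FriendlyName 'OWA single-name certificate' `
    -SubjectName "CN=$PublishedHost, O=Example Org, C=US" `
    -DomainName $PublishedHost, 'casarray.corp.example.local'
Set-Content -Path 'C:\certreq\owa.req' -Value $csr     # submit this CSR to the public CA

# 2. Import the CA-signed certificate and let Exchange bind it to IIS (OWA/ECP/EWS/ActiveSync).
#    Exchange writes the IIS binding itself; nothing is done in IIS Manager.
$bytes = [Byte[]](Get-Content -Encoding Byte -ReadCount 0 -Path 'C:\certreq\owa.cer')
$cert  = Import-ExchangeCertificate -FileData $bytes
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 3. Internal clients: point Autodiscover on every CAS at the same published host name,
#    so the internal URI is covered by the same certificate.
Get-ClientAccessServer | Set-ClientAccessServer `
    -AutoDiscoverServiceInternalUri "https://$PublishedHost/Autodiscover/Autodiscover.xml"

# 4. Checks. (a) The certificate now bound to IIS must actually list the published name.
$bound = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $bound -or $bound.CertificateDomains -notcontains $PublishedHost) {
    Write-Warning "The IIS-bound certificate does not cover $PublishedHost"
}
# (b) External clients: each accepted domain needs a public SRV record of the form
#     _autodiscover._tcp.<domain>  SRV 0 0 443 mail.example.com
#     nslookup is used because Resolve-DnsName does not exist on Windows Server 2008 R2.
foreach ($d in $AcceptedDomains) {
    $answer = (nslookup -type=SRV "_autodiscover._tcp.$d" 2>$null) -join "`n"
    if ($answer -notmatch [regex]::Escape($PublishedHost)) {
        Write-Warning "No autodiscover SRV record for $d pointing at $PublishedHost"
    }
}
```

Check (b) is the part that fails with a DNS provider that cannot publish SRV records, which is exactly the situation the accepted answer's three options address.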

