Solved

Is it possible to use the same SAN certificate on multiple CAS servers

Posted on 2013-02-04
Last Modified: 2013-02-05
We have three CAS servers in our environment. Each one has its own SAN certificate. I was reading somewhere you can purchase one and install it, then export it out with the private key and install it on other CAS servers. Most of the common names, like webmail.domain.com, autodiscover.domain.com etc., are the same for all CAS servers. The only ones that would be different are the CAS FQDN and SMTP name, so you would just have to make sure they were all included in the SAN.
Thing that concerns me though is when you generate the first SAN on the first CAS, it creates a private key that you can see when you issue a get-exchangecertificate command. Later, when you get your certificate from the vendor, you can import it in and the private key is there to match the certificate. On any other CAS servers, the private key is not there so will there be a problem, or does exporting the private key on the first CAS take care of this?
 These SAN certificates are expensive and we have several so reusing the same one would be a big savings.
0
Question by:osiexchange
7 Comments
 
LVL 7

Accepted Solution

by:
Robby Swartenbroekx earned 125 total points
Yes, exporting to a pfx file will also export the private key.
Also usable for exporting for a reverse proxy server.
0
 
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 125 total points
That is actually the whole purpose of purchasing a SAN certificate, so that you can have multiple server names on the same cert. As long as the CAS server's FQDN is in the SAN certificate along with all of the other important system names, then you should have no issues.

We just recently did this for a 2010 migration using a GoDaddy SAN cert. I believe we purchased one for up to 10 names and we are having no issues at all.
0
 

Author Comment

by:osiexchange
xxdcmast, that is good to know. I obviously did not do our first installation correctly. Did you find you had to include the host name of the CAS server also, or just the FQDN (i.e. EXCAS1 and EXCAS1.Domain.com)? I know some or all certificate vendors will be dropping support for just the host name in the near future. I always thought it had to be included and did so in our SANs.
0
 
LVL 35

Expert Comment

by:Joseph Daly
We did do that for our 2007 environment: SERVERNAME and SERVERNAME.DOMAIN.COM. However, for our 2010 environment we only used the FQDN.

Some people like GoDaddy and some don't, but for stuff like this they are one of the cheapest/best. We got a 10 name 5 year SAN cert for I believe just under 600 dollars.
0
 
LVL 7

Expert Comment

by:Robby Swartenbroekx
FQDN is good. Exchange uses only DNS names, no WINS names anymore (unless you browse manually to the server name, but then you can easily browse to the FQDN).
0
 

Author Comment

by:osiexchange
Only issue you might run into is a certificate chain problem if someone did not have the intermediate or trusted root in their store. You don't have to worry about this for the big ones like Verisign and Entrust, but 600 for a 5 year cert is a good price.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
That depends on your licence.
Verisign and the other major players only licence the SSL certificate for use on a single server; if you want to use it on multiple servers then you have to pay more money.
GoDaddy (Starfield) allow unlimited server use. Therefore, if you are going to use an existing certificate, check what your rights are. If a new certificate, then shop around for an unlimited server use certificate.

Simon.
0
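
The export and import described in the accepted answer, together with the FQDN-in-SAN condition from the assisted answer, as an added example that is not part of the original thread. It assumes the Exchange 2010 Management Shell; the target server names, the thumbprint placeholder, the PFX path and the choice of IIS and SMTP as the services to bind are all assumptions.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# Every value below is a placeholder or hypothetical name.
$sourceCas  = 'EXCAS1'                        # CAS where the request was generated
$targetCas  = 'EXCAS2', 'EXCAS3'              # hypothetical additional CAS servers
$thumbprint = '<THUMBPRINT-OF-SAN-CERT>'      # taken from Get-ExchangeCertificate
$pfxPath    = 'C:\CertTransfer\san-cert.pfx'  # hypothetical, access-restricted folder
$pfxPass    = Read-Host 'PFX password' -AsSecureString

# 1. The source copy must hold the private key, or the export is useless elsewhere.
$src = Get-ExchangeCertificate -Server $sourceCas -Thumbprint $thumbprint
if (-not $src.HasPrivateKey) { throw "No private key on $sourceCas; cannot export." }

# 2. Export certificate plus private key as a password-protected PFX.
$export = Export-ExchangeCertificate -Server $sourceCas -Thumbprint $thumbprint `
    -BinaryEncoded:$true -Password $pfxPass
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte

# 3. Import on each remaining CAS and verify before binding any service.
$pfxBytes = [byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)
foreach ($cas in $targetCas) {
    Import-ExchangeCertificate -Server $cas -FileData $pfxBytes -Password $pfxPass |
        Out-Null
    $cert = Get-ExchangeCertificate -Server $cas -Thumbprint $thumbprint

    # The imported copy must carry the private key that came with the PFX.
    if (-not $cert.HasPrivateKey) { throw "Private key missing on $cas after import." }

    # Condition from the thread: this server's FQDN must be one of the SAN entries.
    $fqdn  = (Get-ExchangeServer -Identity $cas).Fqdn
    $names = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
    if ($names -notcontains $fqdn) {
        Write-Warning "$fqdn is not in the SAN list; certificate not enabled on $cas."
        continue
    }
    Enable-ExchangeCertificate -Server $cas -Thumbprint $thumbprint -Services 'IIS,SMTP'
}

# 4. The PFX holds the private key: delete the transfer copy once every CAS is done.
Remove-Item -Path $pfxPath
```

Anyone who obtains the PFX and its password holds the private key for every name in the SAN list, so the file should only exist for the duration of the transfer.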
