Is it possilbe to use the same SAN certificate on multiple CAS servers

We have three CAS servers in our environment. Each one has its own SAN certificate. I was reading somewhere you can purchase one and install it, then export it out with the private key and install it on another CAS servers. Most of the common names  like, etc...are the same for all CAS servers. The only ones that would be different is the CAS FQDN and SMTP name so you would just have to make sure they were all included in the SAN.
Thing that concerns me though is when you generate the first SAN on the first CAS, it creates a private key that you can see when you issue a get-exchangecertificate command. Later, when you get your certificate from the vendor, you can import it in and the private key is there to match the certificate. On any other CAS servers, the private key is not there so will there be a problem, or does exporting the private key on the first CAS take care of this?
 These SAN certificates are expensive and we have several so reusing the same one would be a big savings.
Who is Participating?
Robby SwartenbroekxConnect With a Mentor MSP engineerCommented:
Yes, exporting to a pfx file will also export the private key.
Also usable for exporting for a reverse proxy server.
Joseph DalyConnect With a Mentor Commented:
That is actually the whole purpose of purchasing a SAN certificate so that you can have multiple servernames on the same cert. As long as the cas servers FQDN is in the SAN certificate along with all of the other important system names then you should have no issues.

We just recently did this for a 2010 migration using a godaddy SAN cert. I believe we purchased one for up to 10 names and we are having no issues at all.
osiexchangeAuthor Commented:
xxdcmast, that is good to know. I obviously did not do our first installation correctly. Did you find you had to include the host name of the CAS server also or just the FQDN. (ie: EXCAS1 and I know some or all certificate vendors will be dropping support for just the host name in the near future. I always though it had to be included and did so in our SAN's.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Joseph DalyCommented:
We did do that for our 2007 environment. SERVERNAME AND SERVERNAME.DOMAIN.COM however for our 2010 environment we only used the FQDN.

Some people like godaddy and some dont but for stuff like this they are one of the cheapest/best. We got a 10 name 5 year SAN cert for I believe just under 600 dollars.
Robby SwartenbroekxMSP engineerCommented:
Fqdn is good. Exchange uses only dns names, no wins names anymore (unless you browse manually to the servername, but then you can easely browse to the fqdn name)
osiexchangeAuthor Commented:
Only issue you might run into is a certifcate chain problem if someone did not have the intermediate or Trusted root in their store. You don't have to worry about this for the big ones like Verisign and Entrust but 600 for a 5 year cert is a good price
Simon Butler (Sembee)ConsultantCommented:
That depedsn on your licence.
Verisign and the other major players on licence the SSL certificate for use on a single server, if you want to use it on multiple servers then you have to pay more money.
GoDaddy (Starfied) allow unlimited server use. Therefore if you are going to use an existing certificate check what your rights are. If a new certificate then shop around for an unlimied server use certiifcate.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.