Solved

Is it possilbe to use the same SAN certificate on multiple CAS servers

Posted on 2013-02-04
7
512 Views
Last Modified: 2013-02-05
We have three CAS servers in our environment. Each one has its own SAN certificate. I was reading somewhere you can purchase one and install it, then export it out with the private key and install it on another CAS servers. Most of the common names  like webmail.domain.com, autodiscover.domain.com etc...are the same for all CAS servers. The only ones that would be different is the CAS FQDN and SMTP name so you would just have to make sure they were all included in the SAN.
Thing that concerns me though is when you generate the first SAN on the first CAS, it creates a private key that you can see when you issue a get-exchangecertificate command. Later, when you get your certificate from the vendor, you can import it in and the private key is there to match the certificate. On any other CAS servers, the private key is not there so will there be a problem, or does exporting the private key on the first CAS take care of this?
 These SAN certificates are expensive and we have several so reusing the same one would be a big savings.
0
Comment
Question by:osiexchange
  • 2
  • 2
  • 2
  • +1
7 Comments
 
LVL 7

Accepted Solution

by:
Robby Swartenbroekx earned 125 total points
ID: 38852650
Yes, exporting to a pfx file will also export the private key.
Also usable for exporting for a reverse proxy server.
0
 
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 125 total points
ID: 38852665
That is actually the whole purpose of purchasing a SAN certificate so that you can have multiple servernames on the same cert. As long as the cas servers FQDN is in the SAN certificate along with all of the other important system names then you should have no issues.

We just recently did this for a 2010 migration using a godaddy SAN cert. I believe we purchased one for up to 10 names and we are having no issues at all.
0
 

Author Comment

by:osiexchange
ID: 38852683
xxdcmast, that is good to know. I obviously did not do our first installation correctly. Did you find you had to include the host name of the CAS server also or just the FQDN. (ie: EXCAS1 and EXCAS1.Domain.com). I know some or all certificate vendors will be dropping support for just the host name in the near future. I always though it had to be included and did so in our SAN's.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 35

Expert Comment

by:Joseph Daly
ID: 38852696
We did do that for our 2007 environment. SERVERNAME AND SERVERNAME.DOMAIN.COM however for our 2010 environment we only used the FQDN.

Some people like godaddy and some dont but for stuff like this they are one of the cheapest/best. We got a 10 name 5 year SAN cert for I believe just under 600 dollars.
0
 
LVL 7

Expert Comment

by:Robby Swartenbroekx
ID: 38852722
Fqdn is good. Exchange uses only dns names, no wins names anymore (unless you browse manually to the servername, but then you can easely browse to the fqdn name)
0
 

Author Comment

by:osiexchange
ID: 38852734
Only issue you might run into is a certifcate chain problem if someone did not have the intermediate or Trusted root in their store. You don't have to worry about this for the big ones like Verisign and Entrust but 600 for a 5 year cert is a good price
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38853252
That depedsn on your licence.
Verisign and the other major players on licence the SSL certificate for use on a single server, if you want to use it on multiple servers then you have to pay more money.
GoDaddy (Starfied) allow unlimited server use. Therefore if you are going to use an existing certificate check what your rights are. If a new certificate then shop around for an unlimied server use certiifcate.

Simon.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question