Is it possilbe to use the same SAN certificate on multiple CAS servers

Posted on 2013-02-04
Last Modified: 2013-02-05
We have three CAS servers in our environment. Each one has its own SAN certificate. I was reading somewhere you can purchase one and install it, then export it out with the private key and install it on another CAS servers. Most of the common names  like, etc...are the same for all CAS servers. The only ones that would be different is the CAS FQDN and SMTP name so you would just have to make sure they were all included in the SAN.
Thing that concerns me though is when you generate the first SAN on the first CAS, it creates a private key that you can see when you issue a get-exchangecertificate command. Later, when you get your certificate from the vendor, you can import it in and the private key is there to match the certificate. On any other CAS servers, the private key is not there so will there be a problem, or does exporting the private key on the first CAS take care of this?
 These SAN certificates are expensive and we have several so reusing the same one would be a big savings.
Question by:osiexchange
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1

Accepted Solution

Robby Swartenbroekx earned 125 total points
ID: 38852650
Yes, exporting to a pfx file will also export the private key.
Also usable for exporting for a reverse proxy server.
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 125 total points
ID: 38852665
That is actually the whole purpose of purchasing a SAN certificate so that you can have multiple servernames on the same cert. As long as the cas servers FQDN is in the SAN certificate along with all of the other important system names then you should have no issues.

We just recently did this for a 2010 migration using a godaddy SAN cert. I believe we purchased one for up to 10 names and we are having no issues at all.

Author Comment

ID: 38852683
xxdcmast, that is good to know. I obviously did not do our first installation correctly. Did you find you had to include the host name of the CAS server also or just the FQDN. (ie: EXCAS1 and I know some or all certificate vendors will be dropping support for just the host name in the near future. I always though it had to be included and did so in our SAN's.
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

LVL 35

Expert Comment

by:Joseph Daly
ID: 38852696
We did do that for our 2007 environment. SERVERNAME AND SERVERNAME.DOMAIN.COM however for our 2010 environment we only used the FQDN.

Some people like godaddy and some dont but for stuff like this they are one of the cheapest/best. We got a 10 name 5 year SAN cert for I believe just under 600 dollars.

Expert Comment

by:Robby Swartenbroekx
ID: 38852722
Fqdn is good. Exchange uses only dns names, no wins names anymore (unless you browse manually to the servername, but then you can easely browse to the fqdn name)

Author Comment

ID: 38852734
Only issue you might run into is a certifcate chain problem if someone did not have the intermediate or Trusted root in their store. You don't have to worry about this for the big ones like Verisign and Entrust but 600 for a 5 year cert is a good price
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38853252
That depedsn on your licence.
Verisign and the other major players on licence the SSL certificate for use on a single server, if you want to use it on multiple servers then you have to pay more money.
GoDaddy (Starfied) allow unlimited server use. Therefore if you are going to use an existing certificate check what your rights are. If a new certificate then shop around for an unlimied server use certiifcate.


Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
This article will help to fix the below error for MS Exchange server 2010 I. Out Of office not working II. Certificate error "name on the security certificate is invalid or does not match the name of the site" III. Make Internal URLs and External…
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question