Is it possible to use the same SAN certificate on multiple CAS servers?

We have three CAS servers in our environment. Each one has its own SAN certificate. I was reading somewhere that you can purchase one and install it, then export it with the private key and install it on the other CAS servers. Most of the common names, like webmail.domain.com, autodiscover.domain.com, etc., are the same for all CAS servers. The only ones that would be different are the CAS FQDN and SMTP name, so you would just have to make sure they were all included in the SAN.
The thing that concerns me, though, is that when you generate the first SAN on the first CAS, it creates a private key that you can see when you issue a Get-ExchangeCertificate command. Later, when you get your certificate from the vendor, you can import it and the private key is there to match the certificate. On any other CAS server the private key is not there, so will there be a problem, or does exporting the private key on the first CAS take care of this?
These SAN certificates are expensive and we have several, so reusing the same one would be a big savings.
2 Solutions
 
Robby Swartenbroekx (MSP engineer) commented:
Yes, exporting to a pfx file will also export the private key.
Also usable for exporting for a reverse proxy server.
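The export-with-private-key step described in the answer above, written out as an added worked example for the Exchange 2010 Management Shell (this is not code from the thread; the server names EXCAS1/EXCAS2/EXCAS3, the domain.com names, the share path and the service list are assumptions). It checks that the certificate actually carries a private key and that every CAS FQDN is in the SAN list before exporting, exports a password-protected PFX, then imports and enables it on the other CAS servers and verifies the private key arrived:

```powershell
# Added example (not from the thread): copy one SAN certificate, private key included,
# from the CAS that generated the request to the other CAS servers.
# Exchange 2010 cmdlets; names, paths and service list below are assumptions.

$SourceCas     = 'EXCAS1'
$TargetCas     = 'EXCAS2', 'EXCAS3'
$PfxPath       = '\\EXCAS1\Certs$\webmail-san.pfx'          # assumed share readable from each CAS
$SharedNames   = 'webmail.domain.com', 'autodiscover.domain.com'
$MailDomain    = 'domain.com'

# 1. On the source CAS, pick the issued certificate for webmail.domain.com that has a
#    private key. A request that has not yet had the vendor's response imported has
#    no usable certificate to export.
$cert = Get-ExchangeCertificate -Server $SourceCas |
    Where-Object {
        $_.HasPrivateKey -and
        (($_.CertificateDomains | ForEach-Object { "$_" }) -contains 'webmail.domain.com')
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for webmail.domain.com on $SourceCas" }

# 2. Every CAS FQDN plus the shared names must already be in the SAN list.
#    A missing name means a new request to the vendor, not a re-export.
$domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
$needed  = $SharedNames + (@($SourceCas) + $TargetCas | ForEach-Object { "$($_).$MailDomain" })
$missing = $needed | Where-Object { $domains -notcontains $_ }
if ($missing) { throw "Certificate is missing SAN entries: $($missing -join ', ')" }

# 3. Export as a password-protected PFX. This is what carries the private key across;
#    it only succeeds if the request was created with New-ExchangeCertificate
#    -PrivateKeyExportable $true.
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $PfxPath -Value $export.FileData -Encoding Byte

# 4. On each other CAS: import the PFX, bind the services, and confirm the private key
#    is present there too (the question's concern).
$bytes = [byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)
foreach ($server in $TargetCas) {
    $imported = Import-ExchangeCertificate -Server $server -FileData $bytes -Password $pfxPassword
    Enable-ExchangeCertificate -Server $server -Thumbprint $imported.Thumbprint -Services IIS,SMTP
    $check = Get-ExchangeCertificate -Server $server -Thumbprint $imported.Thumbprint
    if (-not $check.HasPrivateKey) { throw "Private key did not import on $server" }
    "$server : $($check.Thumbprint) services=$($check.Services)"
}

# 5. The PFX contains the private key; do not leave it on the share.
Remove-Item -Path $PfxPath
```

Run it from the Exchange Management Shell on the source CAS. The same PFX is what a reverse proxy would consume; hand it over on a protected channel and delete the copy afterwards, because anyone holding the PFX and its password can impersonate every name in the SAN.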
 
Joseph Daly commented:
That is actually the whole purpose of purchasing a SAN certificate: so that you can have multiple server names on the same cert. As long as the CAS server's FQDN is in the SAN certificate along with all of the other important system names, then you should have no issues.

We just recently did this for a 2010 migration using a GoDaddy SAN cert. I believe we purchased one for up to 10 names and we are having no issues at all.
 
osiexchange (Author) commented:
xxdcmast, that is good to know. I obviously did not do our first installation correctly. Did you find you had to include the host name of the CAS server also, or just the FQDN (i.e. EXCAS1 and EXCAS1.Domain.com)? I know some or all certificate vendors will be dropping support for just the host name in the near future. I always thought it had to be included and did so in our SANs.
 
Joseph Daly commented:
We did do that for our 2007 environment (SERVERNAME and SERVERNAME.DOMAIN.COM); however, for our 2010 environment we only used the FQDN.

Some people like GoDaddy and some don't, but for stuff like this they are one of the cheapest/best. We got a 10-name, 5-year SAN cert for, I believe, just under 600 dollars.
 
Robby Swartenbroekx (MSP engineer) commented:
FQDN is good. Exchange uses only DNS names, no WINS names anymore (unless you browse manually to the server name, but then you can easily browse to the FQDN instead).
 
osiexchange (Author) commented:
The only issue you might run into is a certificate chain problem if someone did not have the intermediate or trusted root in their store. You don't have to worry about this for the big ones like Verisign and Entrust, but 600 for a 5-year cert is a good price.
 
Simon Butler (Sembee) (Consultant) commented:
That depends on your licence.
Verisign and the other major players only licence the SSL certificate for use on a single server; if you want to use it on multiple servers then you have to pay more money.
GoDaddy (Starfield) allow unlimited server use. Therefore, if you are going to use an existing certificate, check what your rights are. If a new certificate, then shop around for an unlimited-server-use certificate.

Simon.