Exchange 2010 SP2 multi tenant, SSL certificate per domain

We have a multi-tenant Exchange 2010 SP2 system. We're hosting multiple clients, and each client has its own domain. For example: client1 -> & client2 ->

Currently each client accesses OWA via our main domain:
Each customer can configure his Outlook using our mail domain:
or using its own domain or

One of my customers told me that he is getting certificate warnings from Outlook, he has his domain configured as exchange server: and the warnings are coming about his domain.

Our main domain has an SSL certificate installed, I can see it's working in the Exchange Console and also our IIS OWA is protected.

How can I install a separate SSL certificate for each customer? I have bought a wildcard SSL for him * and I want to use it so he will stop receiving these alerts.

Thank you.
Simon Butler (Sembee), Consultant, Commented:
This isn't how multi tenant works.
You are set up correctly, it is your customer's DNS settings that are wrong.
Almost certainly they have a wildcard in their DNS and resolves somewhere else, to a place where there is an SSL certificate in place for another domain. If you get the client to look at the certificate that should confirm it. Removing the wildcard from the DNS will resolve the problem.

m4dd0g (Author) Commented:
Thanks, is it possible to exclude a record from the * wildcard record in a DNS zone?
Simon Butler (Sembee), Consultant, Commented:
No. There is no such thing as an exclusion in DNS.
The wildcard must be removed. The closest you can get is to blackhole autodiscover (So set it to but that can cause problems with Outlook clients so it isn't a recommended path.

There should be no need for a wildcard in DNS - it is just laziness from hosting companies.

m4dd0g (Author) Commented:
The clients keep receiving the message after disabling the autodiscover.
The warning they receive is:
"the certificate cn name does not match the passed value"
"Do you want to continue using this server?"

thanks for help.
Simon Butler (Sembee), Consultant, Commented:
You need to look at the certificate to see where it is coming from. Their DNS is obviously not set up correctly.

Simon Butler you are a wise man.

I like to chip in a couple of my own tips.

Sometimes, we folks who do multi-tenant Exchange hosting do not have the luxury of managing the DNS for the client's domain. We have no say if they do a wildcard host name; only the MX records are pointing to our system. The way we overcome DNS problems when someone else manages it is as follows:

Make sure the autodiscover feature of the primary domain ( is working properly, since all the tenant domains rely on the primary domain's SSL certificate.  In particular, make sure the SRV record for the primary domain is fully spelled out, i.e _autodiscover, _tcp, 0,0,443, SSL name.  

If an incorrect client domain autodiscover record is causing error with your SSL certificate, as in the above example, when does not match the name of the certificate, namely, then we simply block the host name by adding to on the client's PC "hosts" file.  This will eliminate the certificate pop up error.
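
Added example (not posted by any participant in this thread): a Python sketch of the diagnosis described above, which checks whether `autodiscover.<tenant domain>` resolves, whether the certificate served there covers that name, and whether the DNS answer comes from a wildcard record. The function names, `tenant.example`, `webhost.example` and the address are assumptions made for illustration.

```python
import secrets
import socket
import ssl

def name_matches(host, pattern):
    """True if host is covered by one certificate name; '*' stands for one leftmost label only."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return host == pattern

def dns_resolve(host):
    """Live resolver: set of addresses for host, empty when the name does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)}
    except socket.gaierror:
        return set()

def tls_names(host):
    """Live probe: DNS names on the certificate served at host:443 (chain verified, name not)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # read the names even when they do not match the host
    with socket.create_connection((host, 443), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def check_tenant(domain, resolve=dns_resolve, cert_names=tls_names):
    """Classify what a client reaches at autodiscover.<domain> (hypothetical helper)."""
    host = "autodiscover." + domain
    addrs = resolve(host)
    if not addrs:
        return "no-record"
    if any(name_matches(host, name) for name in cert_names(host)):
        return "match"
    # A random label resolving to the same addresses means the answer came from a wildcard.
    probe = secrets.token_hex(8) + "." + domain
    return "wildcard-mismatch" if resolve(probe) == addrs else "explicit-mismatch"

# Constructed sample, not data from the thread: a tenant zone whose wildcard record
# points at a web host that serves a certificate for a different domain.
def sample_resolve(host):
    return {"198.51.100.7"} if host.endswith(".tenant.example") else set()

def sample_cert(host):
    return ["www.webhost.example", "webhost.example"]
```

Called as `check_tenant("tenant.example", sample_resolve, sample_cert)` it runs offline on the constructed zone; with the default arguments it queries live DNS and port 443.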