Exchange UUC/SAN certificate

What should the Common Name on a UUC/SAN certificate be named? This is for an Exchange 2010 server. The cert would be supporting all exchange's certificate needs. i.e. ActiveSync, AutoDiscover, OWA, Outlook Anywhere. We also have Outlook 2010 fat clients on internal domain.

 Also, my internal exchange server name is different from the outward facing name which is mail.nhmelab.net



Should the common name be mail.nhmelab.net

or

nhmelab.net

If mail.nhmelab.net should be common name, I would also need to add nhmelab.net as a san member: Yes or No?
ShiftAltNumlockAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Simon Butler (Sembee)Connect With a Mentor ConsultantCommented:
Personally I would disagree.
The common name would be the host name that you are going to use most often - in most cases that would NOT be the root of the domain, but something like host.example.com.
You can get away with just two host names - mail.example.com and Autodiscover.example.com, any others would be used within Exchange if you choose to, but have no functionality effect on the operation of Exchange.

Simon.
0
 
Sushil SonawaneCommented:
If you are use UUC/SAN certificate for your exchange server then you have to create san certificate common name "nhmelab.net".

These include your all prefix domain like.

autodiscover.nhmelab.net
mail.nhmelab.net
pop.nhmelab.net
smtp.nhmelab.net



You can purchase SAN certificate from third party for more info refer below link:

http://support.microsoft.com/kb/929395


Or


You can create a new SAN certificate using exchange for more info refer below link :

http://technet.microsoft.com/en-us/library/aa995942.aspx
0
 
ShiftAltNumlockAuthor Commented:
And here lies the problem. From the research I have done so far, the vast majority agree with you, Simon, but there are a few that side with Sushil, including Microsoft Exchange server. During the CSR process, exchange defaulted nhmelab.net as the common name. I am still at this step of the CSR setup process and have the ability to change this. If I can't get anymore info on this, I am going to go with the majority on this.
 CSR Process doesn't pick FQDN for common name by default.
0
 
ShiftAltNumlockAuthor Commented:
I actually called GoDaddy to get their take on this. They also agree that you SHOULD use FQDN for common name on a UUC cert to secure Exchange. They admit that Microsoft Exchange 2010 selects to root domain for common name during CSR generation, but they could not explain the reason for this. That being said, I think I will go with using mail.nhmelab.net for the common name. Thanks to all who chimed in on this question.
0
 
ShiftAltNumlockAuthor Commented:
Thanks Simon, I am glad you are out there and responding so quickly. You will most likely see more questions from me. I decided that this Exchange migration was too complex to try without doing a simulation, so I am doing it all in a VM lab 1st.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.