Solved

Exchange UUC/SAN certificate

Posted on 2014-02-10
5
258 Views
Last Modified: 2014-02-11
What should the Common Name on a UUC/SAN certificate be named? This is for an Exchange 2010 server. The cert would be supporting all exchange's certificate needs. i.e. ActiveSync, AutoDiscover, OWA, Outlook Anywhere. We also have Outlook 2010 fat clients on internal domain.

 Also, my internal exchange server name is different from the outward facing name which is mail.nhmelab.net



Should the common name be mail.nhmelab.net

or

nhmelab.net

If mail.nhmelab.net should be common name, I would also need to add nhmelab.net as a san member: Yes or No?
0
Comment
Question by:ShiftAltNumlock
  • 3
5 Comments
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 39849331
If you are use UUC/SAN certificate for your exchange server then you have to create san certificate common name "nhmelab.net".

These include your all prefix domain like.

autodiscover.nhmelab.net
mail.nhmelab.net
pop.nhmelab.net
smtp.nhmelab.net



You can purchase SAN certificate from third party for more info refer below link:

http://support.microsoft.com/kb/929395


Or


You can create a new SAN certificate using exchange for more info refer below link :

http://technet.microsoft.com/en-us/library/aa995942.aspx
0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 39849621
Personally I would disagree.
The common name would be the host name that you are going to use most often - in most cases that would NOT be the root of the domain, but something like host.example.com.
You can get away with just two host names - mail.example.com and Autodiscover.example.com, any others would be used within Exchange if you choose to, but have no functionality effect on the operation of Exchange.

Simon.
0
 

Author Comment

by:ShiftAltNumlock
ID: 39850334
And here lies the problem. From the research I have done so far, the vast majority agree with you, Simon, but there are a few that side with Sushil, including Microsoft Exchange server. During the CSR process, exchange defaulted nhmelab.net as the common name. I am still at this step of the CSR setup process and have the ability to change this. If I can't get anymore info on this, I am going to go with the majority on this.
 CSR Process doesn't pick FQDN for common name by default.
0
 

Author Comment

by:ShiftAltNumlock
ID: 39850567
I actually called GoDaddy to get their take on this. They also agree that you SHOULD use FQDN for common name on a UUC cert to secure Exchange. They admit that Microsoft Exchange 2010 selects to root domain for common name during CSR generation, but they could not explain the reason for this. That being said, I think I will go with using mail.nhmelab.net for the common name. Thanks to all who chimed in on this question.
0
 

Author Closing Comment

by:ShiftAltNumlock
ID: 39850584
Thanks Simon, I am glad you are out there and responding so quickly. You will most likely see more questions from me. I decided that this Exchange migration was too complex to try without doing a simulation, so I am doing it all in a VM lab 1st.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Local Continuous Replication is a cost effective and quick way of backing up Exchange server data. The following article describes the steps required to configure Local Continuous Replication. Also, the article tells you how to restore from a backup…
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…
how to add IIS SMTP to handle application/Scanner relays into office 365.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now