Exchange 2010 SSL Cert

What is the best method for getting internal and external SSL certificates working with Exchange 2010, namely for Autodiscover and OWA?

Our FQDN is company.local, which makes it more difficult since the SSL standards have changed, from what I have read.

I do own a GoDaddy UCC cert, which would work for my externally pointed names, etc.

Is there a way to use the GoDaddy cert for external (just IIS services, I assume), then use an internal self-signed cert for when users use Outlook, the OWA internal address, etc.?

We are a company of 10 offices, so re-doing the domain is not really an option at this point.
NetoMeter Screencasts commented:
If you already have a GoDaddy UCC, using a SRV record for autodiscover is definitely not the smartest approach (with all due respect to the Genius advice).

You would want to use an SRV record with a single-domain certificate, and it comes with the corresponding redirection popup.

If the UCC is valid and:
1. Contains the minimum required FQDNs - "" and ex. ""
2. You have the corresponding records for these FQDNs in the external DNS zone

no changes are required in the certificate and external DNS zone. If you have an internal FQDN in it, such certificates will be revoked in 2016. You can get fully compliant by generating a new CSR without the internal name and replacing the existing cert.

You need to perform the following changes on the internal network, though:
1. Configure Split-Brain DNS or PinPoint DNS zones (I recommend the latter) for the Public FQDN in certificate on the local network DNS.
2. Modify the internal Exchange URL.

Since we are talking about Exchange 2010, you can change the OAB, OWA, ActiveSync in EMC (just copy the external URL over the internal one).

The SCP (Autodiscover Internal URI) and Web Services (which is often forgotten) should be modified the same way but in EMS.
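The two internal-network steps above (pinpoint zones on the internal DNS, then the internal Exchange URLs), as an added example that is not part of the original comment. It assumes the public names on the UCC are mail.example.com and autodiscover.example.com, that the CAS is EX01 with LAN address 10.0.0.25, and that the DNS commands run on a domain controller hosting DNS while the Exchange cmdlets run in the Exchange Management Shell; substitute your own cert names and addresses.

```powershell
# Added example, not from the original thread. Assumed names throughout:
# public cert names mail.example.com / autodiscover.example.com, CAS EX01, LAN IP 10.0.0.25.
$PublicHost    = "mail.example.com"
$AutoDHost     = "autodiscover.example.com"
$CasInternalIp = "10.0.0.25"
$Cas           = "EX01"

# 1. Pinpoint zones: one AD-integrated zone named exactly like each public FQDN on the
#    cert, holding a single blank-name ("@") A record. Only these two names are then
#    answered locally; every other example.com name still resolves via public DNS,
#    which is why there is no second copy of the whole zone to keep in sync.
foreach ($zone in @($PublicHost, $AutoDHost)) {
    dnscmd . /ZoneAdd $zone /DsPrimary
    dnscmd . /RecordAdd $zone "@" A $CasInternalIp
}

# 2. Internal URLs: point every internal URL at the public name so LAN clients are
#    handed a hostname that is on the GoDaddy UCC instead of the .local name.
$base = "https://$PublicHost"
Get-OwaVirtualDirectory        -Server $Cas | Set-OwaVirtualDirectory        -InternalUrl "$base/owa"
Get-EcpVirtualDirectory        -Server $Cas | Set-EcpVirtualDirectory        -InternalUrl "$base/ecp"
Get-OabVirtualDirectory        -Server $Cas | Set-OabVirtualDirectory        -InternalUrl "$base/OAB"
Get-ActiveSyncVirtualDirectory -Server $Cas | Set-ActiveSyncVirtualDirectory -InternalUrl "$base/Microsoft-Server-ActiveSync"
# Web Services and the SCP have no URL fields in the 2010 EMC; they are EMS-only.
Get-WebServicesVirtualDirectory -Server $Cas | Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx"
Set-ClientAccessServer -Identity $Cas -AutoDiscoverServiceInternalUri "https://$AutoDHost/Autodiscover/Autodiscover.xml"

# 3. Check: nothing Outlook is handed may still carry the .local name, and the public
#    names must now answer with the LAN address. Run nslookup from a client after
#    "ipconfig /flushdns"; IIS restart (iisreset) is needed for the URL changes to apply.
$vdirs  = @()
$vdirs += Get-OwaVirtualDirectory         -Server $Cas
$vdirs += Get-EcpVirtualDirectory         -Server $Cas
$vdirs += Get-OabVirtualDirectory         -Server $Cas
$vdirs += Get-ActiveSyncVirtualDirectory  -Server $Cas
$vdirs += Get-WebServicesVirtualDirectory -Server $Cas
$vdirs | Where-Object { "$($_.InternalUrl)" -match '\.local' } |
    Format-Table Identity, InternalUrl -AutoSize
Get-ClientAccessServer -Identity $Cas | Format-List Name, AutoDiscoverServiceInternalUri
nslookup $PublicHost
nslookup $AutoDHost
```

The Where-Object filter should return nothing; if a line comes back, that virtual directory still advertises the internal name and Outlook will keep raising the name-mismatch warning for it. Once the URLs are clean, the CSR for the replacement cert no longer needs any .local name.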
Adam Brown (Sr Solutions Architect) commented:
You can use an SRV record to get rid of the certificate errors. I wrote a blog on the subject here:

The key is to create an SRV record in your internal domain that points to If you don't have split-horizon DNS, this will force your internal clients to query the public IP address, but if you have an internal DNS zone with pointing to the internal IP of the CAS server you can prevent this. The SRV record should be set up in your .local DNS zone and you should not have an record.
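The SRV approach described above, as an added example that is not part of Adam Brown's comment. It assumes the SRV record is created on the internal Windows DNS server, that the public CAS name is mail.example.com and that an internal zone already resolves that name to the CAS LAN address (10.0.0.25); the domain names are placeholders. Note that Outlook performs the SRV lookup as _autodiscover._tcp.<SMTP domain of the mailbox>, so the record belongs in the internal zone that answers for that SMTP domain.

```powershell
# Added example, not from the original post. Assumed names: SMTP domain example.com
# (hosted internally as well), public CAS name mail.example.com, CAS LAN IP 10.0.0.25.
$SmtpDomain = "example.com"
$CasName    = "mail.example.com"
$CasLanIp   = "10.0.0.25"

# Outlook queries _autodiscover._tcp.<SMTP domain>; priority 0, weight 0, port 443.
dnscmd . /RecordAdd $SmtpDomain _autodiscover._tcp SRV 0 0 443 $CasName

# The SRV target must itself resolve internally to the CAS, and that name must be
# on the certificate, otherwise the SRV only moves the mismatch warning elsewhere.
dnscmd . /RecordAdd $CasName "@" A $CasLanIp

# Checks from a domain client (after ipconfig /flushdns): the SRV answer should name
# mail.example.com and that name should come back with the LAN address.
nslookup -type=SRV "_autodiscover._tcp.$SmtpDomain"
nslookup $CasName
```

Outlook still shows the "allow this website to configure settings" redirect prompt on first use with the SRV method, which is the popup the other comments refer to; it can be suppressed per client with the Autodiscover redirect policy, but the UCC plus internal-URL approach avoids it entirely.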
DerekFG (Author) commented:
Okay, so can I do the same thing for internal OWA?

We are set up so that forwards to the public static IP of our main firewall for SMTP, then is sent to our Barracuda unit. forwards to the Exchange server for HTTPS. forwards to the public IP of the main firewall, then to the Exchange server.

All of that should work as is...

Do I need to create another SRV record for so that if users try to access it internally they will not get an SSL error?

I do have a DNS zone; currently mail. has an A record that points at the Exchange server. I also have an A record that points to the same. Should these be removed as well, since we are creating the SRV records, along with any A records in the .local zone?

Sorry for all the questions, just need to wrap my head around how this is going to route owa and autodiscover and get rid of those ssl errors.
Adam Brown (Sr Solutions Architect) commented:
For OWA you would need to have an internal DNS zone that had pointing to the internal IP of the CAS server. No SRV record needed. The SRV record tells Outlook where to go for Autodiscover. OWA just needs to be accessed using a host name on the certificate.
Adam Brown (Sr Solutions Architect) commented:
SRV records are a perfectly valid approach. So is modifying the URIs. SRV requires less effort.
NetoMeter Screencasts commented:
Yes, it is a valid approach and I do recommend it to companies on a tight budget with a small number of remote clients. As I've mentioned, you get a redirection popup warning (Outlook Anywhere) and that is frustrating when you have a lot of remote clients.

In this example, there is already a GoDaddy UCC in place. It supports Subject Alternative Names and you can set one of them to be "" (if it's not already set).

If you already have a UCC, using an SRV record for Autodiscover is plain stupid.
Simon Butler (Sembee), Consultant, commented:
The only way I would deploy this is split DNS so the external name resolves internally.
Configure Exchange to use the external host name for internal purposes as well.
Autodiscover DNS - well you can leave that where it is internally, but if you don't have any clients on the internal network that are NOT members of the domain, then you don't even need it.

Autodiscover SRV records I use only when I am stuck with a single name certificate (usually because someone bought a VeriSign overpriced certificate for five years) or hosting a lot of domains. Otherwise I do not use them.

NetoMeter Screencasts commented:
That's exactly what I've said, Sembee.

The only difference is that I recommend PinPoint DNS zones instead of Split-Brain DNS zones, and that's the intelligent way to go, especially if you have just one or two zones to create. It's the set-it-and-forget-it approach, instead of managing two zones (an internal and an external one).

#Autodiscover DNS - well you can leave that where it is internally

I don't agree with that either. It doesn't cost you anything to configure it, and leaving it out is looking for trouble. The fact is that you do have tablets and mobile devices that use the internal wireless and are not members of the domain.
DerekFG (Author) commented:
Thank you for all of the answers.  I think NetoMeter has it nailed for my environment, although it seems there are a lot of ways to achieve what I am looking to do.

NetoMeter (love the site, by the way) - is there any way to contact you directly with a few questions semi-relevant to this? I don't see a PM feature on this site, and would not wish to fill this thread with back-and-forth chat not fully related.
NetoMeter Screencasts commented:
The contact info or the chat button.