Exchange 2010 SSL Cert

Posted on 2014-02-18
1 Endorsement
Last Modified: 2014-02-19
What is the best method for getting internal and external SSL certifications working with Exchange 2010, namely for autodiscover and OWA?

Our FQDN is a company.local, so that makes it more difficult since the SSL standards have changed from what I have read.

I do own a GoDaddy UCC cert, which would work for my external pointed, etc.

Is there a way to use the GoDaddy cert for external, just IIS services I assume, then use an internal self signed for when users use Outlook, Owa internal address, etc?

We are a company of 10 offices, so re-doing the domain is not really an option at this point.
Question by:DerekFG
LVL 41

Expert Comment

by:Adam Brown
ID: 39868861
You can use a SRV record to get rid of the certificate errors. I wrote a blog on the subject here:

The key is to create a SRV record in your Internal domain that points to If you don't have split horizon DNS, this will force your internal clients to query the public IP address, but if you have an internal DNS zone with pointing to the internal IP of the CAS server you can prevent this. The SRV record should be set up in your .local DNS zone and you should not have an record.
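The SRV approach described above, as an added example (not from the original post): it creates the Autodiscover SRV record in the internal .local zone with dnscmd on the internal DNS server, then checks that no competing A record sits beside it. `company.local` is the AD zone from the question; `mail.example.com` is a placeholder for the public host name on the UCC certificate.

```powershell
# Placeholders: company.local is the AD zone from the question,
# mail.example.com stands in for a host name that is on the GoDaddy UCC cert.
$InternalZone = "company.local"
$PublicHost   = "mail.example.com"

# Outlook queries _autodiscover._tcp.<domain> for a SRV record and then
# contacts the target host over the port it names (443 here, HTTPS).
# dnscmd SRV data order: priority weight port target
dnscmd . /RecordAdd $InternalZone "_autodiscover._tcp" SRV 0 0 443 $PublicHost

# Per the post, the .local zone should NOT also carry an autodiscover A record;
# if one exists Outlook tries that host first and hits the cert name mismatch.
# This lists whatever exists under that node so it can be reviewed and removed.
dnscmd . /EnumRecords $InternalZone "autodiscover"

# Verify from a domain-joined client that the SRV record resolves
nslookup -type=SRV "_autodiscover._tcp.$InternalZone"
```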

Author Comment

ID: 39868910
Okay, so can I do the same thing for internal OWA?

We are set up so that forwards to the public static ip of our main firewall for smtp, then is sent to our Barracuda unit. forwards to the exchange server for https forwards to public ip of main firewall then to exchange server

All of that should work as is...

Do I need to create another SRV record for so if users try to access internally they will not get an SSL error?

I do have a DNS zone, current mail. has an A record that points at the exchange server.  I also have an A record that points to the same.  These should be removed as well since we are creating the SRV records, as well as any A records in the .local zone?

Sorry for all the questions, just need to wrap my head around how this is going to route owa and autodiscover and get rid of those ssl errors.
LVL 41

Expert Comment

by:Adam Brown
ID: 39869145
For OWA you would need to have an internal DNS zone that had pointing to the internal IP of the CAS server. No SRV record needed. The SRV record tells Outlook where to go for autodiscover. OWA just needs to be accessed using a host name on the certificate.

LVL 11

Accepted Solution

NetoMeter Screencasts earned 500 total points
ID: 39869266
If you already have a GoDaddy UCC, using a SRV record for autodiscover is definitely not the smartest approach (with all due respect to the Genius advice).

You would like to use a SRV record with a single domain certificate, and it comes with the corresponding redirection popup.

If the UCC is valid and:
1. Contains the minimum required FQDN - "" and ex. ""
2. You have the corresponding records for these FQDN in the external DNS zone

no changes are required in the certificate and external DNS zone. If you have internal FQDNs in it, such certificates will be revoked in 2016. You can get fully compliant by generating a new CSR without the internal name and replacing the existing cert.

You need to perform the following changes on the internal network, though:
1. Configure Split-Brain DNS or PinPoint DNS zones (I recommend the latter) for the Public FQDN in certificate on the local network DNS.
2. Modify the internal Exchange URL.

Since we are talking about Exchange 2010, you can change the OAB, OWA, ActiveSync in EMC (just copy the external URL over the internal one).

The SCP (Autodiscover Internal URI) and Web Services (which is often forgotten) should be modified the same way but in EMS.
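The two internal-side changes from the accepted answer, as an added example (not NetoMeter's own script): pinpoint DNS zones for the public names, then the Exchange 2010 internal URLs (OWA, OAB, ActiveSync, Web Services and the SCP) set to the same host names as the external URLs, followed by a check. `mail.example.com`, `autodiscover.example.com`, `10.0.0.10` and `EX01` are placeholders for the public FQDNs on the UCC cert, the CAS internal IP and the CAS server name.

```powershell
# Placeholders (assumed, not from the thread): public FQDNs on the UCC cert,
# the CAS server's internal IP and its name.
$PublicHost = "mail.example.com"
$AutoDHost  = "autodiscover.example.com"
$CasIp      = "10.0.0.10"
$Cas        = "EX01"

# 1. Pinpoint zones: one AD-integrated zone per public FQDN, holding only the
#    apex A record. Internal clients resolve that one name to the CAS while every
#    other name in the public domain still resolves through the internet, so
#    there is no second copy of the public zone to keep in sync.
foreach ($name in $PublicHost, $AutoDHost) {
    dnscmd . /ZoneAdd $name /DsPrimary
    dnscmd . /RecordAdd $name "@" A $CasIp
}

# 2. Internal URLs (run in the Exchange Management Shell). The accepted answer
#    copies the external URL over the internal one; these cmdlets do the same
#    per virtual directory. ECP is included because it shares OWA's name.
$site = "(Default Web Site)"
Set-OwaVirtualDirectory        -Identity "$Cas\owa $site" -InternalUrl "https://$PublicHost/owa"
Set-EcpVirtualDirectory        -Identity "$Cas\ecp $site" -InternalUrl "https://$PublicHost/ecp"
Set-OabVirtualDirectory        -Identity "$Cas\OAB $site" -InternalUrl "https://$PublicHost/OAB"
Set-ActiveSyncVirtualDirectory -Identity "$Cas\Microsoft-Server-ActiveSync $site" `
    -InternalUrl "https://$PublicHost/Microsoft-Server-ActiveSync"
# Web Services, the one the answer notes is often forgotten
Set-WebServicesVirtualDirectory -Identity "$Cas\EWS $site" `
    -InternalUrl "https://$PublicHost/EWS/Exchange.asmx"
# SCP: the Autodiscover URI that domain-joined Outlook reads from Active Directory
Set-ClientAccessServer -Identity $Cas `
    -AutoDiscoverServiceInternalUri "https://$AutoDHost/Autodiscover/Autodiscover.xml"

# 3. Check: every InternalUrl should now carry a host name that is on the cert
Get-OwaVirtualDirectory         -Server $Cas | Format-Table Identity, InternalUrl, ExternalUrl
Get-WebServicesVirtualDirectory -Server $Cas | Format-Table Identity, InternalUrl, ExternalUrl
Get-ActiveSyncVirtualDirectory  -Server $Cas | Format-Table Identity, InternalUrl, ExternalUrl
Get-ClientAccessServer $Cas | Format-List AutoDiscoverServiceInternalUri
```

Outlook clients pick up the new SCP value on their next Autodiscover refresh, so the certificate warning stops once both the DNS zones and the URLs point at names on the certificate.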
LVL 41

Expert Comment

by:Adam Brown
ID: 39869437
Srv records are a perfectly valid approach. So is modifying the uris. Srv requires less effort.
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 39870199
Yes, it is a valid approach and I do recommend it to companies on a tight budget with a small number of remote clients. As I've mentioned, you get a redirection popup warning (Outlook Anywhere) and that is frustrating when you have a lot of remote clients.

In this example, there is already a GoDaddy UCC in place. It supports Subject Alternative names and you can set one of them to be "" (if it's not already set).

If you already have a UCC, using a SRV record for autodiscover is plain stupid.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39871124
The only way I would deploy this is split DNS so the external name resolves internally.
Configure Exchange to use the external host name for internal purposes as well.
Autodiscover DNS - well you can leave that where it is internally, but if you don't have any clients on the internal network that are NOT members of the domain, then you don't even need it.

Autodiscover SRV records I use only when I am stuck with a single name certificate (usually because someone bought a VeriSign overpriced certificate for five years) or hosting a lot of domains. Otherwise I do not use them.

LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 39871183
That's exactly what I've said, Sembee.

The only difference is that I recommend PinPoint DNS zones instead of Split Brain DNS zones, and that's the intelligent way to go, especially if you have just one or two zones to create - it's the set it and forget it approach, instead of managing two zones (internal and external one).

#Autodiscover DNS - well you can leave that where it is internally

I don't agree with that either. It doesn't cost you anything to configure it, and leaving it is looking for trouble. The fact is that you do have tablets and mobile devices that use the internal wireless and are not members of the domain.

Author Comment

ID: 39871205
Thank you for all of the answers.  I think NetoMeter has it nailed for my environment, although it seems there are a lot of ways to achieve what I am looking to do.

NetoMeter (love the site by the way) - is there any way to contact you directly on a few questions semi-relevant to this?  I don't see a PM feature on this site, and would not wish to fill this thread with back and forth chat not fully related.
LVL 11

Expert Comment

by:NetoMeter Screencasts
ID: 39871211
The contact info or the chat button.
