

Assigning SSL certs across multiple servers

Posted on 2014-04-23
Medium Priority
Last Modified: 2014-04-28
We’re venturing down the path of migrating to Office 365 from an on-premises Exchange 2010 DAG environment. We’re a small non-profit without much hardware and we’re not looking to maintain on-premises Exchange servers; once the accounts have been migrated, we’ll remove the Exchange servers. We’ll be doing a phased conversion, thus we’ll be using DirSync and ADFS with a hybrid installation. We presently have an internally signed cert which has served us well, but obviously this won’t work for Office 365. We use OWA for external email users.

Reading the installation docs, it appears that we’ll need a cert for ADFS.  If I get a SAN cert, generated from the ADFS installation, can I share that between ADFS and Exchange, and if so, how?  And how does this affect communication between the DAG servers? I suppose it would be a best-practice to do this off-hours but is there a way of “backing up” my existing cert to restore that if things go bad? Finally, since we are a non-profit, anyone know of good, cheap cert providers?
Question by:ejefferson213
LVL 14

Assisted Solution

BlueCompute earned 600 total points
ID: 40019538
Free SSL certs are available from StartCOM. If you want to pay, GoDaddy are the cheapest, but they're also absolutely horrible in every other way - just use StartSSL and have done with it.
ADFS can share a certificate with Exchange and Outlook Web Access; generate the request using IIS as per normal, install the certificate in IIS and also install it anywhere else you need the certificate. I'd probably not bother using a SAN certificate; just get 2 issues for the names you'll actually be using. IIS keeps old certificates when you add new ones, so there's no specific requirement to back the certificates up manually.

Generating the request:
Installing the signed certificate in IIS:
Installing the cert as an ADFS Communications certificate:
Setting certs in Exchange Shell:
LVL 27

Assisted Solution

Steve earned 400 total points
ID: 40019549
Firstly, self-cert SSLs are not ideal for Exchange and some issues simply cannot be fixed without purchasing a proper SSL.
Once you have a suitable SSL you can use it for many purposes, including ADFS.

Many cheap options exist, but the basic certs from GoDaddy are a good bet.

You can install a purchased cert alongside your existing self cert, and you can easily swap between them as required. So you can always go back to the original if you feel there's an issue.

Warning: it is increasingly difficult to purchase a cert for 'internal' domains (e.g. domain.local, domain.private), so you may have to assess the FQDNs you need the cert on before going ahead.
LVL 64

Accepted Solution

btan earned 1000 total points
ID: 40019726
You probably have seen this for Plan for third-party SSL certificates for Office 365. Certificates are required for the following Office 365 components:
- Exchange on-premises
- Single sign-on (SSO) (for both the Active Directory Federation Services (AD FS) federation servers and AD FS federation server proxies)
- Exchange Online services, such as Autodiscover, Outlook Anywhere, and Exchange Web Services
- Exchange hybrid server

Probably you should see this for Certificate Planning in Exchange 2013 and this for Exchange Hybrid Deployment and Migration with Office 365

But specifically, MS recommends this for
We recommend that you use a dedicated third-party certificate for the AD FS server, another certificate for the Exchange services on your hybrid server, and if needed, a certificate on your Exchange server. Federated delegation on the hybrid server uses a self-signed certificate by default. Unless you have specific requirements, there's no need to use a third-party certificate with federated delegation.
The services that are installed on a single server may require that you configure multiple fully qualified domain names (FQDNs) for the server. Purchase a certificate that allows for the required number of FQDNs. Certificates consist of the subject, or principal, name, and one or more subject alternative names (SAN). The subject name is the FQDN that the certificate is issued to. SANs are additional FQDNs that can be added to a certificate in addition to the subject name. If you need a certificate to support five FQDNs, purchase a certificate that allows for five domains to be added to the certificate: one subject name and four SANs.

Another note for SSO purposes
-Single sign-on with AD FS requires Active Directory on-premises.
-Single sign-on requires that you install and run the Microsoft Online Services Directory Synchronization tool.
-If you plan to migrate all mailboxes to the cloud and set up single sign-on, you can’t deploy AD FS or directory synchronization before you run a cutover Exchange migration in the Exchange Control Panel. You can, however, run a staged Exchange migration after you deploy AD FS and directory synchronization.

As mentioned earlier, for the hybrid case, ADFS and an ADFS proxy are needed, and the guided step for importing a server certificate is necessary to import a server authentication certificate on each ADFS server. The key is that a single-name SSL (or SAN) certificate is sufficient (as compared to using a wildcard cert), and if you use a single-name certificate, the FQDN included should match the FQDN that you configured for the ADFS server.

It will be good to look through the steps shared as a good overview. Minimally, understand the flow for co-existence, and that identity checks are validated against AD, which remains at your site (instead of the cloud).

Note: The WAAD Sync tool was formerly known as the Directory Synchronization tool (DirSync tool).
LVL 64

Expert Comment

ID: 40019760
Also if using the same public certificate for Office 365 Hybrid internally and externally, depending on your internal environment complexity, a more complex type and/or you do not have split brain DNS (this means you cannot use the same URL for your services internally and externally) then you will need to use multiple certificates. If you are in this circumstance I recommend that you plan for your internal certificate requirements first and then add on your Office 365 Hybrid requirements. Once you have a combined list of names it is much easier to plan your certificate locations and generate the requests accordingly.

Some best practices are also mentioned by MS here for the choice of certificate. Note that wildcard and SAN are different; though both will work, preferably be specific and secure using a SAN cert instead. Also, not all CAs support SAN certificates, and other CAs don't support as many host names as you might need.

You can actually make a certificate request from IIS and submit it to the 3rd-party CA for signing, as shared here. Make sure that the common name matches what you plan to call the AD FS server farm. Microsoft best practices recommend that you use the host name STS (secure token service).

Examples of 3rd-party CAs include GoDaddy.
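Pulling the steps from the answers above (BlueCompute's generate/install/Exchange Shell sequence and btan's one-subject-plus-SANs sizing) into a single Exchange Management Shell walkthrough for Exchange 2010, as an added example that is not from the thread; the hostnames, file paths and password prompt are assumed placeholders.

```powershell
# Added example (not from the original thread): swap a third-party SAN
# certificate into Exchange 2010 while keeping the current self-signed cert
# available for rollback. All names and paths below are assumed placeholders.

# 1. Record what is bound today, so the rollback target is known.
$old = Get-ExchangeCertificate | Where-Object { $_.Services -ne 'None' }
$old | Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter

# 2. Back up the current certificate(s), private key included, to PFX files.
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString
foreach ($c in $old) {
    $bin = Export-ExchangeCertificate -Thumbprint $c.Thumbprint -BinaryEncoded -Password $pfxPass
    Set-Content -Path "C:\CertBackup\$($c.Thumbprint).pfx" -Value $bin.FileData -Encoding Byte
}

# 3. Generate one CSR covering three FQDNs: one subject name plus two SANs
#    (the "five FQDNs = one subject + four SANs" rule from the accepted answer).
$csr = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName 'C=US, O=Example Nonprofit, CN=mail.example.org' `
    -DomainName 'mail.example.org','autodiscover.example.org','sts.example.org'
Set-Content -Path 'C:\CertBackup\mail.example.org.req' -Value $csr
# Submit the .req file to the CA; it returns a signed certificate file.

# 4. Import the signed certificate and bind it only to the services it serves.
$new = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path 'C:\CertBackup\signed.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services IIS,SMTP

# 5. Verify: the new thumbprint now carries IIS (OWA) and SMTP, and the old
#    one is still present in the store, so rollback is one cmdlet away.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter -AutoSize

# Rollback, only if something breaks after the change window:
# Enable-ExchangeCertificate -Thumbprint $old[0].Thumbprint -Services IIS,SMTP
```

The same signed certificate (exported again as PFX with its private key) is what gets installed on the ADFS server as its communications certificate, as the first answer describes.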

Author Closing Comment

ID: 40027200
Thank you all for your support and comments; it is greatly appreciated!!
