• Status: Solved

SSL and Mail

Does my UCC SSL need to have my domain name alone? When it was set up it included the domain root. Right now I have


Do I need the XXX.com? It seems that it causes problems sometimes.

I am renewing for my website, which is www.XXX.com and XXX.com. Same domains.
Chad Franks Commented:
You could create a wildcard certificate *.xxx.com. If you did that you could use it for anything .xxx.com related. I have used these in the past without issues.
Jennifer (Author) Commented:
I could do that on the UCC but my UCC is my Exchange certificate and I only want it to be my Exchange certificate. I have a different certificate for my website. I then have a separate certificate for my VPN. So do I need to have xxx.com on all?
Wouldn't putting *.domain.com on any of them cause a conflict between them?

Or should I have them separate?
mail.domain.com, autodiscover.domain.com, and server.domain.com on the UCC, vpn.domain.com on the VPN, and then www.domain.com and domain.com on the SSL for the web?
Chad Franks Commented:
There would be no conflicts using the *.domain.com, since anything registered before the .domain.com would be covered. I have used wildcard certs in this type of configuration in the past. If you want to keep it separate, then you could create one specifically for Exchange and then use the wildcard for the rest. There would be no conflict if you used 2 different certs, mail.domain.com and *.domain.com, on the same server, since they would be used for specific applications.
Simon Butler (Sembee), Consultant, Commented:
The Microsoft wizard will usually put the root of the domain into the certificate, and that is probably where it has come from.
Personally, I don't like to use wildcard certificates with Exchange; I have had quite a few problems with them.

For Exchange, you only need two host names

host.example.com - common name, which shouldn't match the server's real name

No other names are required on the SSL certificate, although you can include them if you wish.
Some SSL providers will add www.host.example.com by default, but that isn't required.

Chad Franks Commented:
You could also use SAN (Subject Alternative Name) certificates; that way you can use multiple host names for the same cert.

Using a SAN certificate saves you the hassle and time involved in configuring multiple IP addresses on your Exchange server, binding each IP address to a different certificate.
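
The host-name question in this thread comes down to which names each certificate's Subject Alternative Name list covers. As an added example (not posted by any participant), this Python sketch applies the usual matching rule, where a wildcard stands for exactly one left-most label, to constructed SAN lists built from the thread's domain.com placeholder; the function names and the hypothetical `wildcard` certificate are assumptions.

```python
# Added example: which certificate covers which host name.
# All names are constructed from the thread's placeholder domain.

def san_matches(pattern, host):
    """True if one SAN dNSName entry covers host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so *.domain.com covers
        # neither domain.com itself nor a.b.domain.com.
        return False
    if p[0] == "*":
        # Conservative choice: require two fixed labels after the wildcard
        # (rejects patterns such as *.com) and a non-empty host label.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def coverage(certs, hosts):
    """Map each host to the names of the certificates whose SANs cover it."""
    return {host: [name for name, sans in certs.items()
                   if any(san_matches(s, host) for s in sans)]
            for host in hosts}


# Constructed SAN lists following the split proposed in the question,
# plus a hypothetical wildcard certificate for comparison.
CERTS = {
    "exchange-ucc": ["mail.domain.com", "autodiscover.domain.com",
                     "server.domain.com"],
    "vpn": ["vpn.domain.com"],
    "web": ["www.domain.com", "domain.com"],
    "wildcard": ["*.domain.com"],
}

# Host names clients would connect to (constructed).
HOSTS = ["mail.domain.com", "autodiscover.domain.com", "vpn.domain.com",
         "www.domain.com", "domain.com"]

if __name__ == "__main__":
    for host, names in coverage(CERTS, HOSTS).items():
        print(f"{host:26} {', '.join(names) or 'NOT COVERED'}")
```

In this constructed data the bare domain.com is covered only by the web certificate that lists it explicitly, so a certificate needs the root as its own SAN entry only if clients connect to that name on the service it secures.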
