Multiple UCC SSL certificates on MS Exchange 2010

I have an Exchange 2010 server that is currently hosting one authoritative domain. For this domain we also have a UCC SSL certificate. I want to add another authoritative domain. How can I add a second UCC SSL certificate so that each domain can use its own secured website to access the Exchange server?
David Barman Asked:

Costas Georgiou, Network Administrator, Commented:
Unless the Exchange is in hosted mode you will have to use the primary domain SSL.

The reason why I say that is because for authentication purposes you still have to use the local domain credentials anyway.

Also it depends on the scenario which meets our requirement.

The SSL is associated with the IIS directory which can only have one certificate associated with it.
David Barman, Author, Commented:
I am not familiar with hosted mode. Can you explain?

IIS is limited to one certificate?
Costas Georgiou, Network Administrator, Commented:
Sorry, what I meant was one SSL for Exchange to use with IIS.

We offer a similar solution to our clients where we host a few domains.

What I have done is created a domain called hosted.local and all the clients can use the same domain for authentication and an SSL certificate for a domain that I created called hosted.sbc.com

By creating a separate database for Hosted I am able to isolate them from the address list for internal business.

Does that work for you?

Can you advise if the second domain is for an external client that you are adding or for internal use only?

Sorry for amateur answers as I am trying to figure out what you are trying to achieve and what your limitations or security concerns are?

Simon Butler (Sembee), Consultant, Commented:
The whole point of having a UCC certificate is to allow different domains to be listed on the certificate.
Therefore if you have mail.example.com as the common name, you can add mail.example.net as an additional name. Users can browse to mail.example.net and get connected without any errors.
Only if they open the SSL certificate properties would they see the common name.

However, even if you were to put a second certificate on to the server, you are not going to be able to hide the common name. You have to configure URLs within Exchange which will correct the browser or device to use the preferred name. Even if you add an additional IIS web site, or server, if they are in the same Exchange org, it is one URL for all users.

What you haven't said is what connection this second domain is to your business.
If it is just an additional subsidiary, then you are fine. If it is a client then you are breaking the terms of your licence agreement. You would need to be on a Microsoft licence scheme for hosting providers.

Simon.
David Barman, Author, Commented:
It's for a sister company that we acquired.
David Barman, Author, Commented:
Is it possible to keep the GALs separate by using different databases?
David Barman, Author, Commented:
If I added the other domain name to the certificate, will that allow them to use their domain to access the server either via OWA, ActiveSync, or Outlook via RPC over HTTPS?
Simon Butler (Sembee), Consultant, Commented:
If you add their domain to the certificate, they will initially use their own name. However it will be corrected to the name as configured on the URLs within Exchange by Autodiscover. It isn't possible to have different URLs for different users unless the servers are separate and in separate Active Directory sites.

Databases don't separate the GALs. You need to look at Address Book Policies.

Simon.
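
Added example, not part of the thread or of any participant's post: an Exchange Management Shell script (Exchange 2010) for the two points made in the answers above, one UCC request that lists both companies' names, then a check that every host name in the URLs Exchange publishes to clients is present on the certificate assigned to IIS. mail.example.com and mail.example.net are the placeholder names used in the thread; the autodiscover names and the C:\certs path are assumptions.

```powershell
# Added example; run in the Exchange Management Shell on the Exchange 2010 server.
# Assumed values: the autodiscover names and the C:\certs path.
$names = 'mail.example.com', 'mail.example.net',
         'autodiscover.example.com', 'autodiscover.example.net'

# 1. One UCC request: the subject carries the common name, -DomainName the full name list.
$csr = New-ExchangeCertificate -GenerateRequest -SubjectName 'cn=mail.example.com' `
           -DomainName $names -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\ucc.req' -Value $csr

# 2. Once the CA has issued the certificate, import it and assign it to IIS:
# Import-ExchangeCertificate -FileData ([byte[]](Get-Content 'C:\certs\ucc.cer' `
#     -Encoding Byte -ReadCount 0)) | Enable-ExchangeCertificate -Services IIS

# 3. Gather every URL Exchange hands to clients (directly or through Autodiscover).
$both = { $_.InternalUrl; $_.ExternalUrl }
$urls  = @()
$urls += Get-OwaVirtualDirectory         | ForEach-Object $both
$urls += Get-EcpVirtualDirectory         | ForEach-Object $both
$urls += Get-ActiveSyncVirtualDirectory  | ForEach-Object $both
$urls += Get-WebServicesVirtualDirectory | ForEach-Object $both
$urls += Get-OabVirtualDirectory         | ForEach-Object $both
$urls += Get-ClientAccessServer | ForEach-Object { $_.AutoDiscoverServiceInternalUri }
$published  = @($urls | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host })
$published += Get-OutlookAnywhere | ForEach-Object { "$($_.ExternalHostname)" }
$published  = $published | Where-Object { $_ } |
                  ForEach-Object { $_.ToLower() } | Sort-Object -Unique

# 4. Names on the certificate currently assigned to IIS (newest expiry first).
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -like '*IIS*' } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

# 5. Report whether each published host name is covered (exact or one-label wildcard).
foreach ($name in $published) {
    $covered = $false
    foreach ($n in $certNames) {
        $wild = $n.StartsWith('*.') -and $name.EndsWith($n.Substring(1)) -and
                ($name.Split('.').Length -eq $n.Split('.').Length)
        if ($n -eq $name -or $wild) { $covered = $true }
    }
    New-Object PSObject -Property @{ HostName = $name; OnCertificate = $covered }
}
```

A row with OnCertificate set to False is a URL that clients will be directed to but that the certificate does not list, which shows up as a name-mismatch warning.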
David Barman, Author, Commented:
But the url will automatically change?
Simon Butler (Sembee), Consultant, Commented:
Yes, it will.
That is done by Exchange and Autodiscover automatically. Nothing you can do to stop that.

Simon.
David Barman, Author, Commented:
Thank you

Question has a verified solution.
