Exchange 2010 SAN Certificate

I'm in the process of reviewing and updating our current SAN certificate. Currently listed in the SAN certificate are all the autodiscover records for all of our email domains, the web addresses for OWA, and both of our CAS servers' FQDNs, one in each AD site.

What needs to be included in the Exchange 2010 SAN certificate? For some of the autodiscover records I'd like to move away from creating SRV records and set up the SAN certificate correctly, unless we approach the domain limit for the SAN certificate.

Simon Butler (Sembee), Consultant, commented:
What you have listed is what I would include, UNLESS your internal names are .local or something that doesn't resolve on the internet.
That is because on trusted SSL certificates that expire past November 2015, you cannot have internal host names (or NETBIOS or IP addresses). Therefore you might have to adjust the naming conventions used internally.

With regards to Autodiscover, you need to cover Autodiscover for each domain where users have the domain as their PRIMARY email address. If it is just a secondary address then it doesn't need to be in Autodiscover.
With regards to the limit, my own site sells certificates with up to 100 slots on them, so if you want to go down the route of having lots of names on the certificate, that isn't a problem.

The other option is a second IP address and web site and use the redirect method. That is what most major hosted Exchange providers will do, as it doesn't require SRV record support (Which isn't available with all DNS providers).


georgedschneider (Author) commented:
If I was planning on adding additional CAS servers and creating a CAS array, would I need each of them added as well? Why are the CAS servers' internal names needed on the SAN certificate?
Simon Butler (Sembee), Consultant, commented:
You don't need the CAS array in the SSL certificate, because the CAS array address
- should only be used for MAPI traffic, nothing else.
- should not resolve on the internet, so is ineligible.

If you have your DNS setup correctly and are using a load balancer, then you don't need to put the internal server names on the SSL certificate.
However if you are using multiple CAS role servers then you should either have a unique name for each server (so you can bypass any load balancer) or be prepared to use hosts files to ensure the traffic goes where you want during troubleshooting.

Also remember that if you have multiple AD sites then you will need to have a unique host name for each AD site for internal Autodiscover.

georgedschneider (Author) commented:
If we are using multiple CAS servers, each server should be included in the SAN certificate.

We currently have 1 CAS server in each site, which I have in our current SAN certificate. The plan is to add an additional CAS server for redundancy. Eventually a hardware load balancer will be introduced, which I would just include in the SAN cert instead of the CAS server. In the meantime, until that is implemented, would I need to include all the servers behind the array, in case I ever needed to bypass the load balancer for whatever reason?
Simon Butler (Sembee), Consultant, commented:
If you have multiple CAS then you have two options.

1. A single SAN certificate with all of the names on it. That certificate is then used on all of the servers.
2. A single SAN certificate on whatever server will accept the Autodiscover traffic from outside. All other servers have a single name certificate on them, with the appropriate DNS settings internally and externally.

The load balancer can use an existing common name, but remember it is still site specific.
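An added example, not code from the thread or from Exchange itself, that turns the rules given in the answers above into an audit of a SAN name list: autodiscover.<domain> must be covered for every PRIMARY email domain, the OWA and per-server CAS names must be present, and internal names (.local, NetBIOS single-label names, IP addresses) are ineligible on a publicly trusted certificate that expires past November 2015. The private-suffix list and all sample names are constructed assumptions; in practice the SAN list would come from the certificate itself (e.g. the Get-ExchangeCertificate output).

```python
"""Audit an Exchange 2010 SAN certificate's name list (added example)."""
import ipaddress
from datetime import date

# Public CAs will not issue certificates containing internal names that expire
# after this date (the November 2015 cutoff referred to in the answer above).
INTERNAL_NAME_CUTOFF = date(2015, 11, 1)
# Assumption: suffixes that never resolve on the public internet.
NON_PUBLIC_SUFFIXES = (".local", ".internal")

def is_internal_name(name: str) -> bool:
    """True for names a public CA will not sign: IP literals,
    single-label (NetBIOS-style) names, and private suffixes."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        pass
    if "." not in name:                      # e.g. "CAS02"
        return True
    return name.lower().endswith(NON_PUBLIC_SUFFIXES)

def san_matches(san_entry: str, host: str) -> bool:
    """Case-insensitive match; a leading '*' covers exactly one label."""
    san_entry, host = san_entry.lower(), host.lower()
    if san_entry.startswith("*."):
        return host.count(".") == san_entry.count(".") and host.endswith(san_entry[1:])
    return san_entry == host

def audit_san(san_entries, primary_domains, other_hosts, not_after):
    """Return (missing, ineligible) for a certificate expiring on not_after
    (ISO date string). missing = required hosts no SAN entry covers;
    ineligible = internal names a public CA will reject for that expiry."""
    expiry = date.fromisoformat(not_after)
    required = [f"autodiscover.{d}" for d in primary_domains] + list(other_hosts)
    missing = [h for h in required
               if not any(san_matches(s, h) for s in san_entries)]
    ineligible = [s for s in san_entries
                  if is_internal_name(s) and expiry > INTERNAL_NAME_CUTOFF]
    return missing, ineligible

# Constructed sample data, not taken from the question:
SAMPLE_SAN = ["mail.example.com", "autodiscover.example.com",
              "autodiscover.example.net", "cas01.corp.local", "CAS02", "10.0.0.5"]
SAMPLE_PRIMARY_DOMAINS = ["example.com", "example.net", "example.org"]
SAMPLE_OTHER_HOSTS = ["mail.example.com", "cas01.corp.local", "cas02.example.com"]

if __name__ == "__main__":
    missing, ineligible = audit_san(SAMPLE_SAN, SAMPLE_PRIMARY_DOMAINS,
                                    SAMPLE_OTHER_HOSTS, "2017-01-01")
    print("missing:   ", missing)      # autodiscover.example.org, cas02.example.com
    print("ineligible:", ineligible)   # cas01.corp.local, CAS02, 10.0.0.5
```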
