Matthew Cioffi

asked on
Certificates for Exchange 2010

Hello everyone,

I'm outside my comfort zone here with certificates. It is not something I have had to deal with very often. So I may be asking some very basic questions confuddled by my lack of knowledge.

In Exchange server config there are several certs listed.  Some are self-signed TRUE and a couple FALSE.  That is confusing as we never purchased anything.  They should all be self-signed.  I tried to renew one of the certs but it kept asking for the REQ file.  I did not have one.  The instructions I found on TECHNET did not indicate how to generate this file.

I created a new cert, then assigned all the services to it. Outlook is still having issues. Some iPhones seem to be having issues.

So what I would like to do is start clean if possible. Can I shut down Exchange for a short time, remove all certs and create new self-signed certs for internal and external connections? 3rd party for external will be expensive for us. I have been told we need a wildcard UCC cert; this will be 565 a year if we purchase it for 3 years. That is more than the business owner wants to spend right now. I would prefer getting a 3rd party cert, but we have been using the original self-signed ones since Exchange was configured.

So I need help to make sure Exchange is configured properly, the certs work for mobile devices and for internal exchange.  Should we change the external DNS to something else and configure the phones differently?  I'm willing to make those changes if it will solve the bulk of our issues.

I understand this is probably a lot of work, but I need to get this all set up correctly so I can figure out if there are other issues happening as well.
ASKER CERTIFIED SOLUTION
M A

Certificates are actually pretty simple in Exchange. They are either assigned to services or they aren't. The certificate that is used by Exchange should have the IIS, SMTP, POP, and IMAP services assigned to it. Only one certificate can have all services assigned to it, and the others can be removed.

In regard to using a UCC/SAN certificate, this is not *required* for Exchange. You can use a certificate with a single name; you just have to change the way Autodiscover's DNS records are configured. Specifically, you can change from using an autodiscover.domain.com record for Autodiscover to using an SRV record. https://acbrownit.com/2012/12/20/internal-dns-and-exchange-autodiscover/ explains why and how to use this. If you use an SRV record, it allows Autodiscover to look up the settings using mail.domain.com instead of autodiscover.domain.com (which is the default). This will result in significantly less work for you, because using a self-signed certificate will result in an error message every time users open Outlook, which can only be removed by installing the self-signed certificate as a Trusted Root Authority certificate on each client computer that connects to Exchange (this is a lot of work, especially if people are allowed to connect using Outlook on non-domain computers).
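A worked version of the cleanup M A describes (one certificate bound to IIS, SMTP, POP and IMAP, the rest removed, Autodiscover published through an SRV record), as an added example that is not part of the original thread or of Exchange's documentation. It runs in the Exchange Management Shell on Exchange 2010; the hostnames mail.example.com, autodiscover.example.com, exch01.corp.example, the zone example.com and the paths under C:\certreq are placeholders to replace with your own. Step 2b also shows how to produce the .req file the asker could not find instructions for, since Exchange 2010 returns the request as text rather than writing a file.

```powershell
# Added example (not from the thread): inventory, replace and trim Exchange 2010
# certificates in the Exchange Management Shell, then publish the Autodiscover
# SRV record the answer recommends. All hostnames and paths are placeholders.

# --- 1. Inventory: what is installed, who issued it, and which services use it.
# IsSelfSigned = False only means another CA (for example an internal enterprise
# CA) issued the certificate; it does not mean a certificate was purchased.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned, NotAfter

# --- 2a. Self-signed replacement carrying every name clients actually connect to
# (external name, Autodiscover name, internal server FQDN) as subject alternative names.
$names = 'mail.example.com', 'autodiscover.example.com', 'exch01.corp.example'
$cert = New-ExchangeCertificate `
    -FriendlyName 'Exchange 2010 (self-signed, placeholder)' `
    -SubjectName  'cn=mail.example.com' `
    -DomainName   $names `
    -PrivateKeyExportable $true

# --- 2b. Alternative for a commercial CA: generate the .req (CSR) file.
# Exchange 2010 hands the request back as text, so it must be written out by hand.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'c=US, o=Example Inc, cn=mail.example.com' `
    -DomainName  $names `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\certreq\mail.example.com.req' -Value $req
# When the CA returns the signed certificate, import it on the same server that
# generated the request (the private key lives there), then continue at step 3
# with the thumbprint that Import-ExchangeCertificate prints:
#   Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path 'C:\certreq\signed.cer' -Encoding Byte -ReadCount 0))

# --- 3. Bind the one certificate to every client-facing service.
# -Force suppresses the prompt about replacing the current default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS, SMTP, POP, IMAP -Force

# --- 4. Remove certificates that now serve nothing. Anything still bound to a
# service (including Federation, if configured) is deliberately left alone.
Get-ExchangeCertificate |
    Where-Object { $_.Thumbprint -ne $cert.Thumbprint -and $_.Services -eq 'None' } |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false }

# --- 5. Point domain-joined Outlook clients at an Autodiscover URL whose host
# name is on the certificate, so the SCP lookup does not produce a name mismatch.
Get-ClientAccessServer |
    Set-ClientAccessServer -AutoDiscoverServiceInternalUri 'https://mail.example.com/Autodiscover/Autodiscover.xml'

# --- 6. SRV record so external clients reach Autodiscover through mail.example.com
# instead of needing autodiscover.example.com on the certificate. Run on the
# Windows DNS server hosting the public zone (or create the same record at the
# registrar): _autodiscover._tcp.example.com -> mail.example.com, port 443.
dnscmd /RecordAdd example.com _autodiscover._tcp SRV 0 0 443 mail.example.com.

# --- 7. Verify: the SRV record resolves, and Exchange's own Autodiscover probe
# succeeds for a test mailbox (replace user@example.com).
nslookup -type=SRV _autodiscover._tcp.example.com
Test-OutlookWebServices -Identity user@example.com | Format-List
```

Run step 1 first and keep its output; the thumbprints are what you need if something has to be rolled back with Enable-ExchangeCertificate. With the self-signed path (2a), the Outlook certificate warning the answer mentions remains until the certificate is distributed to clients as a trusted root, which is the cost that the SRV-plus-single-name commercial certificate avoids.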
Matthew Cioffi

ASKER

-MAS was on the right track, I had additional issues that had to be resolved along the way.