Exchange 2010: How to set up certificates for OWA/Autodiscover, and TLS between SMTP servers, and Edge Subscription?

Hi there. We have a two server Exchange 2010 set up: One internal server that is the Client Access and Hub Transport and an external server that is our Edge.

We have an SSL certificate from a public CA we want to present when users log in to OWA/Autodiscover/etc. We would also like to have TLS connections using an SSL cert between external SMTP servers and of course, a cert is needed to handle the Edge subscription between Edge and the Hub.

When trying to use the same certificate for these use cases, Exchange will throw an error saying: "Sharing the same certificate between Edge and Hub Transport servers is not allowed."

What's not clear from searching around is what the best practice is here: Use a public CA cert for OWA/Autodiscover/etc., and use a self-signed for SMTP/TLS? Wouldn't it be advantageous to use a public CA cert for SMTP connections between external SMTP servers? Should we buy two certs then for this case?

Thanks in advance!
Gonthax asked:

viktor grant (Exchange Servers) commented:
Hi,

You cannot use the same certificate.  So you will need to enable your self-signed certificate for the SMTP service and then recreate the Edge subscription. And you should use the certificate from the external CA for the IIS service.

Cheers
Viktor
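The split Viktor describes (public CA certificate on IIS, a self-signed certificate on SMTP on each transport server, then a fresh Edge Subscription), written out as an added Exchange Management Shell example. This is not code from the thread; it assumes the public CA certificate is already imported on the internal server, and uses placeholder names throughout: the thumbprint `AAAA...`, the Edge host name `edge.example.com`, the Active Directory site `Default-First-Site-Name`, and the file path `C:\EdgeSubscription.xml`.

```powershell
# ===== Part 1: on the internal Client Access / Hub Transport server =====

# Show what is installed so the right thumbprints can be picked out.
# Assumption: the public CA certificate was already brought in with Import-ExchangeCertificate.
Get-ExchangeCertificate | Format-Table Thumbprint, Services, IsSelfSigned, Subject -AutoSize

# Bind the public CA certificate to IIS only (OWA, ECP, EWS, Autodiscover, ActiveSync).
# Placeholder thumbprint; replace it with the value shown by the listing above.
$publicThumb = 'AAAA...'
Enable-ExchangeCertificate -Thumbprint $publicThumb -Services IIS

# The Hub keeps its own self-signed certificate on SMTP. Setup created one at install
# time; if it has since been deleted, this recreates it. -Force suppresses the
# "overwrite the default SMTP certificate?" prompt.
$hubSmtp = Get-ExchangeCertificate | Where-Object { $_.IsSelfSigned -and ($_.Services -match 'SMTP') }
if (-not $hubSmtp) {
    $hubSmtp = New-ExchangeCertificate -DomainName $env:COMPUTERNAME -Services SMTP -Force
}
"Hub SMTP certificate thumbprint: $($hubSmtp.Thumbprint)"   # note this value for the check in Part 3

# If a subscription already exists for the Edge, remove it on the Hub side too.
# Placeholder Edge server name.
Get-EdgeSubscription | Where-Object { $_.Name -eq 'EDGE01' } | Remove-EdgeSubscription -Confirm:$false

# ===== Part 2: on the Edge Transport server =====

# Generate a self-signed certificate for SMTP on the Edge. It must be a different
# certificate from the one on the Hub, otherwise New-EdgeSubscription fails with
# "Sharing the same certificate between Edge and Hub Transport servers is not allowed."
$edgeSmtp = New-ExchangeCertificate -DomainName 'edge.example.com' -FriendlyName 'Edge SMTP' `
                                    -Services SMTP -PrivateKeyExportable $false -Force
"Edge SMTP certificate thumbprint: $($edgeSmtp.Thumbprint)"

# Drop any stale subscription on the Edge, then export a fresh subscription file.
Get-EdgeSubscription | Remove-EdgeSubscription -Confirm:$false
New-EdgeSubscription -FileName 'C:\EdgeSubscription.xml'

# Copy C:\EdgeSubscription.xml to the Hub Transport server out of band (the file
# carries the Edge credentials, so delete it from both machines afterwards).

# ===== Part 3: back on the Hub Transport server =====

# Refuse to continue if the two SMTP certificates are somehow the same object.
# Paste the Edge thumbprint printed in Part 2 here (placeholder value).
$edgeThumb = 'BBBB...'
if ($edgeThumb -eq $hubSmtp.Thumbprint) {
    throw 'Edge and Hub would share one SMTP certificate; issue a separate certificate on the Edge first.'
}

# Import the subscription file and push the first synchronisation.
$fileData = [byte[]](Get-Content -Path 'C:\EdgeSubscription.xml' -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $fileData -Site 'Default-First-Site-Name'
Start-EdgeSynchronization
Test-EdgeSynchronization
```

Two points worth checking once this is in place. First, the certificate foreign mail servers see is whatever is enabled for SMTP on the Edge, so confirm it from outside with `openssl s_client -starttls smtp -connect edge.example.com:25` and look at the subject and issuer it prints. Second, opportunistic TLS between SMTP servers does not require the peer to trust that certificate, which is why the self-signed one works; if you later enable Domain Security (mutual TLS via `TLSSendDomainSecureList` / `TLSReceiveDomainSecureList`), the partner must be able to chain the Edge certificate to a CA it trusts, and a self-signed certificate will no longer do.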
 
viktor grant (Exchange Servers) commented:
Hi,

You receive this error when you try to create the Edge Subscription ("Sharing the same certificate between Edge and Hub Transport servers is not allowed.")?

Cheers
 
Gonthax (author) commented:
Hi Viktor,

Yes, that's correct. Thanks!
Gonthax (author) commented:
Thanks, Viktor - self-signed certificates are OK for communication between external SMTP servers (meaning our server connecting to a foreign SMTP server)? They're implicitly trusted? Thanks!
 
viktor grant (Exchange Servers) commented:
Hi,

Exactly! Perfect that the issue is solved
 
Gonthax (author) commented:
Thank you Viktor for your help - I'm surprised self-signed certificates are ok for such use, but it seems to work. Cheers!
Question has a verified solution.