DP230 (United Kingdom) asked:

Install 2 SSL certs in 1 Exchange mail server

Dear Wizards, can I use 2 SSL certificates for 2 different domains on 1 Exchange 2016 mail server?

We have a problem here: https://www.experts-exchange.com/questions/29091045/SSL-warning-in-autodiscover-service-of-Exchange-2016.html and are trying to add an SSL certificate for new-domain.com to the old-domain.com Exchange server.

Is it possible, and which service should we assign the new SSL certificate to?
Many thanks.
arnold (United States):

Do you have more than a single IP?
If not, a UCC certificate that has multiple..
Use a SAN certificate which includes both domains
DNS=mail.domain1.com
DNS=mail.domain2.com
DNS=autodiscover.domain1.com
DNS=autodiscover.domain2.com
DNS=OWA.domain1.com
DNS=OWA.domain2.com
Etc.

If you have multiple public IPs you could set up inbound connections for each domain and attach the respective certificate to each connector.
ASKER CERTIFIED SOLUTION by J0rtIT (Venezuela): this post is only available to Experts Exchange members and is not shown on this page.
DP230 (asker):

Hi,

@arnold: No, my Exchange server has only 1 public IP address; the problem appeared when we configured an Accepted Domain in the Exchange server (so that users could use the new domain instead of the old one).

@Jose: in case both of these 2 domains need wildcard SSL, is it possible to combine them into only one SSL certificate?

It's possible, but it is also more expensive.
For example:
https://comodosslstore.com/multi-domain-wildcard-ssl.aspx
DP230 (asker):

Hi, it said that "By default, this product will secure 2 wildcard domains (for example: *.yourdomain.com and *.domain.com) and must have a non-wildcard domain (for example: yourdomain.com) listed as the base domain, or Common Name".

As I understand it, the non-wildcard domain should be different (for example: theotherdomain.com) from those 2 wildcard domains, am I right? Because the total is 3? I'm confused by the note on the website :(
noci:

@Jose Gabriel Ortega C: Multiple certificates CAN be used on a single listening instance IF SNI is used.
SNI uses a publicly readable field in the negotiation header to select the right certificate.
No, the non-wildcard domain can be one of the domains...

E.g. yourdomain.com with SAN (Subject Alternative Names) *.yourdomain.com and *.otherdomain.com
You can't have more than one certificate bound to an IP:Port combination on a server. For example, you could have a cert with domain-a.com bound to :443, and you could have a cert with domain-b.com bound to :25, but if you wanted both domain-a.com and domain-b.com bound to both :443 and :25, they would need to be on the same certificate. You can get a UC or SAN cert if you have multiple names belonging to one or more domains, or a wildcard certificate if you have multiple names belonging to the same domain.
Well noci, Aaron explained better. No need to add anything.
Sorry, phone autocorrect. "very" should be "cert." :-)
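A quick way to check which of the Exchange host names a candidate certificate actually covers, tying arnold's SAN list above to the wildcard discussion that follows it. This is an added example, not code from the thread; the host names and the three certificate name lists are constructed, and the matching rule is the usual one for TLS server names (a `*` only as the whole leftmost label, matching exactly one label), which is why `*.domain1.com` does not cover the bare `domain1.com` and a multi-domain wildcard product wants a non-wildcard base name as well.

```python
"""Does one certificate cover every host name an Exchange server presents?

Added example, not from the thread. Host names and SAN lists are constructed
to mirror the two-domain setup discussed above.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a host name.

    Rules applied: comparison is case-insensitive; a wildcard must be the
    entire leftmost label and stands for exactly one label, so it never
    covers the bare domain or a deeper subdomain; partial wildcards such
    as "m*.domain1.com" and top-level ones such as "*.com" are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # wildcard must be the whole leftmost label, nowhere else
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # refuse "*.com"; wildcard spans exactly one label
    return p_labels[1:] == h_labels[1:]


def uncovered_hosts(cert_names, required_hosts):
    """Return, sorted, the required hosts no name on the certificate matches."""
    return sorted(h for h in required_hosts
                  if not any(name_matches(n, h) for n in cert_names))


# Constructed: names a server for two accepted domains must present, plus the
# bare first domain, which a plain wildcard does not include.
EXCHANGE_HOSTS = [
    "mail.domain1.com", "autodiscover.domain1.com", "owa.domain1.com",
    "mail.domain2.com", "autodiscover.domain2.com", "owa.domain2.com",
    "domain1.com",
]

# Constructed: the three kinds of certificate the thread compares.
SINGLE_WILDCARD = ["*.domain1.com"]
UC_SAN = EXCHANGE_HOSTS[:6]  # arnold's explicit DNS= list, six names
MULTI_DOMAIN_WILDCARD = ["domain1.com", "*.domain1.com", "*.domain2.com"]

if __name__ == "__main__":
    for label, names in [("single wildcard", SINGLE_WILDCARD),
                         ("UC/SAN", UC_SAN),
                         ("multi-domain wildcard", MULTI_DOMAIN_WILDCARD)]:
        print(f"{label}: uncovered = {uncovered_hosts(names, EXCHANGE_HOSTS)}")
```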
SOLUTION: this post is only available to Experts Exchange members and is not shown on this page.
@Jose, Aaron, I run no Exchange server; I do have an NGINX web server that has 8 different certificates all on port 443.
I have haproxy dispatch to various servers WITHOUT terminating the connection (there are no certificates for the services on the haproxy server).
This is all based on SNI from TLS. Using haproxy (an open-source tool) one CAN terminate 2 (or more) connections all on ONE port and connect to different backends (which can be the same server, with different ports if needed).
The question is whether the SSL connection uses SNI (Server Name Indication).
Noci, this is a "Windows" environment, not a "UNIX" one. If UNIX can have more than one, that's one thing, but how Windows works is a totally different thing. Sorry bud, but we are talking about an Exchange server under Windows.
Yes, you can bind multiple certs with SNI, but not in this case. IIS 8 supports SNI, but the client interfaces used to consume the services aren't able to use it. As far as I know, the product group doesn't support using SNI, so in this context Windows/IIS/Exchange is limited to one certificate per IP:port.
DP230 (asker):

Hi, so we can use a multi-domain wildcard SSL cert to solve my problem, am I right? And I need to replace the old SSL cert with it? Can you confirm?

Ultimately, yes.

If you must have all of those server and domain names, I'd just recommend a UC certificate. They support many names (I've gotten them with 15 or 20 names before). Two wildcards bound to a SAN certificate will most likely be very expensive. I saw you posted a link to Comodo certificates; they were compromised a few years back, so a lot of browser vendors yanked their root certificates. It depends on how many names you want on your certificate to determine which is the most cost-effective solution.

You can check around; it will probably be in the range of $300/wildcard cert domain/year (so maybe $600-700 for two wildcard domains) for a CA like GoDaddy, closer to $500/year for a CA vendor like GeoTrust, and then $2,000/domain/year per server for a CA like Symantec.
DP230 (asker):

No, not only for the Exchange server; we also have some websites and sub-domains for internal apps. So a wildcard should be suitable?
Comodo redeemed itself by taking appropriate action and revoking all erroneous certificates within hours after the breach was discovered.
DigiNotar tried to hide that they were broken into a few times; they were yanked from the certificate store.
StartSSL (& WoSign) made huge blunders by issuing the same certificate serial numbers for different certificates and had no explanation.
After this was noted they were asked how they handled the issue; no satisfactory answers were given (instead more errors were found) before the deadline, and they got yanked last year.
@13L@CK_H3@RT, that was my answer, wasn't it?
The answer is yes. You are the only one who can say whether it would be worth the money or not, depending on the number of sites and services that would use the wildcard multi-domain certificate.
If you price it out and it's a good value for your usage, then sure.