Install 2 SSL certs in 1 Exchange mail server

Dear Wizards, Can I use 2 SSL certificates of 2 different domains for 1 Exchange 2016 mail server?

We have a problem here: https://www.experts-exchange.com/questions/29091045/SSL-warning-in-autodiscover-service-of-Exchange-2016.html and are trying to add an SSL certificate for new-domain.com to the old-domain.com Exchange server.

Is it possible and which service should we assign for new SSL?
Many thanks.
Asked by DP230, Network Administrator
arnold commented:
Do you have more than a single IP?
If not, a UCC certificate that has multiple names...
Use a SAN certificate which includes both domains:
DNS=mail.domain1.com
DNS=mail.domain2.com
DNS=autodiscover.domain1.com
DNS=autodiscover.domain2.com
DNS=OWA.domain1.com
DNS=OWA.domain2.com
Etc..

If you have multiple public IPs you could set up inbound connections for each domain and attach the respective certificate to each connector.
Jose Gabriel Ortega Castro (CEO) commented:
The point is that you just can't have 2 SSL active at the same time for multiple domains in an Exchange server.

What you need is an SSL certificate that can have 2 or more SANs (Subject Alternative Names), 1 for each domain, and you would need 2 SANs per domain:

domainA.com
Records are:
  1. mail.domainA.com
  2. autodiscover.domainA.com

domainB.com
Records are:
  1. mail.domainB.com
  2. autodiscover.domainB.com

So you need an SSL certificate that contains BOTH domains, 4 SANs in total.

So one 5-SAN certificate would be enough for your purposes.
DP230 (Network Administrator, author) commented:
Hi,

@arnold: No, my Exchange server has only 1 public IP address. The problem appeared when we configured an Accepted Domain in the Exchange server (so that users could use the new domain instead of the old one).

@Jose: in case both of these 2 domains need wildcard SSL, is it possible to combine them into only one SSL certificate?
Jose Gabriel Ortega Castro (CEO) commented:
It's possible, but it is also more expensive. For example:
https://comodosslstore.com/multi-domain-wildcard-ssl.aspx
DP230 (Network Administrator, author) commented:
Hi, it said that "By default, this product will secure 2 wildcard domains (for example: *.yourdomain.com and *.domain.com) and must have a non-wildcard domain (for example: yourdomain.com) listed as the base domain, or Common Name"

As I understand it, the non-wildcard domain should be different (for example: theotherdomain.com) from those 2 wildcard domains, am I right? Because the total is 3? I'm confused by the note on the website :(
noci (Software Engineer) commented:
@Jose Gabriel Ortega C: Multiple certificates CAN be used on a single listening instance IF SNI is used.
SNI uses a publicly readable field in the negotiation header to select the right certificate.
No, the non-wildcard domain can be one of the domains...

e.g. yourdomain.com with SANs (Subject Alternative Names) *.yourdomain.com and *.otherdomain.com
Aaron Guilmette (Technology Solutions Professional) commented:
You can't have more than one certificate bound to an IP:Port combination on a server.  For example, you could have a cert with domain-a.com bound to :443, and you could have a very with domain-b.com bound to :25, but if you wanted both domain-a.com and domain-b.com bound to both :443 and :25, they would need to be on the same certificate.  You can get a UC or SAN very if you have multiple names belonging to one or more domains, or a wildcard certificate if you have multiple names belonging to the same domain.
Jose Gabriel Ortega Castro (CEO) commented:
Well noci, Aaron explained better. No need to add anything.
Aaron Guilmette (Technology Solutions Professional) commented:
Sorry, phone autocorrect.  "very" should be "Cert." :-)
Aaron Guilmette (Technology Solutions Professional) commented:
In the end, you could technically get away with as little as 2 domain names bound to your certificate (autodiscover.domain1.com and autodiscover.domain2.com), which is what your Outlook clients will use.  You really don't need any others.  You can add other names (such as owa.domain1.com and owa.domain2.com or mail.domain1.com and mail.domain2.com) if you want to give a simpler or more meaningful name to your end-users.

For the most part, wildcard certificates used only for Exchange are a waste of money.  A UC cert with the minimum number of names is much more reasonable.
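The two lists of required names above (Jose's mail/autodiscover pairs and Aaron's minimum of the two autodiscover names) and the wildcard base-domain question raised for the Comodo product can be checked mechanically. The following is an added Python example, not code from this thread or from any CA's tooling: it applies the usual certificate name-matching rule (RFC 6125 / RFC 2818, where a wildcard stands for exactly one leftmost label) to a list of DNS names on a certificate and reports which Exchange hostnames would still produce a name-mismatch warning. All domain names in it are constructed placeholders for old-domain.com and new-domain.com.

```python
"""Check which hostnames a certificate's DNS names cover.

Added example, not code from the thread. Implements the usual matching
rule (RFC 6125 / RFC 2818): a '*' matches exactly one DNS label and only as
the whole leftmost label, so '*.domain-a.example' covers
'mail.domain-a.example' but neither 'domain-a.example' itself nor
'x.y.domain-a.example'. All domain names below are constructed placeholders.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """True if the certificate DNS name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, and we refuse
    # wildcards that would cover a whole public suffix such as '*.com'.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in p_labels[1:]:
        return False
    # Exactly one label is substituted; the remaining labels must agree.
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def uncovered_names(cert_names, required):
    """Return the required hostnames not matched by any name on the cert."""
    return [h for h in required
            if not any(name_matches(n, h) for n in cert_names)]


def exchange_names(domain: str):
    """Names clients look up for one accepted domain: autodiscover is the
    one Outlook needs; mail/owa are the convenience names discussed above."""
    return [f"autodiscover.{domain}", f"mail.{domain}", f"owa.{domain}"]


# Constructed stand-ins for old-domain.com and new-domain.com.
REQUIRED = exchange_names("domain-a.example") + exchange_names("domain-b.example")

# Candidate certificates, given as their DNS SAN entries (plus CN).
UC_ONE_DOMAIN = ["mail.domain-a.example", "autodiscover.domain-a.example"]
UC_BOTH = [f"{h}.{d}" for d in ("domain-a.example", "domain-b.example")
           for h in ("mail", "autodiscover", "owa")]
# Multi-domain wildcard with a non-wildcard base domain as CN.
WILDCARD_BOTH = ["domain-a.example", "*.domain-a.example", "*.domain-b.example"]


if __name__ == "__main__":
    for label, cert in [("UC, one domain", UC_ONE_DOMAIN),
                        ("UC, both domains", UC_BOTH),
                        ("wildcard, both domains", WILDCARD_BOTH)]:
        missing = uncovered_names(cert, REQUIRED)
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
    # The apex is not covered by its own wildcard, which is why the product
    # description quoted above wants a non-wildcard base domain as the CN:
    print(uncovered_names(["*.domain-b.example"], ["domain-b.example"]))
```

Run it to see the one-domain UC certificate leave every domain-b name (and owa.domain-a) uncovered, the six-name UC certificate and the two-wildcard certificate cover everything, and the wildcard alone fail to cover the bare domain-b.example apex.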
noci (Software Engineer) commented:
@Jose, Aaron, I run no Exchange server; I do have an NGINX web server that has 8 different certificates all on port 443.
I have haproxy dispatch to various servers WITHOUT terminating the connection (there are no certificates for the services on the haproxy server).
This is all based on SNI from TLS.   Using haproxy (an open-source tool) one CAN terminate 2 (or more) connections all on ONE port, and connect to different backends (can be the same server, with different ports if needed).
The question is whether the SSL connection uses SNI (Server Name Indication).
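What noci describes is that the server name travels in the clear in the first TLS message, so a front end can read it and pick a certificate (or a backend) before any key exchange happens; a client that does not send it, which is Aaron's concern for the Exchange client protocols, can only receive whatever single certificate is bound to that IP:port. The following is an added Python example, not code from the thread, from haproxy or from Exchange: it builds a minimal ClientHello record from constructed bytes, extracts the server_name extension the way a dispatcher would, and selects a certificate label from a constructed table, falling back to the default when no SNI is present. Hostnames and certificate labels are placeholders.

```python
"""Read the SNI hostname from a TLS ClientHello and pick a certificate by it.

Added example, not code from the thread, haproxy or Exchange. The
ClientHello is built here from constructed bytes so the block runs offline;
the certificate table holds labels standing in for real certificate files.
"""
import struct


def build_client_hello(hostname=None) -> bytes:
    """Minimal TLS 1.2-style ClientHello record; hostname=None omits the
    extensions block entirely, like a client that does not send SNI."""
    body = (b"\x03\x03" + b"\x00" * 32     # client_version + random (zeros, constructed)
            + b"\x00"                      # session_id length 0
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00")                 # one compression method: null
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        # An unrelated extension first (supported_versions, type 43) so the
        # parser has to skip over something before it finds server_name.
        exts = (struct.pack("!HH", 43, 3) + b"\x02\x03\x04"
                + struct.pack("!HH", 0, len(sni_list)) + sni_list)
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the server_name extension, or None if the
    record is not a ClientHello, is truncated, or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                   # skip version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                           # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                           # compression_methods
    if pos + 2 > len(body):
        return None                                # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if end > len(body):
        return None
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if len(data) != elen:
            return None
        if etype == 0:                             # server_name
            return _first_host_name(data)
    return None


def _first_host_name(data: bytes):
    """Walk the ServerNameList and return the first host_name entry."""
    if len(data) < 2:
        return None
    end = min(len(data), 2 + struct.unpack("!H", data[:2])[0])
    pos = 2
    while pos + 3 <= end:
        ntype, nlen = data[pos], struct.unpack("!H", data[pos + 1:pos + 3])[0]
        name = data[pos + 3:pos + 3 + nlen]
        pos += 3 + nlen
        if ntype == 0 and len(name) == nlen:
            return name.decode("ascii", errors="replace").lower()
    return None


def select_certificate(record: bytes, table: dict, default: str) -> str:
    """What an SNI-aware front end does: choose by hostname, else fall back
    to the single certificate bound to the IP:port."""
    host = extract_sni(record)
    return table.get(host, default) if host else default


# Constructed table: hostname -> certificate label.
CERTS = {"mail.domain-a.example": "cert-A", "mail.domain-b.example": "cert-B"}

if __name__ == "__main__":
    for h in ("mail.domain-a.example", "mail.domain-b.example",
              "mail.other.example", None):
        print(h, "->", select_certificate(build_client_hello(h), CERTS, "cert-A"))
```

The fallback branch is the practical point of the disagreement above: SNI only helps when the client sends it, so a second certificate on the same IP:port is invisible to any client that does not, and that client will be validated against whichever certificate is the default binding.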
Jose Gabriel Ortega Castro (CEO) commented:
Noci, this is a "Windows" environment, not a "UNIX" one. If UNIX can have more than one, that's one thing, but a totally different thing is how Windows works. Sorry bud, but we are talking about an Exchange server under Windows.
Aaron Guilmette (Technology Solutions Professional) commented:
Yes, you can bind multiple certs with SNI, but not in this case.  IIS8 supports SNI, but the client interfaces for connecting to consume the services aren't able to use it.  As far as I know, the product group doesn't support using SNI, so in this context, Windows/IIS/Exchange is limited to the one certificate per IP:port.
DP230 (Network Administrator, author) commented:
Hi, so we can use a multiple-domain wildcard SSL cert to solve my problem, am I right? And I need to replace an old SSL with it? Can you confirm?
Aaron Guilmette (Technology Solutions Professional) commented:
Ultimately, yes.  

If you must have all of those server and domain names, I'd just recommend a UC certificate.  They support many names (I've gotten them with 15 or 20 names before).  Two wildcards bound to a SAN certificate will most likely be very expensive.  I saw you posted a link to Comodo certificates; they were compromised a few years back, so a lot of browser vendors yanked their root certificates.  It depends how many names you want on your certificate to determine which is the most cost-effective solution.

You can check around; it will probably be in the $300/wildcard cert domain/year (so, maybe $600-700 for two wildcard domains) for a CA like GoDaddy, and closer to $500/year for a CA vendor like GeoTrust, and then $2,000/domain/year per server for a CA like Symantec.
DP230 (Network Administrator, author) commented:
No, not only for Exchange server, we also have some websites and sub-domains for internal apps. So a wildcard should be suitable?
noci (Software Engineer) commented:
Comodo redeemed itself by taking appropriate action and revoking all erroneous certificates within hours after the breach was discovered.
DigiNotar tried to hide that they were broken into a few times; they were yanked from the certificate store.
StartSSL (& WoSign) made huge blunders, issuing the same certificate serial numbers for different certificates, and had no explanation.
After this was noted they were asked how they handled the issue; no satisfactory answers were given (instead more errors were found) before the deadline and they got yanked last year.
Jose Gabriel Ortega Castro (CEO) commented:
@13L@CK_H3@RT, that was my answer, wasn't it?
The answer is yes. You are the only one who can say if it would be worth the money or not, depending on the number of sites and services that would use the wildcard multi-domain certificate.
Aaron Guilmette (Technology Solutions Professional) commented:
If you price it out and it's a good value for usage, then sure.