• Status: Solved

Do I need UCC Certificate?

I'm trying to understand when I need to purchase a UCC certificate. From my understanding so far, I only need a UCC certificate if I need to secure multiple domains, correct? What if I need a certificate for an Exchange server and also for RDP access? For example, mail.domain.com and remote.domain.com. This is still one domain but multiple subdomains, if I am correct. Please advise, thanks.

Asked by: Soho_Dan
 
ITguy565 commented:
Multi-domain SSL Certificates are certificates that secure multiple domains and multiple hostnames within a domain. They are commonly referred to as Unified Communications Certificates (UCC). UC Certificates are ideal for Microsoft® Exchange Server 2007, Exchange Server 2010, and Microsoft Live® Communications Server because they allow you to secure a primary domain, and up to 99 additional Subject Alternative Names (SAN), in a single UC Certificate.

UCC certs allow you to use a single SSL certificate in a shared host environment, so they are also ideal in situations where the number of IP addresses is limited, such as in a cloud presence (for example Amazon EC2 or Rackspace cloud). For instance, if you have 10 sites with differing domains or host names and only one IP address to use among them, and you want them to have SSL digital certificate protection, then a multi-domain UCC SSL certificate is ideal for this situation.

In a shared hosting environment, the UC Certificate "Issued To" will only list the primary domain (but the site seal can list the remaining domains in the SAN). Please be aware that any other or secondary domains will be listed in the UCC SSL certificate as well. If you do not want domains or sites to appear related to each other via the SSL certificate details, then this is something that you should factor in when ordering a multi-domain SSL certificate.

http://info.ssl.com/article.aspx?id=12157
 
Jeff Glover (Sr. Systems Administrator) commented:
A UCC certificate can secure multiple domains, multiple host names in a domain, or a combination of both. In theory, in your case above, you could use a wildcard certificate, but it will cost more and, in my experience, may give you trouble with Exchange if you are trying to use other services in your domain like Skype for Business.

Exchange works better with a SAN certificate since you normally have multiple hostnames on the certificate (mail, autodiscover, etc.).
 
btan (Exec Consultant) commented:
As the expert mentioned, it is for multiple domains. Specifically, any number of different domain names can be included in the SAN field of the certificate, enabling the certificate to work on any of the included domain names. For example, you could get one UC SSL Certificate to cover all of the following:

mydomain.com
mail.mydomain.com
autodiscover.mydomain.com
anotherdomain.com

Normally most opt for UCC as it can provide significant cost savings in many situations, e.g. for certain features in Microsoft's Exchange Server, Office Communications Server, and Live Communications Server.

Likewise for the remote gateway use case, you could have a UCC cert like this:

Main Domain: remote.mypublicdomain.com
Secondaries: remote.mydomain.local
             rdsh11.mydomain.local
             rdsh12.mydomain.local
             rdsh13.mydomain.local

Operationally, tracking and renewing the certificate will also be more streamlined.
 
MAS (MVE) (Technical Department Head) commented:
Hi Soho_Dan,
If you have only one domain in Exchange Server and one subdomain for RDP, you need the names below.
1. mail.externalname.com (common name)
2. autodiscover.externalname.com
3. rdpaccess.externalname.com

Please check these articles for the configuration of and need for SANs in the certificate.
https://www.experts-exchange.com/articles/29657/Exchange-2010-Fix-for-an-Invalid-certificate-and-related-issues.html
https://www.experts-exchange.com/articles/29662/Exchange-2013-Fix-for-an-Invalid-certificate-and-related-issues.html
 
Sanjay B (Full Time Digital Marketing & Part Time Cyber security Knowledge seeker) commented:
A UCC SSL Certificate is the best solution to protect multiple domains including your Exchange server. You can protect Microsoft Exchange, Microsoft Office Communications Server, and multiple domains and subdomains.

A UC certificate can protect different domains, for example:
www.example.com
www.example2.com
www.example3.net
mail.example.net
exchange.example2.com

I found an article about UCC SSL; just check it now.
 
shalomc (CTO) commented:
Let's look at your business needs.
If your organization has multiple email domains due to brand protection or mergers, you may end up needing to protect a list like this:

mail.organization-a.com
mail.organization-b.com
mail.organization-c.com
www.organization-a.com
www.organization-a.net
rdp.organization-a.com

This list should be protected with a UCC/SAN certificate. The same certificate can be used on multiple servers and services, be it Exchange, web, or any other.

On the other hand, your list of domains to protect may look like this:
www.organization-a.com
blog.organization-a.com
www-staging-1.organization-a.com
www-qa-1.organization-a.com
www-dev-1.organization-a.com
www-dev-1-1.organization-a.com
www-dev-2.organization-a.com
api-staging.organization-a.com
api-dev-john.organization-a.com
monkey-wrench.organization-a.com

These are all single-level subdomains of organization-a.com; it seems like the list is dynamic, and it should be protected by a wildcard certificate.

There is a way to combine both types of certificates, and it is a wildcard SAN: basically a SAN that contains a list of wildcard domains. This is usually a special request and not on the CA menu, but definitely possible, although expensive.
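The coverage rules discussed in the answers above, as an added example that is not part of the original thread: it checks which hostnames a set of SAN entries covers (a wildcard entry covers exactly one leftmost label) and suggests a certificate type for a list of names. The function names are hypothetical, and the sketch assumes no public-suffix check beyond requiring a dot in the parent domain.

```python
# Added illustration; helper names are hypothetical, host lists are taken from the thread.

def san_covers(entry: str, host: str) -> bool:
    """True if one SAN dNSName entry covers host.

    A wildcard entry (*.example.com) covers exactly one leftmost label:
    it does not cover the bare parent domain or deeper names (a.b.example.com).
    """
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    if not entry.startswith("*."):
        return entry == host
    label, _, parent = host.partition(".")
    return bool(label) and parent == entry[2:]


def uncovered(san_entries, hosts):
    """Hostnames that no SAN entry covers (clients would report a name mismatch)."""
    return [h for h in hosts if not any(san_covers(e, h) for e in san_entries)]


def suggest(hosts):
    """Return (certificate type, SAN entries) for a list of hostnames."""
    hosts = sorted({h.lower().rstrip(".") for h in hosts})
    if len(hosts) == 1:
        return "single", hosts
    parents = {h.partition(".")[2] for h in hosts}
    # Assumption: a parent containing a dot is a domain you control (no PSL lookup).
    if len(parents) == 1 and "." in next(iter(parents)):
        return "wildcard or SAN", ["*." + parents.pop()]
    return "SAN", hosts


QUESTION = ["mail.domain.com", "remote.domain.com"]
MIXED = ["mail.organization-a.com", "mail.organization-b.com",
         "mail.organization-c.com", "www.organization-a.com",
         "www.organization-a.net", "rdp.organization-a.com"]

if __name__ == "__main__":
    print(suggest(QUESTION))
    print(suggest(MIXED)[0])
    print(uncovered(["*.organization-a.com"], MIXED))
```

Running `uncovered()` against the SAN list of an issued certificate before deployment shows which service names would still fail validation.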
 
Soho_Dan (Author) commented:
Thanks for the info.
 
MAS (MVE) (Technical Department Head) commented:
Enough information to confirm answer.
 
Soho_Dan (Author) commented:
Thank you everyone for the info.  Sorry it took me so long to close this case.