keith li (Hong Kong) asked:
SSL Certificate for Exchange 2016 with Office 365 hybrid configuration

Dear All

Before running the hybrid configuration wizard, I need to configure the Exchange certificate, but I already issued an SSL certificate for the ADFS server with the same domain. If I register another SSL certificate for the Exchange server, it says a certificate has already been issued for this domain. Can I import the same cert that I received for ADFS to Exchange?


Keith
timgreen7077

You will need another cert for Exchange because the namespace on your ADFS cert may not contain the namespaces you need for your Exchange server. For Exchange you will need the autodiscover.domain.com and mail.domain.com namespaces, and those most likely are not on the cert you used for ADFS. Get an additional UCC SAN cert for Exchange and apply it to Exchange if you currently don't have a valid cert installed on Exchange.

ASKER

In this case do I need a multi-domain SSL certificate type or a wildcard? Is there a trial one I can try?
I have had a wildcard in my Exchange environment for years without any issues. I know that it's not the best practice, but it works.

If you have more than 5 URLs it will be more cost effective to get a wildcard vs a SAN cert. If you only have your Exchange to address I would go with the SAN cert, being that it is the recommended method.

As Tim stated the cert is tied to the namespace. So if you have 20 different web addresses you would need 20 different certs unless you have a reverse proxy gateway hosting all your namespaces.
I would not suggest a wildcard. Get a UCC SAN (multi-domain) cert for Exchange. It's easier to work with in regards to Exchange and it's also the recommended cert. There are no trial certs, but there are free ones, though I have never used them. The UCC cert is all you will need. It allows up to 5 names for a basic UCC cert and your Exchange most likely only has 2-3 namespaces.
SAN certs may contain more than 5 SANs: check Let's Encrypt ones
https://community.letsencrypt.org/t/limit-on-number-of-domain-in-san/3166/7

Also DigiCert allows for a greater number of SANs: I just can't find the reference now, but I have created DigiCert certs with more than 10 SANs.
Yes, you can purchase a SAN cert that contains more than 5, but 5 is the minimum, is what I was saying. You shouldn't need to purchase a SAN cert for more than that for Exchange 2016.
Which SAN cert would you use? Can anyone recommend one to me?
I used GoDaddy, but there are many others.
As long as they are a trusted root authority they are all good.
In my case I should need a UCC SAN cert? For Exchange, can I still register a UCC SAN cert from Comodo, as I already registered one for ADFS last week?


ADFS SSL "sts.abc.com" <-- registered from Comodo

Exchange SSL "mail.abc.com"
Yes, you can still get the cert from Comodo. It is a 3rd party certificate authority so you will be fine.
Of course you will need to create a CSR on your Exchange server and submit it to Comodo.
To add to Tim's reply and to repeat one of my prior comments.

You are not limited to a certain number of certs with a 3rd party public cert issuer. Your cert's namespace will need to match the URL (e.g. mail.contoso.com, autodiscover.contoso.com, www.contoso.com, adfs.contoso.com).

There is a wizard in the Exchange 2010 EMC that helps you create a CSR for a SAN cert.

https://m.youtube.com/watch?v=FN1ZMZFpvZc
https://m.youtube.com/watch?v=vzHtJ33cIng

https://www.digicert.com/subject-alternative-name.htm
Hi yo bee

Thanks for your information, it's very useful, and I have a question. I have an ADFS server with an SSL cert imported to it from Comodo, but in the certificate properties, for the alternative DNS name I did not put "mail.abc.com" for the Exchange server, I only put "sts.abc.com". In this case should I apply for a new SSL certificate for both DNS names? If I do it this way, can I use the same certificate to import to both the ADFS and Exchange server? Or should I leave the ADFS server alone and register another SSL certificate from rapidssl.com for the Exchange server? Please advise


Keith
You have to register a new cert for Exchange. If you attempt to use the same cert you have for ADFS, you will have to completely start over with obtaining an ADFS cert, so you will need a new CSR generated and everything, and apply a new cert to ADFS. Get a new cert for Exchange and don't bother with the ADFS cert.
The cert for ADFS is completely independent from your Exchange certs. Think of it as if ADFS is not even in your environment. You are getting very confused by this being in the mix right now.

Your CSR for your ADFS is totally independent from your Exchange CSR.

Create your SAN CSR for your Exchange server with the correct DNS names that you have published and request the cert from your third party root CA.

Apply the cert to your Exchange and you should be all set.
Also, if you change the cert on your ADFS, anything that has been registered with this service will need to be reconfigured and set up to trust this newly issued cert.
I assume that your ADFS is working properly, and if so I would not mess with the cert tied to this.
Exchange has the Cert Wizard that will guide you through the steps to create a SAN cert. The video I posted shows you how to create a SAN cert outside of the Exchange Wizard.

Either method will work.
Since you already have an issued cert from Comodo, I would just create a new CSR from your Exchange server, or using the method in the video I posted, and purchase a Unified Communication SSL Certificate - 4 SAN included from them. https://comodosslstore.com/comodo-ucc-ssl.aspx
I have tried to apply for a new SSL cert from Comodo for Exchange; it said the domain that I registered already exists. I believe I applied for ADFS on the same domain before. Any idea? Or can I apply for the SSL cert from another 3rd party root CA?
Let's say you have idp.contoso.com as the FQDN (common name) for your ADFS certificate.
You will need to register, let's say, mail.contoso.com and autodiscover.contoso.com.
The namespaces won't overlap. What is your exact use case? Specify the FQDNs you're trying to protect with certificates (using contoso.com as a base domain) so that we are able to better understand your issue.
My case is I have sts.abc.com as the namespace for ADFS, and I have registered an Office 365 account. I'm planning to migrate my Exchange 2016 to Office 365; before the hybrid migration I need to have an SSL certificate for Exchange 2016.
Like I said your ADFS is completely independent from your Exchange and you should really stop even thinking about your ADFS as I stated in my prior comment.

Keep the current ADFS cert for your ADFS server and create a new CSR from your Exchange server, or follow the instructions in the video I posted. Once you receive the new Exchange cert, apply it to your Exchange CAS and you should be all set.
The ADFS cert is purely used for the federated handshake and not for Exchange. You need the proper cert name for your Exchange (not the same as your ADFS).
Yes, understood. I'm going to apply for another SSL cert for Exchange from Comodo, but it said the certificate has already been issued for this domain, and I tried to apply for the SSL cert at rapidssl.com; it lets me register but I have to wait for them to approve.
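As an added example of the Exchange-side steps the replies above describe (this is not code posted by anyone in the thread), the following Exchange Management Shell script requests a SAN cert for the abc.com names used here, verifies the issued cert covers every required name, and binds it, leaving the sts.abc.com ADFS cert untouched. The server name MAIL01, the organisation fields and the file paths are assumptions.

```powershell
# Added example: request, verify and enable a SAN (UCC) certificate on Exchange 2016.
# Assumed values: server MAIL01, O=ABC/C=HK, and the C:\certs paths. The ADFS cert
# (sts.abc.com) is deliberately not referenced; it stays as it is.

$server = "MAIL01"                                    # assumed Exchange 2016 server
$names  = @("mail.abc.com", "autodiscover.abc.com")   # names clients actually connect to

# 1. Generate the CSR. The private key is created and kept on the Exchange server;
#    only the request text leaves it. Every published URL goes into -DomainName.
$csr = New-ExchangeCertificate -Server $server -GenerateRequest `
    -SubjectName "CN=mail.abc.com,O=ABC,C=HK" `
    -DomainName $names `
    -FriendlyName "Exchange 2016 SAN cert" `
    -PrivateKeyExportable $true -KeySize 2048
Set-Content -Path "\\$server\C$\certs\exchange.req" -Value $csr

# 2. Submit exchange.req to the public CA (Comodo, DigiCert, ...). When the issued
#    certificate comes back, import it and keep the returned certificate object.
$cert = Import-ExchangeCertificate -Server $server `
    -FileData ([Byte[]](Get-Content -Path "\\$server\C$\certs\exchange.cer" `
        -Encoding Byte -ReadCount 0))

# 3. Check the issued cert really carries every required SAN before binding it;
#    a cert missing autodiscover.abc.com would break Autodiscover in the hybrid setup.
$issued  = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = $names | Where-Object { $issued -notcontains $_ }
if ($missing) {
    throw "Issued certificate is missing SAN entries: $($missing -join ', ')"
}

# 4. Bind the cert to the services the hybrid wizard relies on (HTTPS and mail flow).
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 5. Confirm the binding and expiry; the ADFS cert should not show up on this server.
Get-ExchangeCertificate -Server $server |
    Select-Object Thumbprint, Subject, CertificateDomains, Services, NotAfter
```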
Do you have any history logs on Comodo? You must have a common name in the cert that is an exact match to one that has already been issued.

Are you able to confirm this? You might want to reach out to the support team at Comodo.
Did you request a TRIAL CERTIFICATE? That is what the error message is saying the error is.
Yes, I was using a trial one for my ADFS server as this is my testing lab.
ASKER CERTIFIED SOLUTION
yo_bee (United States of America)
What did you ultimately purchase?