SSL Certificate for Exchange 2016 with Office 365 hybrid configuration

Dear All

Before running the Hybrid Configuration Wizard, I need to configure the Exchange certificate, but I already issued an SSL certificate for the ADFS server with the same domain. If I register another SSL certificate for the Exchange server, it says my domain has already been issued a certificate. Can I import the same cert that I received for ADFS into Exchange?


Keith
Asked by piaakit

timgreen7077 (Exchange Engineer) commented:
You will need another cert for Exchange because the namespace on your ADFS cert may not contain the namespaces you need for your Exchange server. For Exchange you will need the autodiscover.domain.com and mail.domain.com namespaces, and those most likely are not on the cert you used for ADFS. Get an additional UCC SAN cert for Exchange and apply it to Exchange if you currently don't have a valid cert installed on Exchange.
1
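The point above is that a certificate only helps Exchange if its Common Name or Subject Alternative Name list actually contains the Exchange host names. The following PowerShell is an added example, not code from the thread: it reads the DNS names out of a certificate and reports which of the required Exchange names are missing. The file path `C:\certs\sts.abc.com.cer` and the required names `mail.abc.com` and `autodiscover.abc.com` are assumed placeholders for the poster's environment.

```powershell
# Added example, not code from the thread. Checks whether a certificate's Common Name
# and Subject Alternative Names cover the namespaces Exchange needs. The host names
# and the file path are placeholders for the poster's environment.

function Get-CertificateHostNames {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = New-Object System.Collections.Generic.List[string]
    # Common Name from the Subject DN
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names.Add($Matches[1].Trim()) }
    # Subject Alternative Name extension (OID 2.5.29.17); on Windows Format($false)
    # renders it as "DNS Name=a.example, DNS Name=b.example"
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ',')) {
            if ($entry.Trim() -match '^DNS Name=(.+)$') { $names.Add($Matches[1].Trim()) }
        }
    }
    return ($names | Sort-Object -Unique)
}

function Test-HostNameMatch {
    param([string]$CertName, [string]$HostName)
    if ($CertName -ieq $HostName) { return $true }
    # A wildcard covers exactly one label (RFC 6125): *.abc.com matches mail.abc.com
    # but not a.b.abc.com and not abc.com itself
    if ($CertName.StartsWith('*.')) {
        $sameDepth = (($CertName -split '\.').Count -eq ($HostName -split '\.').Count)
        return ($sameDepth -and $HostName.ToLower().EndsWith($CertName.Substring(1).ToLower()))
    }
    return $false
}

function Get-MissingHostNames {
    param($Certificate, [string[]]$Required)
    $present = Get-CertificateHostNames -Certificate $Certificate
    $Required | Where-Object {
        $wanted = $_
        -not ($present | Where-Object { Test-HostNameMatch -CertName $_ -HostName $wanted })
    }
}

# Placeholder: the ADFS certificate exported (public part only) from the ADFS server
$adfsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList 'C:\certs\sts.abc.com.cer'
$needed   = @('mail.abc.com', 'autodiscover.abc.com')   # assumed Exchange namespaces
$missing  = Get-MissingHostNames -Certificate $adfsCert -Required $needed

if ($missing) {
    "Certificate covers: $((Get-CertificateHostNames -Certificate $adfsCert) -join ', ')"
    "Not covered (a separate Exchange cert is needed): $($missing -join ', ')"
} else {
    'All required Exchange names are present on this certificate.'
}
```

For the poster's case the ADFS certificate carries only `sts.abc.com`, so the script would report both Exchange names as not covered, which is the reason a second certificate is needed. The same check can be run against a certificate already in the machine store by replacing the `New-Object` line with `Get-ChildItem Cert:\LocalMachine\My` filtered on the thumbprint.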
piaakit (Author) commented:
In this case, do I need a multi-domain SSL certificate or a wildcard? Is there a trial one I can try?
0
yo_bee (Director of Information Technology) commented:
I have had a wildcard in my Exchange environment for years without any issues. I know that it is not the best practice, but it works.

If you have more than 5 URLs it will be more cost effective to get a wildcard vs. a SAN cert. If you only have your Exchange to address I would go with the SAN cert, being that it is the recommended method.

As Tim stated, the cert is tied to the namespace. So if you have 20 different web addresses you would need 20 different certs unless you have a reverse proxy gateway hosting all your namespaces.
0
timgreen7077 (Exchange Engineer) commented:
I would not suggest a wildcard. Get a UCC SAN (multi-domain) cert for Exchange. It's easier to work with in regards to Exchange and it's also the recommended cert. There are no trial certs, but there are free ones, though I have never used them. The UCC cert is all you will need. It allows up to 5 names for a basic UCC cert, and your Exchange most likely only has 2-3 namespaces.
0
Michelangelo (Consultant) commented:
SAN certs may contain more than 5 SANs: check the Let's Encrypt ones
https://community.letsencrypt.org/t/limit-on-number-of-domain-in-san/3166/7

Also, DigiCert allows for a greater number of SANs: I just can't find the reference now, but I have created DigiCert certs with more than 10 SANs.
0
timgreen7077 (Exchange Engineer) commented:
Yes, you can purchase a SAN cert that contains more than 5, but 5 is the minimum, is what I was saying. You shouldn't need to purchase a SAN cert for more than that for Exchange 2016.
0
piaakit (Author) commented:
Which SAN cert would you use? Can anyone recommend one?
0
yo_bee (Director of Information Technology) commented:
I used GoDaddy, but there are many others.
0
yo_bee (Director of Information Technology) commented:
As long as they are a trusted root authority they are all good.
0
piaakit (Author) commented:
In my case I should need a UCC SAN cert? For Exchange, can I still register a UCC SAN cert from Comodo, as I already registered one for ADFS last week?

ADFS SSL "sts.abc.com" <-- registered from Comodo

Exchange SSL "mail.abc.com"
0
timgreen7077 (Exchange Engineer) commented:
Yes, you can still get the cert from Comodo. It is a 3rd-party certificate authority, so you will be fine.
0
timgreen7077 (Exchange Engineer) commented:
Of course you will need to create a CSR on your Exchange server and submit it to Comodo.
0
yo_bee (Director of Information Technology) commented:
To add to Tim's reply and to repeat one of my prior comments.

You are not limited to a certain number of certs with a 3rd-party public cert issuer. Your cert's namespace will need to match the URL (e.g. mail.contoso.com, autodiscover.contoso.com, www.contoso.com, adfs.contoso.com).

There is a wizard in the Exchange 2010 EMC that helps you create a CSR for a SAN cert.

https://m.youtube.com/watch?v=FN1ZMZFpvZc
https://m.youtube.com/watch?v=vzHtJ33cIng

https://www.digicert.com/subject-alternative-name.htm
0
piaakit (Author) commented:
Hi yo_bee

Thanks for your information, it's very useful, and I have a question. I have an ADFS server with an SSL cert imported to it from Comodo, but in the certificate properties, for the alternative DNS name, I did not put "mail.abc.com" for the Exchange server; I only put "sts.abc.com". In this case, should I apply for a new SSL certificate for both DNS names? If I do it that way, can I use the same certificate to import into both the ADFS and Exchange servers? Or should I leave the ADFS server alone and register another SSL certificate from rapidssl.com for the Exchange server? Please advise.


Keith
0
timgreen7077 (Exchange Engineer) commented:
You have to register a new cert for Exchange. If you attempt to use the same cert you have for ADFS, you will have to completely start over with obtaining an ADFS cert, so you will need a new CSR generated and everything, and apply a new cert to ADFS. Get a new cert for Exchange and don't bother the ADFS cert.
1
yo_bee (Director of Information Technology) commented:
The cert for ADFS is completely independent from your Exchange certs. Think of it as if ADFS is not even in your environment. You are getting very confused by this being in the mix right now.

Your CSR for your ADFS is totally independent from your Exchange CSR.

Create your SAN CSR for your Exchange server with the correct DNS names that you have published and request the cert from your third-party root CA.

Apply the cert to your Exchange and you should be all set.
1
yo_bee (Director of Information Technology) commented:
Also, if you change the cert on your ADFS, anything that has been registered with this service will need to be reconfigured and set up to trust this newly issued cert.
I assume that your ADFS is working properly, and if so I would not mess with the cert tied to this.
Exchange has the Cert Wizard that will guide you through the steps to create a SAN cert. The video I posted shows you how to create a SAN cert outside of the Exchange wizard.

Either method will work.
Since you already have an issued cert from Comodo, I would just create a new CSR from your Exchange server (or with the method in the video I posted) and purchase a Unified Communication SSL Certificate (4 SANs included) from them: https://comodosslstore.com/comodo-ucc-ssl.aspx
1
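The procedure the two answers above describe (generate a CSR on the Exchange server, send it to the public CA, import the issued certificate, bind it to services) is, in the Exchange Management Shell, the three cmdlets `New-ExchangeCertificate`, `Import-ExchangeCertificate` and `Enable-ExchangeCertificate`. The script below is an added example, not code from the thread or from Microsoft; the cmdlets and their parameters are Exchange's own, while the server name `EX01`, the host names, the organisation fields in the subject and the file paths are assumed placeholders.

```powershell
# Added example, not code from the thread. Run in the Exchange Management Shell on the
# Exchange 2016 server. EX01, the host names, the subject fields and the paths are placeholders.
$CommonName  = 'mail.abc.com'
$SanNames    = @('mail.abc.com', 'autodiscover.abc.com')   # Exchange namespaces only; the ADFS name stays on its own cert
$RequestPath = '\\EX01\C$\certs\exchange-csr.req'           # CSR is written to a UNC path
$IssuedPath  = '\\EX01\C$\certs\exchange.cer'               # certificate returned by the CA

# 1. Generate the PKCS#10 request. The private key is created on EX01 and never leaves it;
#    marking it exportable allows the finished cert to be copied to a second Exchange server later.
$request = New-ExchangeCertificate -GenerateRequest `
    -Server EX01 `
    -SubjectName "CN=$CommonName,O=ABC,C=US" `
    -DomainName $SanNames `
    -FriendlyName 'Exchange 2016 UCC' `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path $RequestPath -Value $request -Encoding Ascii
# Submit the .req file to the public CA; the Common Name must be one of the SAN entries.
# Continue below once the CA has returned the issued certificate.

# 2. Import the issued certificate. Exchange matches it to the pending request by public key,
#    so it must be imported on the same server that generated the CSR.
$certBytes = [byte[]](Get-Content -Path $IssuedPath -Encoding Byte -ReadCount 0)
$imported  = Import-ExchangeCertificate -Server EX01 -FileData $certBytes

# 3. Bind it to the client-facing services: IIS (OWA, EWS, Autodiscover, the hybrid
#    endpoints) and SMTP (TLS for hybrid mail flow with Office 365).
Enable-ExchangeCertificate -Server EX01 -Thumbprint $imported.Thumbprint -Services IIS,SMTP

# 4. Verify: the new thumbprint should show both services and the full SAN list,
#    and NotAfter should be well in the future.
Get-ExchangeCertificate -Server EX01 |
    Where-Object { $_.Thumbprint -eq $imported.Thumbprint } |
    Format-List Subject, CertificateDomains, Services, NotAfter, Issuer, Thumbprint
```

The Exchange admin center's certificate wizard that yo_bee mentions produces the same request; the shell form is shown here because it makes explicit which names go into the request and which services the certificate ends up bound to, both of which the Hybrid Configuration Wizard later checks.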
piaakit (Author) commented:
I have tried to apply for a new SSL cert from Comodo for Exchange; it said the domain that I registered already exists. I believe I applied for ADFS with the same domain before. Any idea? Or can I apply for the SSL cert from another 3rd-party root CA?
0
Michelangelo (Consultant) commented:
Let's say you have idp.contoso.com as the FQDN (common name) for your ADFS certificate.
You will need to register, let's say, mail.contoso.com and autodiscover.contoso.com.
The namespaces won't overlap. What is your exact use case? Specify the FQDNs you're trying to protect with certificates (using contoso.com as a base domain) so that we are able to better understand your issue.
0
piaakit (Author) commented:
My case is that I have sts.abc.com as the namespace for ADFS, and I have registered an Office 365 account. I'm planning to migrate my Exchange 2016 to Office 365; before the hybrid migration I need to have an SSL certificate for Exchange 2016.
0
yo_bee (Director of Information Technology) commented:
Like I said, your ADFS is completely independent from your Exchange, and you should really stop even thinking about your ADFS, as I stated in my prior comment.

Keep the current ADFS cert for your ADFS server and create a new CSR from your Exchange server, or follow the instructions in the video I posted. Once you receive the new Exchange cert, apply it to your Exchange CAS and you should be all set.
0
yo_bee (Director of Information Technology) commented:
The ADFS cert is purely used for the federated handshake and not by Exchange. You need the proper cert name for your Exchange (not the same as your ADFS).
0
piaakit (Author) commented:
Yes, understood. I'm going to apply for another SSL cert for Exchange from Comodo, but it said the certificate has already been issued for this domain. I tried to apply for the SSL cert at rapidssl.com; it lets me register, but I have to wait for them to approve.

0
yo_bee (Director of Information Technology) commented:
Do you have any history logs on Comodo? You must have a common name in the cert that is an exact match to one that has already been issued.

Are you able to confirm this? You might want to reach out to the support team at Comodo.
0
yo_bee (Director of Information Technology) commented:
Did you request a TRIAL CERTIFICATE? That is what the error message is saying.
0
piaakit (Author) commented:
Yes, I was using a trial one for my ADFS server, as this is my testing lab.
0
yo_bee (Director of Information Technology) commented:
I recommend speaking to their support team and explaining what you are looking to do.

I would separate your ADFS and your Exchange cert. This will give you more flexibility if you need to change a cert later on.
1

yo_bee (Director of Information Technology) commented:
What did you ultimately purchase?
0