Borland dBase III Plus (Hong Kong) asked:
Certificate issues of Exchange Server


There is a certificate issue with Exchange Server 2016.

Our internal Active Directory (Windows 2016) domain name is and the external domain name is 

There are two email domains for some users: and

98% of users have the default email domain ; 2% of users have the default email domain and also have the email domain 

For example:

Thomas:

Eva: (default email address) and  (one user mailbox contains two email addresses)

All internal and external clients (Outlook, Mac Mail, iPhone, Android and OWA) connect to Exchange Server using the name

The existing certificate of Exchange Server is self-signed with the internal CA, and the self-signed certificate is installed on all Exchange servers. The certificate includes the following subject names:

There is one question:
If I want to purchase a new certificate for Exchange Server from a public CA, what subject names need to be included in the new certificate? 

My friend's company environment is the same as mine; he says it only needs to contain the subject names  and , and does not need to contain the subject name in the new certificate.

However, I asked GoDaddy customer service. They say the new certificate needs to contain the subject name , and when I ask what the subject name of is, they do not know. I worry that a wrong or missing subject name will cause users to be unable to access Outlook or receive/send email.

I just made a test: I added a new email address and set it as my default email address (two email addresses in the mailbox: and ). I tried to add my email account on an Android mobile and restarted my Outlook. I can send email to internal users and can receive incoming email. It seems okay. However, after 1 hour, Outlook popped up asking me to accept a certificate: . I have not created this certificate before. It seems there is a problem.

Can anyone help me?

Best Regards,


arnold (United States of America) replied:

The short answer is that you need to include all the names that you use to access it.

The certificate deals with covering the connection requests.
You could point
if you are setting up autodiscover.

When creating a certificate request you have the Subject, the primary hostname on the certificate.
Then you have the Subject Alternate Name.

What this achieves is that the same certificate can secure multiple hostnames.

View your existing certificate, then navigate through the Details tab to get a better understanding.

Since this is Exchange, there are additional functionality options you have to include for the certificate not to be rejected by Exchange.

Plan ahead.
You could create in each zone of your domains references to the configuration.
Note: @ represents the domain where it is added.
_autodiscover._tcp.@ IN SRV 0 0 443

When added, either user entering their email address will be led back to your Exchange server for the configuration.
To get the request for a public certificate, see the linked documentation.

Since the need for multiple hosts will require the use of the more expensive certificate, you might as well include more hostnames which you might not use in the end than too few, and run into issues.

Does your Exchange allow IMAP access for those who do not have Outlook? ActiveSync? etc.
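The reasoning in this answer (every client-facing name plus autodiscover for each email domain, all placed in the Subject Alternative Name, and an SRV record as the alternative) worked through as an added example; this is not code from the thread or from either poster. It assumes a client-access name of mail.example.com, accepted domains example.com and example.net, and an output path of C:\certs\exchange.req, none of which appear in the original question. It also explains the prompt the asker saw after adding a second default address: Outlook looks for autodiscover.<domain of the primary SMTP address>, and if that name resolves to a host presenting a certificate that does not cover it, the user is asked to accept an unknown certificate. Run it in the Exchange Management Shell.

```powershell
# Added example, not from the original thread. Assumed names: mail.example.com (client-access
# namespace), example.com / example.net (accepted email domains), C:\certs\exchange.req (CSR path).

# 1. Names the certificate must cover: every host name clients connect to, plus
#    autodiscover.<domain> for each SMTP domain, unless an _autodiscover._tcp SRV record
#    in that domain already sends clients to one of the covered names.
function Get-RequiredCertificateNames {
    param(
        [Parameter(Mandatory)] [string[]] $ClientAccessNames,   # e.g. mail.example.com
        [Parameter(Mandatory)] [string[]] $EmailDomains,        # e.g. example.com, example.net
        [switch] $UseAutodiscoverSrv
    )
    $names = [System.Collections.Generic.List[string]]::new()
    $names.AddRange([string[]]$ClientAccessNames)
    if (-not $UseAutodiscoverSrv) {
        foreach ($d in $EmailDomains) { $names.Add("autodiscover.$d") }
    }
    return $names | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
}

# 2. RFC 6125-style matching: exact name, or a single left-most '*' label covering one label.
function Test-NameCovered {
    param([string] $Name, [string[]] $CertificateDomains)
    foreach ($san in $CertificateDomains) {
        if ($san -eq $Name) { return $true }            # -eq on strings is case-insensitive
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)                  # "*.example.com" -> ".example.com"
            if (-not $Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { continue }
            $label = $Name.Substring(0, $Name.Length - $suffix.Length)
            if ($label -and -not $label.Contains('.')) { return $true }
        }
    }
    return $false
}

function Get-MissingCertificateNames {
    param([string[]] $RequiredNames, [string[]] $CertificateDomains)
    $RequiredNames | Where-Object { -not (Test-NameCovered -Name $_ -CertificateDomains $CertificateDomains) }
}

# 3. Live values: accepted domains from Exchange, SANs from the certificate bound to IIS
#    (the one Outlook, ActiveSync and OWA clients actually see).
$emailDomains = Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' } |
    ForEach-Object { $_.DomainName.ToString() }
$required = Get-RequiredCertificateNames -ClientAccessNames 'mail.example.com' -EmailDomains $emailDomains
$iisCert  = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
$sans     = $iisCert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing  = Get-MissingCertificateNames -RequiredNames $required -CertificateDomains $sans
if ($missing) { "Not covered by $($iisCert.Thumbprint): $($missing -join ', ')" } else { 'All required names covered.' }

# 4. Build the public CSR: CN is the client-access name, every required name goes in the SAN.
#    The private key is generated on this server; the returned certificate must be imported here.
$csr = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true -KeySize 2048 `
    -SubjectName 'CN=mail.example.com, O=Example Ltd, C=HK' -DomainName $required `
    -FriendlyName 'Exchange 2016 public'
Set-Content -Path 'C:\certs\exchange.req' -Value $csr -Encoding UTF8
# After the CA returns the certificate: Import-ExchangeCertificate -FileData ..., then
#   Enable-ExchangeCertificate -Thumbprint <new thumbprint> -Services IIS,SMTP

# 5. If you rely on the SRV approach instead, confirm each domain has the record and that its
#    target is itself one of the covered names; otherwise the same certificate prompt returns.
foreach ($d in $emailDomains) {
    Resolve-DnsName -Name "_autodiscover._tcp.$d" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } | Select-Object Name, NameTarget, Port
}
```

Run step 3 before ordering the certificate: the list it prints is the SAN list to hand to the public CA, and adding the second domain to a mailbox without adding autodiscover.<second domain> to the certificate (or an SRV record for it) is what produces the prompt after the first autodiscover refresh, which Outlook performs roughly hourly.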
DEMAN-BARCELO (MVP) Thierry (France) replied:
1) Use free certs.

2) Create 1x cert for each Exchange instance.

3) - provides details about initial cert setup + hands-free, auto-renewal of cert forever.