What domain names need to be listed on a SAN certificate for an Exchange 2010 server with multiple receive domains

  • Friday, December 28, 2012 8:04 PM

    Previously we would list the following for all our receive domains:

    • Mail.X.X
    • Webmail.X.X
    • Autodiscover.X.X
    • X.X

    Recently we doubled the amount of receive domains and I’m 30 days out from renewing my SAN certificate. So I'm wondering if I can trim some of those domains off or not. For example, let’s say I have the following domains:

    • A.com
    • A.local
    • B.net
    • C.org
    • D.edu

    The main company is A.com, but portions of the company need to send and receive as the other domains. Currently each domain has an A record for mail.X.X and CNAMEs for AutoDiscover.X.X and Webmail.X.X that point to mail.X.X (all Exchange roles are on the same server).

    The SAN cert in question has those domains listed in addition to the local server name, so for example

    Common Name: mail.a.com

    Subject Alternative Name:

    • a.com
    • autodiscover.a.com
    • webmail.a.com
    • Mail
    • A.local
    • mail.a.local
    • webmail.a.local
    • autodiscover.a.local
    • b.net
    • mail.b.net
    • autodiscover.b.net
    • webmail.b.net
    • c.org
    • mail.c.org
    • autodiscover.c.org
    • webmail.c.org
    • d.edu
    • mail.d.edu
    • autodiscover.d.edu
    • webmail.d.edu

    For all the domains except A.com and A.local can I drop all but the Autodiscover domains from the SAN certificate as long as I make that an A record for each domain and put in HTTP redirects for Mail.X.X for Webmail.X.X? Can I also get rid of A.com and A.local and just keep the domain names associated with Exchange services?

All Replies

  • Sunday, December 30, 2012 8:17 AM
     Answered

    For Autodiscover to work properly you need to have an autodiscover record for every e-mail address domain for primary e-mail addresses. Since you never receive mail for somebody@a.local, then there's no need for an autodiscover record for that record. Some find it easier to deploy an SRV record for Autodiscover when you have many e-mail domains.

    The general practice is to use the webmail address as the common name of the certificate. You need but one since everyone could use the same URL for webmail regardless of what their e-mail domain is. If you want to provide convenience webmail URLs for each e-mail domain, it's a choice you make.

    As to .local (or any other internal-only) domains, I recommend that you employ split-brain DNS and use only external URLs for everything. It makes it easier for you since you don't have to convince your certificate issuer to put unregistered domains in your SANs, cheaper in that you don't need as many SANs, and easier for your users to understand.

    That should be everything you need.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Monday, December 31, 2012 3:10 AM
    Moderator
     Answered

    Hello,

    I think the following article must be helpful for your question:

    http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx

    Thanks,

    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Simon Wu
    TechNet Community Support


  • Friday, January 04, 2013 8:29 PM

    Thanks for the help all. Do I still need to include the root domains at all, even for the main namespace (A.com)? From what I’m getting my slimmed down SAN cert will be:

    • Common Name: mail.a.com
    • Subject Alternative Name:
      • Mail
      • webmail.a.com
      • autodiscover.a.com
      • autodiscover.b.net
      • autodiscover.c.org
      • autodiscover.d.edu

    All the employees (regardless of email domain) will use mail.a.com for ActiveSync and webmail.a.com for OWA. I do also have a SRV record internally.


    • Edited by Vox Medica Tuesday, January 08, 2013 3:06 PM

  • Tuesday, January 22, 2013 2:27 PM

    After doing further research we decided to use AutoDiscover Redirect for all but the main domain (a.com) and dropped down to a 5-slot SSL SAN cert. So far it works fine with just the redirect message that pops up occasionally for Outlook users, which we will probably suppress using the instructions in this MS support article.
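A way to check a planned SAN list against the e-mail domains and the Autodiscover method chosen per domain, as an added example that is not code from any post in this thread. It assumes the behaviour discussed above: a name is needed in the certificate only where autodiscover.<domain> terminates TLS on the Exchange server, while HTTP-redirect and SRV domains need none; the domains, hosts and SAN list are constructed from the thread.

```python
"""Decide which DNS names an Exchange SAN certificate must carry, given the
e-mail domains served and how Autodiscover is published for each of them.
Per-domain methods: "san" (autodiscover.<domain> terminates TLS on Exchange,
so the name is needed), "redirect" (autodiscover.<domain> answers plain HTTP
and redirects to the primary Autodiscover URL) and "srv" (an
_autodiscover._tcp.<domain> SRV record names the primary host); the last
two need no entry. The bare domain is tried first by Outlook but a failure
there just falls through, so it is not required either."""

INTERNAL_SUFFIXES = (".local", ".internal", ".lan")

def required_names(primary_domain, email_domains, methods, service_hosts):
    """Return the lower-cased set of names the certificate must contain."""
    names = {h.lower() for h in service_hosts}  # OWA, ActiveSync, SMTP hosts
    names.add(f"autodiscover.{primary_domain}".lower())  # redirect/SRV target
    for domain in email_domains:
        method = methods.get(domain, "san")
        if method == "san":
            names.add(f"autodiscover.{domain}".lower())
        elif method not in ("redirect", "srv"):
            raise ValueError(f"unknown Autodiscover method {method!r} for {domain}")
    return names

def audit(san_entries, required):
    """Compare a certificate's SAN list (CN included) with the required names."""
    present = {n.lower() for n in san_entries}
    # Single-label names ("Mail") and internal-only suffixes (.local) are not
    # publicly resolvable; a public CA should not be asked to certify them.
    not_public = sorted(n for n in present
                        if "." not in n or n.endswith(INTERNAL_SUFFIXES))
    return {"missing": sorted(required - present),
            "surplus": sorted(present - required),
            "not_public": not_public,
            "slots_needed": len(required)}

# Constructed input mirroring the thread: the slimmed-down list from the
# January 4 post (CN plus SANs, including the short "Mail" name) ...
PROPOSED_SAN = ["mail.a.com", "Mail", "webmail.a.com", "autodiscover.a.com",
                "autodiscover.b.net", "autodiscover.c.org", "autodiscover.d.edu"]
DOMAINS = ["a.com", "b.net", "c.org", "d.edu"]
HOSTS = ["mail.a.com", "webmail.a.com"]
# ... and the January 22 design: HTTP redirect for every domain but a.com.
REDIRECT_ALL_BUT_PRIMARY = {d: "redirect" for d in DOMAINS if d != "a.com"}

if __name__ == "__main__":
    for label, methods in (("all in SAN", {}), ("redirect", REDIRECT_ALL_BUT_PRIMARY)):
        print(label, audit(PROPOSED_SAN, required_names("a.com", DOMAINS, methods, HOSTS)))
```

Run as-is it reports the January 4 list as complete apart from the unresolvable short name "Mail", and shows the redirect design needing only three names, well inside a 5-slot certificate.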