Certificates for exchange server in child domains

    Question

  • Hi Team,

    We have 2 child domains on which Exchange 2013 is installed. We have issued a single SSL certificate from our internal AD CA server in the parent domain.
    This certificate is installed on the Exchange servers in the child domains.
    The SAN list has all the URLs required for Autodiscover and OWA access.
    When we try to open the OWA URL for both child domains we get a certificate error, as the CN on the certificate is not the same as the FQDN of any of the CAS servers.

    Do we need to generate 2 certificates from the AD CA with different CNs (the same as the FQDN used to access the CAS server from outside the network) to resolve this error?

    Thanks,

    Mitesh Jain

    Thursday, December 1, 2016 10:21 AM

All replies

  • Hi.

    If you have a PKI infrastructure for your domain, you can generate one certificate with all the child domains' SAN names, or a wildcard certificate.

    You must have:

    1. The root certificate and subordinate certificate installed on all computers and servers in your organization.

    2. The CRL must be available to all computers. You can publish the CRL on an internal web portal.

    The other way is to buy a wildcard certificate from one of the Unified Communications certificate partners.

    Wildcard certificates and Exchange support all subdomains and child domains.

    Example: *.domain.com - a wildcard certificate supports the domain (domain.com, NY.domain.com, SF.domain.com, 1234.domain.com, 12.NY.domain.com).


    MCITP, MCSE. Regards, Oleg

    Thursday, December 1, 2016 2:50 PM
  • Hi Mitesh,

    If it displays a certificate warning, please ensure the FQDN is added to the SAN in the certificate.

    If so, we need to renew the Exchange certificate with a CA (internal CA or 3rd-party trusted CA), then import it to the root CA and the Exchange server (assign services to this new certificate).

    If not, please run the commands below to check the settings for the Exchange services:

    Get-ClientAccessService | FL Identity,*URI*
    Get-OWAVirtualDirectory | FL Identity,*URL*
    Get-ECPVirtualDirectory | FL Identity,*URL*
    Get-WebServicesVirtualDirectory | FL Identity,*URL*
    Get-OABVirtualDirectory | FL Identity,*URL*
    Get-MAPIVirtualDirectory | FL Identity,*URL*
    Get-PowerShellVirtualDirectory | FL Identity,*URL*
    Get-OutlookAnywhere | FL Identity,*Host*

    If any result returns a host name that is not contained in the SAN, please unify it, then run "IISRESET" if it's a VD setting.


    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, December 2, 2016 9:09 AM
    Moderator
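A way to automate the check Allen describes above, as an added example (not code from the thread or from Microsoft): it assumes the Exchange Management Shell on an Exchange 2013 server, uses the cmdlets listed in the reply plus Get-ExchangeCertificate, and the function names Add-PublishedHost and Test-NameInSan are my own. It collects every host name Exchange publishes to clients and reports which of them the IIS certificate's SAN list does not cover.

```powershell
# Added example, not code from the thread. Assumes the Exchange Management Shell
# on an Exchange 2013 server. Gathers every host name the listed cmdlets publish
# and checks each against the SAN list of the certificate assigned to IIS.

$hostnames = New-Object 'System.Collections.Generic.HashSet[string]'

function Add-PublishedHost([string]$Value) {
    if ([string]::IsNullOrWhiteSpace($Value)) { return }
    $uri = $null
    # Virtual directory values are URLs; Outlook Anywhere values are bare host names.
    if ([System.Uri]::TryCreate($Value, [System.UriKind]::Absolute, [ref]$uri)) {
        [void]$hostnames.Add($uri.Host.ToLowerInvariant())
    } else {
        [void]$hostnames.Add($Value.Trim().ToLowerInvariant())
    }
}

# Autodiscover SCP URL (use Get-ClientAccessServer on builds that lack Get-ClientAccessService)
Get-ClientAccessService | ForEach-Object { Add-PublishedHost $_.AutoDiscoverServiceInternalUri }

$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
               'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-MapiVirtualDirectory', 'Get-PowerShellVirtualDirectory'
foreach ($cmdlet in $vdirCmdlets) {
    & $cmdlet | ForEach-Object { Add-PublishedHost $_.InternalUrl; Add-PublishedHost $_.ExternalUrl }
}
Get-OutlookAnywhere | ForEach-Object { Add-PublishedHost $_.InternalHostname; Add-PublishedHost $_.ExternalHostname }

# The certificate bound to the IIS service is the one browsers and Outlook are shown.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw 'No certificate is assigned to the IIS service on this server.' }
$sans = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLowerInvariant() })

function Test-NameInSan([string]$Name, [string[]]$Sans) {
    foreach ($san in $Sans) {
        if ($san -eq $Name) { return $true }
        # A wildcard entry matches exactly one label to the left of the dot,
        # which is how browsers and Outlook evaluate it.
        if ($san.StartsWith('*.')) {
            $suffix = $san.Substring(1)                                        # ".domain.com"
            $left   = $Name.Substring(0, [Math]::Max(0, $Name.Length - $suffix.Length))
            if ($Name.EndsWith($suffix) -and $left -ne '' -and $left -notmatch '\.') { return $true }
        }
    }
    return $false
}

$report = foreach ($name in ($hostnames | Sort-Object)) {
    [pscustomobject]@{
        HostName = $name
        InSan    = Test-NameInSan $name $sans
    }
}
$report | Format-Table -AutoSize
"Certificate $($cert.Thumbprint) SANs: $($sans -join ', ')"
if ($report | Where-Object { -not $_.InSan }) {
    Write-Warning 'Some published host names are not covered: add them to the SAN or change the URLs to a name that is.'
}
```

Any row with InSan = False is a name a client can be sent to and then warn on; in this thread's situation the server FQDNs show up as uncovered internal URLs while the names the users type are in the SAN.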
  • You do not need to put every computer name in the certificate, and usually it's best not to do that.  What you should do, as Allen_WangJF says, is ensure that all your virtual directories' URLs' host names, all Outlook Anywhere host names, and all Autodiscover URLs' host names are in the certificate.  Parent or child domains of any number don't necessarily matter if you don't use those domains in your URLs.  You may literally be able to get by with as few as two hostnames in your certificate.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!


    Sunday, December 4, 2016 12:06 AM
    Moderator
  • Hi Mitesh,

    Do you find any useful information in my previous reply?

    If there's anything unclear, please feel free to let me know. Also, feel free to mark responses as the answer and/or vote them helpful as appropriate.

    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 19, 2016 12:35 PM
    Moderator
  • Greetings,

    I concur with Allen_WangJF's reply. Two things to consider here:

    1. The URLs in the virtual directories need to match the SAN names of the certificate.

    2. The URL which the user uses to invoke the virtual directory, i.e., even if the external and internal URLs of the virtual directories are listed as SAN names, the user has to use the correct URL to invoke the service.

    If the user uses the FQDN of the virtual directory (the default internal URL of the virtual directories), the certificate error will be thrown.

    Thanks

    Eric


    Microsoft Forum Update

    • Proposed as answer by Eric Anto Monday, December 19, 2016 12:54 PM
    Monday, December 19, 2016 12:53 PM
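The remediation Allen and Eric describe (point every client-facing URL at one name that is in the SAN list, then restart IIS), as an added example that is not code from the thread or from Microsoft. It assumes the Exchange Management Shell on an Exchange 2013 server; $Namespace is a placeholder you replace with a host name that actually appears on the certificate, and the script refuses to change anything until it has confirmed that.

```powershell
# Added example, not code from the thread. Sets one namespace on every
# client-facing URL so users are never sent to a server FQDN that the
# certificate does not cover. Run in the Exchange Management Shell.

$Server    = $env:COMPUTERNAME
$Namespace = 'mail.contoso.example'   # placeholder: must be a SAN on the IIS certificate

# Guard: only proceed if the certificate assigned to IIS actually carries the namespace.
$cert = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
if (-not $cert) { throw "No certificate is assigned to IIS on $Server." }
if (-not ($cert.CertificateDomains | Where-Object { $_.ToString() -ieq $Namespace })) {
    throw "'$Namespace' is not a SAN on certificate $($cert.Thumbprint); fix the certificate before changing URLs."
}

# Virtual directories and the path each one is served from.
$vdirs = @(
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory';         Path = 'owa' }
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory';         Path = 'ecp' }
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory'; Path = 'EWS/Exchange.asmx' }
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory';         Path = 'OAB' }
    @{ Get = 'Get-MapiVirtualDirectory';        Set = 'Set-MapiVirtualDirectory';        Path = 'mapi' }
)
foreach ($v in $vdirs) {
    $url = "https://$Namespace/$($v.Path)"
    & $v.Get -Server $Server | ForEach-Object {
        Write-Host "Setting $($_.Identity) to $url"
        & $v.Set -Identity $_.Identity -InternalUrl $url -ExternalUrl $url
    }
}

# Outlook Anywhere host names; Exchange requires the SSL and auth settings alongside ExternalHostname.
Get-OutlookAnywhere -Server $Server | Set-OutlookAnywhere `
    -InternalHostname $Namespace -ExternalHostname $Namespace `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Negotiate

# Autodiscover SCP (use Set-ClientAccessServer on builds that lack Set-ClientAccessService).
Set-ClientAccessService -Identity $Server -AutoDiscoverServiceInternalUri "https://$Namespace/Autodiscover/Autodiscover.xml"

# Apply the virtual directory changes, as Allen advises.
iisreset
```

The PowerShell virtual directory is deliberately left alone, and internal DNS must resolve $Namespace to the CAS servers before users are moved to it; otherwise the certificate warning is simply replaced by a name-resolution failure.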