wildcard certificate

  • Question

  • Hello,

    When is a wildcard certificate preferred?

    I want to install Exchange 2010 and install a CAS array. The CAS Array will be cas-array.domain.com and OWA is mail.domain.com.

    In this situation, what certificate type do I need?


    Thanks

    Sunday, February 6, 2011 8:47 AM

All replies

  • Hi

    In that case you need a SAN certificate providing the URLs cas-array.domain.com and mail.domain.com.

    You can use a wildcard certificate as well, but there are some limitations you should check first: http://technet.microsoft.com/en-us/library/dd351044.aspx

    Hope that helps.

    Regards
    Pano

    Pano Boschung, PageUp AG
    Sunday, February 6, 2011 11:11 AM
  • The CAS Array FQDN is not required to be an entry in the certificate, since it is used for MAPI connections only, not SSL. Your certificate needs to contain any FQDNs that are defined for your CAS services and use the HTTPS protocol. These are all of your CAS services (like OAB, OWA, EWS, ECP, OA, etc.).
    Tim Harrington | MVP: Exchange | MCITP: EMA 2007/2010, MCITP: Server 2008, MCTS: OCS | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington
    • Proposed as answer by Evan Liu Tuesday, February 8, 2011 9:28 AM
    Sunday, February 6, 2011 2:57 PM
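
The rule in the reply above (the certificate must list every FQDN used by an HTTPS CAS service, while the MAPI-only CAS Array name need not be listed), as an added example that is not part of the original thread: a PowerShell check of which service hosts a candidate certificate's names cover, using one-label wildcard matching. The function names, the URL list and autodiscover.domain.com are constructed for illustration.

```powershell
# Added example; function names, URLs and candidate certificates are constructed.
function Test-NameCoversHost {
    param([string]$CertName, [string]$HostName)
    $c = $CertName.ToLowerInvariant().TrimEnd('.')
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    if (-not $c.StartsWith('*.')) { return $c -eq $h }
    # A wildcard stands for exactly one left-most label:
    # *.domain.com covers mail.domain.com, not domain.com or a.b.domain.com.
    $suffix = $c.Substring(1)
    if (-not $h.EndsWith($suffix)) { return $false }
    $label = $h.Substring(0, $h.Length - $suffix.Length)
    return ($label.Length -gt 0) -and (-not $label.Contains('.'))
}

function Get-UncoveredHost {
    param([string[]]$CertNames, [string[]]$ServiceUrls)
    # Only HTTPS endpoints need a matching certificate name.
    $hosts = $ServiceUrls | Where-Object { $_ } | ForEach-Object { [uri]$_ } |
        Where-Object { $_.Scheme -eq 'https' } | ForEach-Object { $_.Host } |
        Sort-Object -Unique
    foreach ($h in $hosts) {
        $covered = $false
        foreach ($n in $CertNames) {
            if (Test-NameCoversHost -CertName $n -HostName $h) { $covered = $true; break }
        }
        if (-not $covered) { $h }
    }
}

# Constructed URLs for the HTTPS CAS services. cas-array.domain.com is left out
# on purpose: it is used for MAPI connections, not SSL.
$serviceUrls = @(
    'https://mail.domain.com/owa',
    'https://mail.domain.com/ecp',
    'https://mail.domain.com/ews/exchange.asmx',
    'https://mail.domain.com/oab',
    'https://autodiscover.domain.com/autodiscover/autodiscover.xml'
)
$candidates = @(
    @{ Label = 'SAN: mail only';           Names = @('mail.domain.com') },
    @{ Label = 'SAN: mail + autodiscover'; Names = @('mail.domain.com', 'autodiscover.domain.com') },
    @{ Label = 'Wildcard: *.domain.com';   Names = @('*.domain.com') }
)
foreach ($cand in $candidates) {
    $missing = @(Get-UncoveredHost -CertNames $cand.Names -ServiceUrls $serviceUrls)
    $text = if ($missing.Count) { $missing -join ', ' } else { '(none)' }
    '{0,-26} uncovered hosts: {1}' -f $cand.Label, $text
}
```

On an Exchange server, the certificate names can be taken from the CertificateDomains property returned by Get-ExchangeCertificate instead of the constructed lists.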
  • Hi Tim

    Thanks for adjusting.
    I usually use the same FQDN for the CAS Array as well as for the NLB. Or is that not supported for some reason?


    Pano Boschung, PageUp AG
    Sunday, February 6, 2011 3:38 PM
  • It is best practice to use different names for the CAS Array and what you are using for your NLB name for OWA, OA, etc.  You also don't want the CAS Array FQDN resolvable externally either, as this will cause longer time-out periods for external Outlook clients.  Check out this thread and Brian Day's responses:

    http://social.technet.microsoft.com/Forums/en/exchange2010/thread/144eecf0-1963-4768-a08a-7c06eb2a79f1


    Tim Harrington | MVP: Exchange | MCITP: EMA 2007/2010, MCITP: Server 2008, MCTS: OCS | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington
    • Proposed as answer by Evan Liu Tuesday, February 8, 2011 9:28 AM
    • Marked as answer by Evan Liu Thursday, February 17, 2011 1:23 PM
    Sunday, February 6, 2011 3:54 PM