Exchange 2010 SSL certificate

  • Question

  • Hi,

    I'm just trying to figure out the SSL certificate for my new environment...

    Two Exchange servers (mx1 and mx2) both have the mailbox, client access and hub transport roles installed.

    Our public ip points to mx1.  External domain name remote.domain.com.  Outlook anywhere is enabled on both servers. 

    I'll be setting up a DAG to replicate the databases.

    I'm thinking of calling the DAG "mx"

    I'm trying to figure out the SAN's that need to go on the SSL certificate. 

    I'll add the following SAN's to the SSL;

    mx1.domain.com
    mx2.domain.com
    remote.domain.com

    The SAN's below come for free.

    autodiscover.domain.com
    owa.domain.com
    mail.domain.com

    What other SAN's would I need on the SSL?

    Would I have to add a SAN for the DAG (mx.domain.com) as well?

    Thanks,

    Wednesday, September 19, 2012 5:54 PM

Answers

  • Hi,

    Sorry been crazy busy.  Well it's still not 100% clear.  But I'll purchase the new certificate with the following sans;

    remote.domain.com

    mx1.domain.com

    mx2.domain.com

    The above should take care of my current partial certificate error.

    I'll add other if required.

    Thanks for all your answers. 

    • Marked as answer by culusahin Monday, September 24, 2012 10:40 AM
    Monday, September 24, 2012 10:40 AM

All replies

  • You only require the following SANS for exchange servers: You don't normally require SAN for servers, DAG etc.

    autodiscover.domain.com
    owa.domain.com
    mail.domain.com (Active Sync can also use this SAN)


    Regards from ExchangeOnline | Windows Administrator's forums

    • Proposed as answer by Castinlu Thursday, September 20, 2012 9:39 AM
    Wednesday, September 19, 2012 6:50 PM
    Moderator
  • Add  all your accepted domains as well.

    ExchangeGeek (MCITP,Enterprise Messaging Administrator)

    ***Don't forget to mark helpful or answer***

    Thursday, September 20, 2012 1:12 AM
  • You actually do need the SANs by the looks of it.  At the moment I'm using my certificate from my old environment which covers remote.domain.com but doesn't include mx1.domain.com and mx2.domain.com... and I'm getting partial certificate errors.  The client outlooks are pointing to mx1 or mx2.  And connect through remote.domain.comodiscover I don't use the other free SANs.  I just wanted to confirm if I need a SAN for the DAG which I will be calling mx.  Thanks for your answer anyways. 

    • Edited by culusahin Thursday, September 20, 2012 11:18 AM
    Thursday, September 20, 2012 8:25 AM
  • Clients in Exchange 2010 don't connect to the MBX role; they connect to the CAS role, both for Outlook Anywhere and MAPI. If you (and you should) deploy a CAS array, the clients connect to the CAS array, and you need to include its name in the certificate. If you don't, your clients will connect to the CAS servers; in your multi-role environment, that will be mx1 and mx2.

    http://technet.microsoft.com/en-us/library/ee332317.aspx

    • Proposed as answer by Castinlu Thursday, September 20, 2012 9:39 AM
    Thursday, September 20, 2012 9:01 AM
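
The replies above turn on which host names clients are actually given (the CAS servers or a CAS array internally, the Outlook Anywhere name externally). The following is an added example, not part of the thread: it lists those names from the Exchange 2010 Management Shell and checks each against the SANs of the certificate assigned to IIS on every CAS server. The cmdlets are the standard Exchange ones; the helper `Test-NameCovered` and the variable names are made up for illustration.

```powershell
# Added example (not from the thread). Written for PowerShell 2.0 / Exchange 2010 EMS.
# Hypothetical helper: exact match, or a wildcard SAN covering exactly one left-most label.
function Test-NameCovered([string]$Name, [string[]]$Sans) {
    $dot = $Name.IndexOf('.')
    foreach ($s in $Sans) {
        if ($s -eq $Name) { return $true }
        # "*.domain.com" covers "mx1.domain.com", not "domain.com" or a bare NetBIOS name
        if ($s.StartsWith('*.') -and $dot -ge 1 -and $Name.Substring($dot) -eq $s.Substring(1)) {
            return $true
        }
    }
    return $false
}

$names = @()

# Autodiscover SCP URI that domain-joined Outlook clients look up
Get-ClientAccessServer | ForEach-Object {
    if ($_.AutoDiscoverServiceInternalUri) { $names += ([uri]"$($_.AutoDiscoverServiceInternalUri)").Host }
}

# Internal and external URLs published by the CAS virtual directories
$vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-OwaVirtualDirectory) +
         @(Get-EcpVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory) +
         @(Get-OabVirtualDirectory)
foreach ($v in $vdirs) {
    foreach ($u in @($v.InternalUrl, $v.ExternalUrl)) {
        if ($u) { $names += ([uri]"$u").Host }
    }
}

# Outlook Anywhere external host name, and the CAS array FQDN if one exists
Get-OutlookAnywhere   | ForEach-Object { if ($_.ExternalHostname) { $names += "$($_.ExternalHostname)" } }
Get-ClientAccessArray | ForEach-Object { if ($_.Fqdn) { $names += "$($_.Fqdn)" } }

$names = $names | ForEach-Object { $_.ToLower() } | Sort-Object -Unique

# Report, per CAS server, which published names the IIS certificate does not cover
foreach ($srv in Get-ClientAccessServer) {
    $certs = @(Get-ExchangeCertificate -Server $srv.Name | Where-Object { "$($_.Services)" -match 'IIS' })
    foreach ($cert in $certs) {
        $sans = @($cert.CertificateDomains | ForEach-Object { "$_" })
        foreach ($n in $names) {
            New-Object PSObject -Property @{
                Server = $srv.Name; Thumbprint = $cert.Thumbprint
                Name = $n; Covered = (Test-NameCovered $n $sans)
            }
        }
    }
}
```

Rows with `Covered` set to `False` are the names that will produce a certificate name mismatch for clients; either add them as SANs or change the corresponding URL to a name the certificate already carries.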
  • hi,

    Any update?

    Please remember to mark as answer.

    thanks,


    CastinLu

    TechNet Community Support

    Monday, September 24, 2012 1:37 AM