SSL Certificate for Exchange 2010

  • Question

  • I am planning to purchase an SSL certificate for Exchange 2010. I found out that we need to buy a Subject Name Alternative (SAN) or UCC certificate.

    During the certificate signing request, there are a couple of options for us to choose. We chose "mail.domain.com" for most of our options.

    I would like to know the following:

    1. If my Exchange server does not provide POP/IMAP services, do we need to select this option?
    2. How about the hub transport server? Do we need to select this option?

    Please advise.

    Thank You.


    Stan
    Sunday, December 19, 2010 11:28 AM

All replies

  • You don’t have to select them if these services aren’t used in your environment.

    Resources:

    Understanding Digital Certificates and SSL

    TLS Functionality and Related Terminology in Exchange 2010

    James Luo

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com  


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Stanley Ng Tuesday, December 21, 2010 3:42 AM
    Monday, December 20, 2010 6:56 AM
  • Dear James Luo,

    Thank You for your reply.

    1. As I am not using POP/IMAP, I don't select this on the CSR (Certificate Signing Request).
    2. I saw this "Use mutual TLS to secure internet mail" during the CSR. Is it recommended to include this, as I don't know whether I need to use it or not?

    Please advise.

    Best Regards,


    Stan
    Monday, December 20, 2010 8:10 AM
  • Mutual TLS can be used as a relatively low-cost alternative to an S/MIME kind of security solution between you and your business partner, but it also adds an additional cost for management.

    So, it’s really up to you if you want to use the feature. You can check out mutual TLS in the link above, and here’s another article about it:

    Understanding Domain Security


    Tuesday, December 21, 2010 2:06 AM
  • Dear James,

    Thank You for your explanation. Lastly, I use "mail.domain.com" for most of our options. Can this "mail.domain.com" be set as the common name during the CSR, or should we use "domain.com" as the common name?

    Thank You.


    Stan
    Tuesday, December 21, 2010 2:12 AM
  • Per my knowledge, there’s no restriction that you must use the specific one. But, based on the following information, mail.domain.com would be preferred:

    - When you create a certificate or a certificate request for an Edge performing SMTP TLS over the Internet, the FQDN should be entered as the CN (Common Name) (Reference)

    - If you have Windows XP workstations that use Outlook Anywhere, the FQDN will avoid the extra change on the Exchange configuration, like the issue in this thread


    Tuesday, December 21, 2010 3:02 AM
  • Hi James,

    OK, Thank You. :D


    Stan
    Tuesday, December 21, 2010 3:41 AM
  • Thank You James.
    Stan
    Tuesday, December 21, 2010 3:44 AM
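
The choices discussed in this thread (FQDN `mail.domain.com` as the common name, no POP/IMAP), written out for the Exchange Management Shell. This is an added example, not part of the original posts; the organization, country, `autodiscover.domain.com` name and file paths are assumed placeholder values.

```powershell
# Added example for the Exchange 2010 Management Shell.
# Constructed values: country/organization, the autodiscover name, file paths.
$commonName = 'mail.domain.com'
$sanNames   = @('mail.domain.com', 'autodiscover.domain.com')  # second name is an assumption
$reqPath    = 'C:\certs\mail_domain_com.req'                   # hypothetical path
$cerPath    = 'C:\certs\mail_domain_com.cer'                   # hypothetical path (file issued by the CA)

# Keep the common name in the SAN list as well: clients that check
# SAN entries may not consult the CN at all.
if ($sanNames -notcontains $commonName) {
    throw "Common name $commonName is missing from the SAN list"
}

# Step 1: generate the request. -SubjectName carries the CN,
# -DomainName carries the subject alternative names.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Org, cn=$commonName" `
    -DomainName $sanNames `
    -PrivateKeyExportable $true
Set-Content -Path $reqPath -Value $request

# Step 2 (run once the CA has returned the certificate): import it and
# bind it only to the services actually in use, so POP and IMAP stay unbound.
$bytes = [byte[]](Get-Content -Path $cerPath -Encoding Byte -ReadCount 0)
$cert  = Import-ExchangeCertificate -FileData $bytes
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# Step 3: confirm the names and service bindings on the installed certificate.
$bound = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$bound | Format-List Subject, CertificateDomains, Services, NotAfter

if ($bound.CertificateDomains -notcontains $commonName) {
    Write-Warning "Installed certificate does not list $commonName"
}
if ("$($bound.Services)" -match 'IMAP|POP') {
    Write-Warning 'Certificate is bound to POP/IMAP although those services are not used'
}
```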