About SSL Certificates for Exchange 2010

  • Question

  • I’m planning to introduce the first Exchange 2010 server to my Exch 2007 Organization. I’m planning on the SSL cert and I was wondering if I could get some feedback from you guys.

    1. I understand that when the first Exchange 2010 CAS server is introduced in an existing Exchange 2007 Org, we may expect SSL certificate warnings, relating to the Autodiscover service as soon as the server is up and running. One way to deal with this is to apply the appropriate SSL certificate to the new Exchange 2010 CAS server. I was planning to purchase a new UCC (SAN) cert from our commercial Certificate Authority prior to the introduction of the first Exch 2010 CAS server. I know I can generate the SSL request file from the new Exchange 2010 CAS server once it is set up; however, after talking to the commercial Certificate Authority, I realized that the new SAN certificate could take up to 3 days to get issued (it could be faster but I’m not sure). I cannot afford to get these SSL certificate warnings for so long, so I was wondering if I could generate the request from the current Exchange 2007 CAS server instead. Would that be any problem? If not, I could generate the new SAN certificate request from the Exchange 2007 CAS server; once I get the cert, I would then import it to Exchange 2007 (I already have SSL on the Exch 2007 server but need to add legacy.domain.com to it). Then I would export the SAN cert from Exch 2007 (which will have the names I also need for the new Exch 2010 server) and have it ready so I can import the cert to the Exch 2010 server as soon as it is up and running. Would that work ok?

    2. Another aspect in regards to SSL certs is around the names to be included in the cert. I have read and seen on slides shown in Microsoft webcasts that machine hostnames should not be listed in the cert's hostname list, as the goal is to minimize the number of hostnames. However, I’ve also seen on some sites and in books that admins include host server names in the SSL certificate names.

    I guess that what is not clearly explained in the webcasts I’ve seen is the fact that if your Organization is implementing Split DNS (having an internal DNS zone that matches your external internet DNS), then you can also use the external DNS namespace (i.e. mail.domain.com) to configure the internalURLs, and therefore there is no need to include host server names (FQDN of CAS servers) in the SSL certificate names. So, bottom line, the Internal URLs will depend on whether or not you use Split DNS for the Exchange 2010 implementation, and that in turn will determine whether or not it is necessary to include host server names in the SSL certificate.

    If I use Split DNS, then I don’t have to include Exchange hostnames in the SSL cert, and what I would have to do is change the internalURLs that by default reference the FQDN of the CAS server to use the external namespace (i.e. mail.contoso.com), following the instructions in this article: http://support.microsoft.com/kb/940726

    Am I understanding this correctly?

    3. Wildcard Certificate vs. SAN Certificates for Exchange 2010: I understand that Wildcard Certificates are supported by Exchange 2010 although the recommendation is to use SAN cert. Can someone share their experience when using Wildcard certs? We already have a Wildcard Certificate so it would be nice if we could use it for Exch 2010.

    Thanks in advance!

    FT


    Tuesday, October 9, 2012 12:17 AM
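
The request-on-2007, import, export and re-import sequence from point 1, written out as an added example; this is not code from the original post. It is Exchange Management Shell (PowerShell) and uses the names given in this thread (mail.domain.com, autodiscover.domain.com, legacy.domain.com); the O= value, the file paths under C:\certs and the PFX password prompt are placeholders. The first half runs on the Exchange 2007 CAS, the second on the new Exchange 2010 CAS, and the file-handling parameters differ between the two versions (2007 takes -Path, 2010 takes the file contents as a byte array).

```powershell
# Added example, not from the original thread. Names follow the thread; O=, paths and the
# password prompt are placeholders. Run each half in the Exchange Management Shell of
# the server named in its heading.

# ---- On the Exchange 2007 CAS ----
# 1. Request a UCC/SAN certificate and keep the private key exportable, so the
#    finished certificate can be moved to the Exchange 2010 server later.
New-ExchangeCertificate -GenerateRequest -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName 'c=US, o=Contoso, cn=mail.domain.com' `
    -DomainName mail.domain.com, autodiscover.domain.com, legacy.domain.com `
    -Path 'C:\certs\exchange-san.req'

# 2. When the CA returns the issued certificate, import it on the same server
#    (it pairs with the pending private key from step 1) and bind it to IIS.
$cert = Import-ExchangeCertificate -Path 'C:\certs\exchange-san.cer'
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 3. Export certificate plus private key as a password-protected PFX.
#    Any user name will do at the prompt; only the password is used.
$pfxPassword = (Get-Credential).Password
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Password $pfxPassword -Path 'C:\certs\exchange-san.pfx'

# ---- On the Exchange 2010 CAS (copy the .pfx over first) ----
# 4. Exchange 2010 cmdlets take the file contents as a byte array, not a path.
$pfxPassword = (Get-Credential).Password
$pfxBytes = [Byte[]](Get-Content -Path 'C:\certs\exchange-san.pfx' -Encoding Byte -ReadCount 0)
$cert2010 = Import-ExchangeCertificate -FileData $pfxBytes -Password $pfxPassword

# 5. Bind it to IIS as soon as the server is up, which is what removes the
#    Autodiscover warnings described in the question.
Enable-ExchangeCertificate -Thumbprint $cert2010.Thumbprint -Services IIS

# 6. Confirm the bound certificate carries every name and which services use it.
Get-ExchangeCertificate -Thumbprint $cert2010.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

Delete the .pfx from both servers once step 6 checks out; it contains the private key, and a SAN certificate covering the whole namespace is worth protecting accordingly.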

Answers

  • 1.  You should expect that only if you don't do it right.  You can do all of that, but if you're using the same URLs for Exchange 2010 as you are for Exchange 2007, then there should be no reason you can't use the same certificate.

    2.  It's okay to add machine hostnames, but there's no compelling reason to do so.  I don't routinely do it with public CA certificates because it just adds unnecessary cost.  Just make sure that all the InternalURL and ExternalURL settings on all virtual directories use hostnames that are in the certificate.  For most applications, there's no real reason you can't get by with two names in a certificate, webmail (or whatever) and autodiscover.  Split-brain DNS is the only way to go, IMO.

    3.  A wildcard certificate can be made to work.  There's an issue with Office 365 federation with a wildcard certificate, but I've been able to work around it.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    • Marked as answer by FT2000 Tuesday, October 9, 2012 1:31 PM
    Tuesday, October 9, 2012 1:25 AM
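
Point 2 of the answer (every InternalURL and ExternalURL on every virtual directory must use a name that is on the certificate) is the thing to verify before and after changing the internal namespace. Below is an added check, not code from the thread or from either poster: it runs in the Exchange Management Shell on an Exchange 2010 CAS, reads the certificate bound to IIS, collects the hostnames handed out by the OWA, ECP, EWS, OAB and ActiveSync virtual directories plus the Autodiscover SCP URI and the Outlook Anywhere external hostname, and reports any hostname the certificate does not cover. A wildcard name is matched against exactly one label, which is how clients treat it. The block guarded by `$Apply` is the split-DNS change from question 2 (InternalUrl pointed at mail.domain.com instead of the CAS FQDN); it is off by default and the namespace is an assumption taken from the thread.

```powershell
# Added check, not from the original thread. Run in the Exchange Management Shell on an
# Exchange 2010 CAS. mail.domain.com / autodiscover.domain.com are the thread's namespace.
$Server = $env:COMPUTERNAME
$Apply  = $false          # $true rewrites the InternalUrls to the split-DNS namespace

# Does the certificate's name list cover this host? "*.domain.com" matches one label
# only (mail.domain.com yes, a.b.domain.com and domain.com no), as clients do.
function Test-CertCoversHost {
    param([string[]]$CertNames, [string]$HostName)
    $h = $HostName.ToLower()
    foreach ($n in $CertNames) {
        $n = $n.ToLower()
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                       # ".domain.com"
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label -ne '' -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# The valid certificate currently enabled for IIS on this server.
$iisCert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Status -eq 'Valid' -and "$($_.Services)" -match 'IIS' } |
    Select-Object -First 1
if (-not $iisCert) { throw "No valid certificate is enabled for IIS on $Server" }
$certNames = @($iisCert.CertificateDomains | ForEach-Object { "$_" })

# Every URL a client can be handed for this server, with where it came from.
$entries = @()
$vdirs = @(Get-OwaVirtualDirectory -Server $Server) +
         @(Get-EcpVirtualDirectory -Server $Server) +
         @(Get-WebServicesVirtualDirectory -Server $Server) +
         @(Get-OabVirtualDirectory -Server $Server) +
         @(Get-ActiveSyncVirtualDirectory -Server $Server)
foreach ($vd in $vdirs) {
    foreach ($prop in 'InternalUrl', 'ExternalUrl') {
        if ($vd.$prop) {
            $entries += New-Object PSObject -Property @{
                Source = "$($vd.Identity) $prop"; HostName = ([Uri]($vd.$prop)).Host }
        }
    }
}
$scp = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
if ($scp) {
    $entries += New-Object PSObject -Property @{
        Source = 'AutoDiscoverServiceInternalUri'; HostName = ([Uri]$scp).Host }
}
$oa = Get-OutlookAnywhere -Server $Server
if ($oa -and $oa.ExternalHostname) {
    $entries += New-Object PSObject -Property @{
        Source = 'OutlookAnywhere ExternalHostname'; HostName = "$($oa.ExternalHostname)" }
}

"Certificate $($iisCert.Thumbprint) covers: $($certNames -join ', ')"
foreach ($e in $entries) {
    $status = if (Test-CertCoversHost $certNames $e.HostName) { 'OK      ' } else { 'MISMATCH' }
    "{0} {1,-28} {2}" -f $status, $e.HostName, $e.Source
}

# Question 2's split-DNS change: InternalUrls use the external namespace, so the CAS FQDN
# no longer has to be on the certificate. mail.domain.com must already resolve internally
# to the CAS (or its load balancer), or internal clients will fail to connect.
if ($Apply) {
    $ns = 'https://mail.domain.com'
    Get-OwaVirtualDirectory -Server $Server         | Set-OwaVirtualDirectory         -InternalUrl "$ns/owa"
    Get-EcpVirtualDirectory -Server $Server         | Set-EcpVirtualDirectory         -InternalUrl "$ns/ecp"
    Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory -InternalUrl "$ns/EWS/Exchange.asmx"
    Get-OabVirtualDirectory -Server $Server         | Set-OabVirtualDirectory         -InternalUrl "$ns/OAB"
    Get-ActiveSyncVirtualDirectory -Server $Server  | Set-ActiveSyncVirtualDirectory  -InternalUrl "$ns/Microsoft-Server-ActiveSync"
    Set-ClientAccessServer -Identity $Server `
        -AutoDiscoverServiceInternalUri 'https://autodiscover.domain.com/Autodiscover/Autodiscover.xml'
}
```

Run it once with `$Apply = $false` on a fresh Exchange 2010 CAS and every InternalUrl row will show MISMATCH, because setup writes the server FQDN there; run it again after the change and after the cert is bound and the list should be all OK. Any MISMATCH left is a name that either needs adding to the certificate or removing from the URL, which is exactly the trade-off discussed above.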

All replies

  • Ed,

    Thanks so much for your prompt response! It is greatly appreciated

    I agree with you. We could use the same SSL cert we currently use with Exch 2007 on the new Exch 2010 as we are planning to keep the same external namespaces: mail.domain.com and autodiscover.domain.com. However, since we need to add new names, legacy.domain.com and another one to be used in our DR site (failover.domain.com), and want to keep a single SSL cert...that is the reason why we are planning to get a new cert or see if we can add the new names to the existing one.

    Thanks for sharing the info about the wildcard and Office 365...it is good to know as we are planning to implement Exchange Online later on. It would be nice if you could share the workaround you mentioned.

    On another topic. I would like to get your opinion on Autodiscover for Exchange 2010 based on your experience.

    This MS article, http://technet.microsoft.com/en-us/library/aa995928, recommends configuring a separate IIS Web site on a Client Access server to host the Autodiscover service, which it says is a good practice in the following cases:

      • Your primary Web site is visited frequently
      • Your primary Web site hosts your e-mail traffic

    What is your opinion on this?

    Again, THANKS SO MUCH for your feedback

    Best Regards,

    FT


    Tuesday, October 9, 2012 4:29 AM
  • Most public CAs will reissue your current certificate with an additional SAN for no charge except for whatever additional charge might apply to the extra SAN.

    None of my customers have required a separate Autodiscover CAS server.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Tuesday, October 9, 2012 5:04 AM
  • Thanks again Ed for your quick response. I really appreciate your feedback!!

    You guys are doing a great job in this forum. Please keep up the wonderful work you do

    Best,

    FT


    Tuesday, October 9, 2012 1:30 PM
  • Hi,

    If you use a wildcard certificate for Exchange 2010, please know that it does not support some scenarios. For example:

    • wildcard certificates can’t be used in conjunction with OCS 2007 (e.g. for secure communications for UM/OWA integration)
    • wildcard certificates are not supported for older mobile devices such as Windows Mobile 5.0

    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, October 10, 2012 1:39 AM
    Moderator
  • Sean,

    Thanks for your feedback on the wildcard certs. I was aware of the limitations with Win Mobile 5.0 and older, but I did not know about the OCS 2007 limitation. I appreciate you sharing this info.

    Best Regards,

    FT


    Wednesday, October 10, 2012 1:33 PM