SSL Certificate for Exchange 2010

  • Question

  • What should I do if I have different domain names for internal & external?
    internal: exchange.myofficedomain.com
    external: exchange.ouroffice.com

    I've bought a cert for the external name, but upon configuring it, my internal users face certificate problems when using their Outlook.
    Is there any way to have a self-signed internal cert + CA-signed external cert co-exist?
    Thanks.
    Friday, March 16, 2012 3:34 AM

Answers

  • Hi

    You should get a Unified Communications Certificate (UCC) which allows you to create a cert with multiple alternate names. As a minimum you will need your OWA, autodiscover and probably your CAS Array name on this cert - you haven't provided any details of your environment so it is tricky to say for sure.

    One thing that you could do is to create a zone in your internal AD DNS for your external domain then you wouldn't have to include both internal and external names on the certificate.

    This article may be of use to you: http://technet.microsoft.com/en-us/library/dd351044.aspx

    Cheers, Steve

    Friday, March 16, 2012 10:06 AM
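
An added example (not part of the original thread): a small Python check of which client-facing host names a certificate's subject alternative names cover, applied to the two names from the question and to the UCC and internal-DNS-zone options in the answer above. `autodiscover.ouroffice.com` and the function names are assumptions made for illustration.

```python
def san_matches(host: str, san: str) -> bool:
    """True if a dNSName SAN entry covers host (wildcard = exactly one left-most label)."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        # *.a.com covers x.a.com, but not a.com and not y.x.a.com
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return host == san


def uncovered(client_names, san_list):
    """Names that clients connect to but no SAN entry covers (each one is a name-mismatch warning)."""
    return [n for n in client_names if not any(san_matches(n, s) for s in san_list)]


# Host names from the question; the autodiscover name is assumed for illustration.
EXTERNAL = ["exchange.ouroffice.com", "autodiscover.ouroffice.com"]
INTERNAL = ["exchange.myofficedomain.com"]


def scenarios():
    single = ["exchange.ouroffice.com"]   # certificate bought for the external name only
    ucc = EXTERNAL + INTERNAL             # UCC/SAN certificate listing every name in use
    return {
        # Internal Outlook clients connect to the internal name, so it is reported as uncovered.
        "single_cert": uncovered(EXTERNAL + INTERNAL, single),
        "ucc_all_names": uncovered(EXTERNAL + INTERNAL, ucc),
        # Internal DNS zone for ouroffice.com: internal clients use the external names too,
        # so a certificate carrying only the external names is sufficient.
        "ucc_external_names_with_internal_zone": uncovered(EXTERNAL, EXTERNAL),
    }


if __name__ == "__main__":
    for name, missing in scenarios().items():
        print(f"{name}: {'OK' if not missing else 'not covered: ' + ', '.join(missing)}")
```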

All replies

  • You do not need the CAS array on the SSL certificate as the CAS array is used for TCP MAPI traffic only.
    If you want to use a single name for a load balancer internally then this should be a different name to the CAS array host. Furthermore the CAS array host name should NOT resolve externally.

    Simon.


    Simon Butler, Exchange MVP

    Friday, March 16, 2012 10:45 AM
  • Hello,

    “Is there any way to have a self-signed internal cert + CA-signed external cert co-exist?”

    No, only one certificate can be bound to the IIS service.

    Thanks,

    Simon

    Monday, March 19, 2012 6:03 AM