Exchange 2010 SAN or Wild Card Certificate is must ?

  • Question

  • Hello,

    We have one VeriSign cert (existing Exchange 2007, webmail.company.com). I would like to export it from Exchange 2007 and import it to Exchange 2010.

    Is a SAN or wildcard certificate a must for Exchange 2010?

    Can we use a 14-day trial VeriSign cert during the transition to Exchange 2010? We would like to use co-existence for 2 days only.

    Regards, Amjuu-Anu ..
    Sunday, September 19, 2010 10:21 PM

Answers

  • Sounds like the trial cert would work fine if you're going to retain the namespace and will be done in a couple of days. Just add the legacy name to the trial cert and copy the real one over to the 2010 environment...
    Active Directory, 4th Edition - www.briandesmond.com/ad4/
    • Proposed as answer by Allen Song Thursday, September 23, 2010 7:47 AM
    • Marked as answer by Allen Song Tuesday, September 28, 2010 9:03 AM
    Monday, September 20, 2010 2:53 AM

All replies

  • Do you want Autodiscover to work?
    Microsoft Premier Field Engineer, Exchange
    MCSA 2000/2003, CCNA
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server
    My posts are provided “AS IS” with no guarantees, no warranties, and they confer no rights.
    Sunday, September 19, 2010 10:26 PM
  • It is definitely recommended to use a multi-name SAN cert.  If you must use a single name cert check out this link:

    http://www.amset.info/exchange/singlenamessl.asp

    Written for 2007, but applicable for 2010.  You will have to use SRV records for autodiscover.  Also, OWA coexistence between 2007/2010 will not work as you will not be able to define a different name for the legacy namespace.


    Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
    Sunday, September 19, 2010 10:58 PM
  • SAN or Wild Cards are NOT required but RECOMMENDED. You will experience Outlook Anywhere issues with various clients if the certificate is not trusted with a digital signature. To do your migration you can export the private key from your existing Exchange servers and import it into the new Exchange servers w/o any service interruptions. Make sure to export and import in the cert store for the computer....

    IE.

    1. Start > Run > mmc

    2. File > Add/Remove Snap-in

    3. Choose Certificates, Add > Local computer

    4. Navigate to Personal > Certificates

    5. Look for the certificate with the key on it; you can confirm by the Friendly Name field on the far right.

    6. Right click and export, choose private key, enter password. It should be exporting as a PFX file.

    7. Copy that PFX file to the new box via network share etc.

    8. On the new Exchange box, open up the MMC and follow steps 1 to 4... this time you will right click and import, enter password, next, next, finish.

    9. At this point you need to go to IIS and set the bindings of SSL to this cert, and in Exchange assign it as well.

    PM me if you need any more help!

    GL!! 

    Monday, September 20, 2010 2:31 AM
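
Steps 8 and 9 of the reply above, done from the Exchange Management Shell on the Exchange 2010 server, with a check of the imported certificate before it is assigned to IIS. This is an added example, not part of the original thread; the PFX path and the autodiscover and legacy host names are assumptions.

```powershell
# Added example for the Exchange Management Shell on the Exchange 2010 server.
# Assumed values: the PFX path and every host name except webmail.company.com.
$pfxPath  = 'C:\Temp\webmail.pfx'
$required = 'webmail.company.com', 'autodiscover.company.com', 'legacy.company.com'

# Returns $true when a certificate name (exact, or a one-label wildcard) covers $hostName.
function Test-NameCovered([string]$certName, [string]$hostName) {
    if ($certName -eq $hostName) { return $true }
    if ($certName.StartsWith('*.')) {
        $suffix = $certName.Substring(1)                  # e.g. ".company.com"
        if ($hostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
            $label = $hostName.Substring(0, $hostName.Length - $suffix.Length)
            return ($label.Length -gt 0 -and -not $label.Contains('.'))
        }
    }
    return $false
}

# Import the PFX (certificate plus private key) copied over from Exchange 2007.
$password = Read-Host 'PFX password' -AsSecureString
$bytes    = [byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)
$cert     = Import-ExchangeCertificate -FileData $bytes -Password $password

# Check the import before binding any service to it.
if (-not $cert.HasPrivateKey)      { throw 'Imported certificate has no private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

$names   = @($cert.CertificateDomains | ForEach-Object { [string]$_ })
$missing = @($required | Where-Object {
    $h = $_
    -not ($names | Where-Object { Test-NameCovered $_ $h })
})
# A single-name certificate is expected to report the other names here.
if ($missing.Count -gt 0) {
    Write-Warning ('Names not covered by this certificate: ' + ($missing -join ', '))
}

# Assign the certificate to IIS, then delete the PFX because it holds the private key.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS
Remove-Item -Path $pfxPath

Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Thumbprint, CertificateDomains, Services, NotAfter, Status
```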