Certificate too long - too many accepted domains

  • Question

  • In creating/setting up the certificate for our newly installed Exchange 2010 (test lab) I ran into an issue where the certificate was too long when I went to assign it to services. The reason being I believe is that we have a large number of accepted domains (60 in all). This is a state email system and we are obligated to provide access for smaller agencies. Previously in 2007 we were using a wild card certificate. Do I really need to include all 60 in the legacy domains, autodiscover & Hub Transport TLS (yes we need TLS) section of creating the certificate or just the primary URLs for our organization? Any way to maybe increase the size cap beyond 4096?
    Friday, April 22, 2011 2:22 PM

Answers

  • Hiya,

    You could consider using SRV records for each accepted domain to limit the number of autodiscover.accepteddomain.com records you require to just one, that should remove the number of certificates required for those accepted domains. I don't expect you would require multiple domains for your legacy namespace as (typically) only one name will be specified as the ExternalURL when you transition your Exchange 2007 CAS.

    Another option may be to generate separate SAN certificates for your Exchange 2010 CAS and legacy namespace. As Ed says the SMTP TLS certificate usually only needs a small number of names, but again you could use a separate SAN certificate for Hub Transport roles also.

    Steve


    Steve Goodman
    Check out my Blog for more Exchange info or find me on Twitter

    Friday, April 22, 2011 8:14 PM
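The approach in the answer above, written out as an added example for the Exchange Management Shell (this is not code from the thread or from Microsoft documentation). It issues one SAN request that names only the primary CAS namespace, a second small request for Hub Transport TLS, binds each certificate to just its own services, and then publishes one Autodiscover SRV record per accepted domain so those domains never need to appear on the certificate. All host and zone names (state.example, agency1.example, dns01.corp.state.example, the C:\certs paths) are placeholders, and the accepted-domain list is a constructed two-entry sample standing in for the 60 in the question.

```powershell
# Added example, not from the thread. All names and paths below are placeholders.
# Run in the Exchange Management Shell on an Exchange 2010 Client Access Server.

# 1) CAS certificate request: only the names clients actually connect to.
#    Accepted-domain autodiscover names are deliberately omitted; the SRV
#    records in step 4 redirect them to autodiscover.state.example instead.
$casNames = @(
    'mail.state.example',          # OWA / ActiveSync / Outlook Anywhere external URL
    'autodiscover.state.example',  # the single autodiscover host every SRV record targets
    'cas01.corp.state.example'     # internal FQDN, if internal clients use it
)
$casReq = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=mail.state.example, O=State Agency, C=US' `
    -DomainName $casNames `
    -FriendlyName 'Exchange 2010 CAS' `
    -PrivateKeyExportable $true `
    -KeySize 2048
Set-Content -Path 'C:\certs\cas.req' -Value $casReq

# 2) Separate Hub Transport TLS request: the SMTP name(s) only, as Ed notes.
$hubNames = @('smtp.state.example', 'hub01.corp.state.example')
$hubReq = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=smtp.state.example, O=State Agency, C=US' `
    -DomainName $hubNames `
    -FriendlyName 'Exchange 2010 Hub Transport TLS' `
    -PrivateKeyExportable $true `
    -KeySize 2048
Set-Content -Path 'C:\certs\hub.req' -Value $hubReq

# 3) After the CA returns the signed certificates, import each one and bind it
#    only to the services it covers (IIS for the CAS namespace, SMTP for TLS).
$casCert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path 'C:\certs\cas.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $casCert.Thumbprint -Services IIS

$hubCert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path 'C:\certs\hub.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $hubCert.Thumbprint -Services SMTP

# 4) One _autodiscover._tcp SRV record per accepted domain, in that domain's
#    public zone, pointing at the single autodiscover host on port 443.
#    dnscmd syntax: /RecordAdd <zone> <node> SRV <priority> <weight> <port> <target>
$acceptedDomains = @('agency1.example', 'agency2.example')   # constructed sample list
foreach ($zone in $acceptedDomains) {
    dnscmd dns01.corp.state.example /RecordAdd $zone _autodiscover._tcp SRV 0 0 443 autodiscover.state.example
}

# 5) Check what ended up on each certificate and which services it is bound to.
Get-ExchangeCertificate | Format-List Thumbprint, Services, CertificateDomains, NotAfter
```

The trade-off worth checking before rolling this out: when Outlook follows an SRV record to an autodiscover host in a different domain it shows a confirmation prompt the first time, which users may find confusing (the later reply in this thread mentions exactly that), so test the client experience for one agency domain before adding records for all of them. The step 5 output is also the place to confirm that no certificate is bound to a service whose names it does not carry.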

All replies

  • You mean for SMTP?  I believe that the only thing you need in your certificate for SMTP is the server name.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Friday, April 22, 2011 4:41 PM
  • For more information about the Exchange Certificate, please refer to the following articles:

    http://technet.microsoft.com/en-us/library/cc164344(EXCHG.80).aspx#Types

    http://msexchangeteam.com/archive/2007/07/02/445698.aspx

    Thanks,

    Simon

    Wednesday, April 27, 2011 6:40 AM
  • I also take care of a state email system with 120 agencies.  We are running Exch 2007 and have run into problems with using SRV records, nothing big, just pop ups that cause confusion.  I was wondering if we could talk, and maybe trade some ideas.  I have some questions about how you used a wild card cert.  Our certs are about to expire and I am thinking about replacing them with a wild card cert.

    Let me know by replying back - 

    Thursday, July 21, 2011 7:35 PM