Exchange 2010 - Why do I need to use a UCC certificate?

    Question

  • I used a single domain SSL certificate for Exchange 2003 and everything worked just fine. My company got Exchange 2010 and now I'm being told that I need the more expensive 5 slot UCC certificate. Why can't I continue to use the single domain certificate?
    Monday, January 17, 2011 4:47 AM

Answers

  • Hi,

    Take a look at this article.

    http://blog.sembee.co.uk/post/Exchange-2007-and-SSL-Certificates-Take-2.aspx

    Thanks.

    • Proposed as answer by Novak Wu Wednesday, January 19, 2011 6:49 AM
    • Marked as answer by Novak Wu Friday, January 21, 2011 1:50 AM
    Tuesday, January 18, 2011 10:17 PM
  • While it is possible to run Exchange 2010 with a single name SSL certificate - the product is designed to be used with a UCC certificate.

    The reason a UCC is used is because of the multiple ways that Exchange is accessed. Web Services is key to the product, it isn't just OWA which is secured via IIS. It is autodiscover, availability, web services, offline address book distribution. It all needs to be accessed in a secure manner.

    You can only use a single name certificate with Exchange 2010 and Outlook 2007 and higher IF your external provider supports SRV records. If not, then you will have to use a UCC certificate for full functionality.

    Simon.


    Simon Butler, Exchange MVP
    • Marked as answer by Novak Wu Friday, January 21, 2011 1:50 AM
    Tuesday, January 18, 2011 10:32 PM

All replies

  • The issue is autodiscover, which is required for all versions 2007+. If all your machines are domain joined and you are not going to use Outlook Anywhere, you can get away with a single name cert.

    Normally you will have a cert with (internally):

    CAS-Array FQDN
    Autodiscover FQDN

    Externally:

    Webmail / OA / ActiveSync FQDN
    Autodiscover FQDN

    Casper Pieterse, Principle Consultant - UC, Dimension Data South Africa, Microsoft Certified Master: Exchange 2007
    Monday, January 17, 2011 6:23 AM
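
Added example, not part of the thread and not written by any of the posters: a small check of which of the names listed in the reply above are covered by a certificate's subject alternative names, comparing a single name certificate with a UCC. All hostnames and SAN lists are constructed, and the matcher also handles wildcard entries, which the thread does not discuss.

```python
# Added example: all hostnames and SAN lists below are constructed for illustration.

def name_matches(san: str, host: str) -> bool:
    """True if one DNS SAN entry covers host (case-insensitive)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # A wildcard stands for exactly one left-most label:
    # *.example.com covers mail.example.com, not example.com or a.b.example.com.
    label, _, parent = host.partition(".")
    return bool(label) and bool(parent) and parent == san[2:]

def uncovered(sans, required):
    """Return {role: host} for each required name that no SAN entry covers."""
    return {role: host for role, host in required.items()
            if not any(name_matches(s, host) for s in sans)}

# Names clients connect to, following the internal/external list in the reply above.
REQUIRED = {
    "CAS array (internal)": "casarray.corp.example.com",
    "Autodiscover (internal)": "autodiscover.corp.example.com",
    "Webmail / OA / ActiveSync (external)": "mail.example.com",
    "Autodiscover (external)": "autodiscover.example.com",
}

SINGLE_NAME = ["mail.example.com"]
UCC = ["mail.example.com", "autodiscover.example.com",
       "casarray.corp.example.com", "autodiscover.corp.example.com"]
WILDCARD = ["*.example.com"]

if __name__ == "__main__":
    for label, sans in [("single name", SINGLE_NAME), ("UCC", UCC),
                        ("wildcard", WILDCARD)]:
        missing = uncovered(sans, REQUIRED)
        print(f"{label}: {len(REQUIRED) - len(missing)}/{len(REQUIRED)} names covered")
        for role, host in missing.items():
            print(f"  name mismatch for {role}: {host}")
```

Every name reported as a mismatch is one where a client would see a certificate name warning or refuse the connection.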