Certificate Request and Install for Exchange 2007



    Environment:  Exchange 2007 single server install. Server name is mail.domain.com.  It matches our external domain.  We have several Windows Mobile devices and several Palm devices.


    Goal:  Purchase a UCC Cert from Comodo (http://www.comodo.com/msexchange/index.html) and install it without breaking anything and A) allow mobile devices to use ActiveSync B) allow home Outlook users to use Outlook Anywhere to connect to our Exchange server without using a VPN and C) allow home OWA users to avoid annoying security alerts.


    Can someone tell me the complete cmdlet to use to generate the request??? I've read many different ways but I wanted to try this venue since every other site I have read gives me DIFFERENT information.  That way, I can have another option and just draw straws when I feel like starting into this mess.


    This link (http://msexchangeteam.com/archive/2007/07/02/445698.aspx) seems to be the best information so far but it is far from complete.  After reading it I have the following questions:


    1) Since my server name is mail.domain.com can I just use the below -domainname options:

              - mail.domain.com

              - domain.com

    2) Do I have to add the autodiscover option autodiscover.domain.com to the cmdlet????  What would happen if I did not???


    3) Would anything break if I only used the above two -domainname options?


    Thanks for your time!

    Wednesday, September 19, 2007 9:35 PM

All replies

  • Hi Cameron,


    I just posted the following on the topic that should give some background:



    And now let me see if I can add to that to answer your questions:

    1) This depends on the naming of your servers and the name under which it will appear on the internet.

    You should include the FQDN of your Exchange Server, e.g. Exchange1.domain.com, and if you will access this remotely using external DNS records you will also have to use that FQDN, such as mail.domain.com.


    2) You only have to add this domain name if you plan on using the AutoDiscovery service. If you plan on using the AutoDiscovery internal to your domain the Outlook 2007 clients will first check the SCP location specified in AD which can be changed as discussed here: http://technet.microsoft.com/en-us/library/aa995928.aspx

    You can get away with not including this domainname but if you want to use the service, it simplifies the deployment a lot.

    Other links on Autodiscovery and Certs here:




    3) As above. Probably.


    If you want a minimum I would suggest to use the following DomainName options for IIS and SMTP services.



    Other Unified Communication Cert providers (I think it was Entrust) I have looked at give you at 6 domains in the SAN field.




    Monday, September 24, 2007 3:32 AM
  • Thank you very much for the response Ryhs.


    Just to clarify... If I don't want to use Autodiscover externally I do not need to add this in my certificate request?


    Thanks again! 



    Tuesday, September 25, 2007 12:00 AM
  • If your clients are using Outlook 2007, then I suggest that you include autodiscover.... since some functions in Outlook 2007 rely on webservices to work (OOF, some calendaring stuff etc.); the only way for Outlook to find those URLs is by querying the autodiscover... webservice.


    Saturday, September 29, 2007 8:26 PM
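
The request, install and a name-coverage check for the host names discussed in this thread, as an added example for the Exchange Management Shell (not part of any post above, and not Microsoft's or Comodo's own instructions). The subject fields, the file paths under C:\certs and the `$names` list are assumptions to replace with your own values.

```powershell
# Added example. Run in the Exchange Management Shell on the Exchange 2007 server.
# Assumed names: the server/external FQDN from the thread plus the Autodiscover name.
$names = 'mail.domain.com', 'autodiscover.domain.com'

# Step 1: generate the request to submit to the CA.
# The CN in -SubjectName should be the name most clients connect to.
# Organisation fields and paths below are placeholders (assumptions).
New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'c=US, o=Example Org, cn=mail.domain.com' `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -Path 'C:\certs\mail.domain.com.req'

# Step 2: run only after the CA has returned the issued certificate.
# Import it on the same server that created the request (the private key
# lives there) and enable it for the IIS and SMTP services.
Import-ExchangeCertificate -Path 'C:\certs\mail.domain.com.cer' |
    Enable-ExchangeCertificate -Services 'IIS,SMTP'

# Step 3: confirm that every name clients will use is covered by a
# certificate that is enabled for IIS and has its private key.
foreach ($cert in @(Get-ExchangeCertificate)) {
    if ("$($cert.Services)" -notmatch 'IIS') { continue }

    $covered = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
    $missing = @($names | Where-Object { $covered -notcontains $_.ToLower() })

    Write-Host "Thumbprint : $($cert.Thumbprint)"
    Write-Host "Expires    : $($cert.NotAfter)"
    Write-Host "Private key: $($cert.HasPrivateKey)"
    if ($missing.Count -gt 0) {
        # Clients connecting by these names will get a name-mismatch warning.
        Write-Host "Missing    : $($missing -join ', ')"
    } else {
        Write-Host 'All required names are present.'
    }
}
```

If step 3 reports a missing name, the certificate has to be reissued with that name in the request; names cannot be added to an already issued certificate.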