I've read this, and I'm still not 100% on this.
If our Exchange server is hosting email for multiple authoritative domains, do I need matching SAN names on the SSL certificate for each one?
In our setup the AD domain is company.local, the email domain for most people is company.com, but we also have some people that have email addresses @othercompany.com.
So when I buy the SSL certificate, I assume I would need:
- mail.company.com
- autodiscover.company.com
- legacy.company.com
- mail.othercompany.com
- autodiscover.othercompany.com
- legacy.othercompany.com
Is that right?
Apart from the required internal FQDNs and server names, you only need the domains on your certificate that you need to securely access your server on (OWA or ActiveSync, for example). Your Exchange server can accept mail for any number of other domains, but if you only access OWA on mail.acme-widgets.com then that is the only external DNS name that needs to be on the certificate. As an example, our Exchange server accepts mail for about 30 domains, but we only have the following things on our certificate (pardon the whole Acme Widgets thing, but you get the idea).
If I recall correctly, when I was going through the Exchange certificate wizard it did include all of our auxiliary domains, but I chose to remove them. It shouldn't hurt to leave them on, and if the certificate wizard includes them by default, it's certainly not wrong to leave them.
Actually, if you reconfigure your Exchange correctly you can make use of only one domain / certificate (for example mail.company.com) for both internal and external access. However, then your OWA / Outlook configuration will always have to point to this chosen domain name. This is the simplest/cheapest scenario.
This link can help you to set up Exchange 2010 to use only one domain for everything. Otherwise, if you want to keep using different domain names for different people, you need to use a SAN certificate. This can be an expensive solution.
A one-domain solution for everything (internal / external access) can even be cheaper by using completely free certificates from StartSsl for 1 year (extended every year for free). If the general company name mail.company.com is too big a problem (this could be an issue if your employees wouldn't feel right accessing mail.microsoft.com while being from IBM, and vice versa - although I doubt this would be a problem in your case) you could always buy some domain name unrelated to the company's name, like mailserver.com or something similar, and use that. Then neither employees from the legacy company nor the new company will complain.
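A worked check for the two layouts the answers above describe (service names per email domain versus one name for everything). This is an added example, not code from the thread or from Exchange; the domain names, the sample SAN list and the mail./autodiscover. prefixes are constructed for illustration. One caveat the single-name layout does not remove: Outlook's Autodiscover lookup still tries autodiscover.<smtp-domain> for the user's own domain, so that name stays on the certificate for each email domain unless the domain publishes an _autodiscover._tcp SRV record (or an HTTP redirect) that sends clients to the single name. The example models that, matches names against SAN entries with the usual wildcard rules, and includes an optional live fetch of the SANs a server presents.

```python
"""Check which DNS names an Exchange client-access certificate must carry.

Added worked example, not code from the original thread. It models the two
layouts from the answers: one set of service names per email domain, or one
name (e.g. mail.company.com) for every service. Domain names, SAN lists and
service-name prefixes below are constructed for illustration; adjust them
to your own namespace.
"""
import socket
import ssl

# Constructed sample data (illustration only).
EMAIL_DOMAINS = ["company.com", "othercompany.com"]
SAMPLE_SANS = ["mail.company.com", "autodiscover.company.com"]


def san_matches(name, san):
    """True if certificate SAN entry `san` covers host `name`.

    Follows the usual RFC 6125 rules: exact match, or a wildcard that
    replaces only the leftmost label (so *.company.com covers
    mail.company.com but not company.com or a.b.company.com).
    """
    name = name.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if name == san:
        return True
    if san.startswith("*."):
        suffix = san[2:]
        head, sep, rest = name.partition(".")
        # need a real leftmost label and at least two labels in the suffix
        return bool(sep) and head != "" and "." in suffix and rest == suffix
    return False


def required_names(email_domains, layout, base=None, autodiscover_via_srv=(), extra=()):
    """Return the set of public DNS names the certificate must cover.

    layout == "per-domain": mail.<d> and autodiscover.<d> for each domain,
        as in the question's list.
    layout == "single": one `base` name serves OWA, EWS, ActiveSync and
        Outlook Anywhere for everyone. Autodiscover is the exception: Outlook
        still tries https://autodiscover.<smtp-domain>/ for a user's own
        domain, so that name is needed unless the domain publishes an
        _autodiscover._tcp SRV record (or an HTTP redirect) pointing at `base`.
    `extra` holds any further names you still need (legacy.* during a
    coexistence period, internal FQDNs, and so on).
    """
    names = set(extra)
    if layout == "per-domain":
        for d in email_domains:
            names.add(f"mail.{d}")
            names.add(f"autodiscover.{d}")
    elif layout == "single":
        if not base:
            raise ValueError("single-name layout needs a base name")
        names.add(base)
        srv_domains = set(autodiscover_via_srv)
        for d in email_domains:
            if d not in srv_domains:
                names.add(f"autodiscover.{d}")
    else:
        raise ValueError(f"unknown layout {layout!r}")
    return names


def missing_names(required, sans):
    """Names in `required` that no SAN entry covers."""
    return {n for n in required if not any(san_matches(n, s) for s in sans)}


def fetch_sans(host, port=443, timeout=5):
    """Best-effort: read the DNS SANs the server actually presents.

    Hostname checking is off so a certificate that does *not* cover `host`
    can still be inspected; chain validation stays on, so a self-signed or
    expired certificate raises ssl.SSLError. Not used by the offline checks.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for layout, base in (("per-domain", None), ("single", "mail.company.com")):
        need = required_names(EMAIL_DOMAINS, layout, base=base)
        gap = missing_names(need, SAMPLE_SANS)
        print(f"{layout:10s} needs {sorted(need)}")
        print(f"{'':10s} missing from sample cert: {sorted(gap) or 'nothing'}")
```

Run it as-is to see the per-domain layout demand four names while the single-name layout with an SRV record for othercompany.com gets by with two; point `fetch_sans("mail.company.com")` at a real server to compare what it presents against `required_names(...)` for your own domains.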