Exchange 2010 SSL certificate requirements for multiple domains

exchange-2010ssl-certificate

I've read this, and I'm still not 100% on this.

If our Exchange server is hosting email for multiple authoritative domains, do I need matching SAN names on the SSL certificate for each one?

In our setup the AD domain is company.local, the email domain for most people is company.com, but we also have some people that have email addresses @othercompany.com.

So when I buy the SSL certificate, I assume I would need:

  • mail.company.com
  • autodiscover.company.com
  • legacy.company.com
  • mail.othercompany.com
  • autodiscover.othercompany.com
  • legacy.othercompany.com

Is that right?

Best Answer

Apart from the required internal FQDN's and server names, you only need the domains on your certificate that you need to securely access your server on (OWA or ActiveSync for example). Your Exchange server can accept mail for any number of other domains, but if you only access OWA on mail.acme-widgets.com then that is the only external DNS name that needs to be on the certificate.

As an example, our Exchange server accepts mail for about 30 domains, but we only have the following things on our certificate (pardon the whole Acme Widgets thing, but you get the idea).

svr03                               (Internal server name)
mail.acme-widgets.com               (OWA domain)
autodiscover.corp.acme-widgets.com  (AutoDiscover internal FQDN)
autodiscover.acme-widgets.com       (AutoDiscover external FQDN)
legacy.acme-widgets.com             (Legacy domain)
svr03.corp.acme-widgets.com         (Internal FQDN)

If I recall correctly, when I was going through the Exchange certificate wizard it did include all of our auxiliary domains, but I chose to remove them. It shouldn't hurt to leave them on, and if the certificate wizard includes them by default, it's certainly not wrong to leave them.

Related Topic