Comments on: Configure an SSL Certificate for Exchange Server 2010

By: Paul Cunningham

Paul Cunningham — Sun, 20 May 2012 11:36:17 +0000

The new-exchangecertificate cmdlet has a -GenerateRequest parameter that determines whether the cmdlet will generate a request for a CA or a self-signed cert.

Read more about it here:
http://technet.microsoft.com/en-us/library/aa998327.aspx

By: Gary

Gary — Sun, 13 May 2012 13:39:07 +0000

Hi Paul,
Great read, but I do have one question. How does one go about recreating the default 5 year SSL certificate for exchange 2010. I have found loads on creating the 1 year self-cert. ones but nothing for the 5 year one that Exchange 2010 creates for itself when setting up. I far as I know, this is done through Exchange Management Shell.

By: Sergio da Costa

Sergio da Costa — Mon, 23 Apr 2012 11:05:06 +0000

Hi Paul,
We implementing a Exchange 2003 transition to 2010.
They currently use a Entrust cert for owa, with say mymail.mydomain.co.my
Now we would like to keep this owa site the same when we switch to 2010.

Can i include this mymail.mydomain.co.my in my SAN cert without revoking or changing the original cert on 2003?

So SAN cert name would be for mail.mydomain.co.my but include mymail.mydomain.co.my
Will this work?

By: Paul Cunningham

Paul Cunningham — Thu, 19 Apr 2012 11:41:13 +0000

Yes they may, which is explained in a bit more detail here:

http://exchangeserverpro.com/autodiscover-ssl-warnings-exchange-2010-migration

By: Stephen Buckton

Stephen Buckton — Tue, 17 Apr 2012 15:13:43 +0000

Hi Paul, just a quick question. I have a single server Exchange 2003/Outlook 2010 environment and I’m about to transition to Exchange 2010, once I build my Exchange 2010 server with the typical components will my clients start receiving certificate errors prior to me installing a SAN certificate or will this only happen if I migrate the mailbox onto Exchange 2010?
Thanks
Stephen.

By: Paul Cunningham

Paul Cunningham — Wed, 11 Apr 2012 11:13:18 +0000

Internally the autodiscover names are the FQDN of the CAS, or at least by default.

Generally speaking for your SAN cert you’ll need:
- the FQDN of each CAS
- the Autodiscover name for each primary SMTP namespace
- the DNS name for OWA, ActiveSync, and Outlook Anywhere

So, for example:

server.domain.local
autodiscover.domain.com
mail.domain.com

Your SAN cert can include all CAS, or you can do a different cert per CAS. If you add a CAS later on you can provision a new SAN cert, or if your cert provider allows it re-issue the existing cert with the additional name. Digicert is very flexible when it comes to situations like that, as well as situations where you might make a mistake and leave a name off by accident.

By: Toby Atkins

Toby Atkins — Wed, 11 Apr 2012 10:53:55 +0000

Thanks for your response Paul, much appreciated.
It sounds like one SAN cert is the way to go. I will contact the certificate issuer and see if I can upgrade it so I don’t waste my money.
When buying my SAN cert, do I need to include my internal domain names? I guess if I’m using OWA internally I need to buy mail.mydomain.local. What about autodiscover? Everybody in our company has an external SMTP address as their primary email address, so do we need autodiscover.mydowmain.local? And if so, what happens when we add further Exchange servers to our expanding domain? If we have many Exchange servers and shared DNS then doesn’t that mean we will need many internal autodiscover addresses?
Sorry for all the noobie questions.

By: Paul Cunningham

Paul Cunningham — Wed, 11 Apr 2012 10:36:09 +0000

You’re seeing that error because you haven’t filled out the rest of the new certificate wizard mandatory fields.

To answer your question, all of the Exchange web services such as OWA, ActiveSync, Autodiscover and so on are served off one IIS website. An IIS website can only have one SSL cert bound to it. Therefore, you can only use one cert for Exchange, hence the use of SAN certs.

However, you can create an additional IIS website and create new virtual directories off that for different Exchange web services, and have a different SSL cert bound to that website. But since you’re new to Exchange I wouldn’t recommend it, and to be honest even experienced people tend to stick to just one IIS website and use a SAN cert for ease of deployment and administration.

By: Toby Atkins

Toby Atkins — Wed, 11 Apr 2012 10:25:07 +0000

Being new to Exchange 2010 I decided I didn’t need to purchase a SAN certificate, so instead I only purchased a certificate for webmail.mydomain.com. I have now learnt that Outlook would be much happier if I had a trusted certificate for autodiscover.mydomain.com.
So, I am trying to add a new certificate for autodiscover.mydomain.com using EMC. Under Exchange Configuration the only thing I have ticked is Autodiscover on the Internet, and I have specified my autodiscover URL. However when I click next I get an error like this:-
Some controls aren’t valid.
Looking at your comment just above, does this mean I cannot add an additional cert, I’ve got to scrap the one I’ve got already and replace it with a SAN cert?
– Input String cannot be empty.
– Input String cannot be empty.

By: Paul Cunningham

Paul Cunningham — Wed, 28 Mar 2012 12:29:29 +0000

The problem is that only one cert can be assigned to IIS at a time. So if you use cert 1, then Autodiscover (which is a web service using HTTPS) has the wrong certificate, and then if you use cert 2 then all the other web services have the wrong certificate.

The best solution is to use a SAN certificate, which I’ve described in more detail here:
http://exchangeserverpro.com/exchange-2010-ssl-certificates