Question: can I use a wildcard SSL certificate on my Exchange 2010 server?
Answer: Yes, you can.
What is a wildcard SSL certificate? From Microsoft TechNet:
A wildcard certificate is designed to support a domain and multiple subdomains. For example, configuring a wildcard certificate for *.contoso.com results in a certificate that will work for mail.contoso.com, web.contoso.com, and autodiscover.contoso.com.
The attractiveness of wildcard SSL certificates is that they are usually cheaper than other types of certificates, and they make some Exchange Server configurations easier to manage.
Support for Exchange 2010 and Wildcard SSL Certificates
The support question is a relatively easy one to answer. Yes, they are supported from a vendor perspective. One clue for this is that wildcard SSL certificates are an option in the Exchange 2010 new certificate wizard. Microsoft does not make a habit of including options in Exchange Server that will lead you down an unsupported path.
However, they are not supported in all scenarios. For example:
- wildcard certificates can’t be used in conjunction with OCS 2007 (e.g. for secure communications for UM/OWA integration)
- wildcard certificates are not supported for older mobile devices such as Windows Mobile 5.0
Security Implications for Exchange 2010 and Wildcard SSL Certificates
The security question is also relatively easy to answer. The common assumption is that wildcard SSL certificates are less secure than other SSL certificates.
Microsoft’s own documentation even references “security implications”.
…many customers are uncomfortable with the security implications of maintaining a certificate that can be used for any sub-domain. A more secure alternative is to list each of the required domains as SANs in the certificate. By default, this approach is used when certificate requests are generated by Exchange.
Verisign/Symantec describes some of those implications here:
- Security: If one server or sub-domain is compromised, all sub-domains may be compromised.
- Management: If the wildcard certificate needs to be revoked, all sub-domains will need a new certificate.
However, put those concerns in the context of your Exchange organization. If you’re using a wildcard SSL certificate to secure a single, internet-facing Client Access server then the above issues do not create much concern.
On the other hand, if you’re deploying a large, global Exchange organization with multiple geographic entry points for various services, or with those services spread over many servers, then those issues are of greater concern.
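To make the scope difference concrete, here is an added example (not from the original post or from Microsoft’s documentation) that applies the standard hostname-matching rules a TLS client uses to a wildcard certificate and to a SAN certificate. The host and certificate names are constructed for illustration.

```python
def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (CN or SAN dNSName) covers hostname.

    Follows the usual RFC 6125 rules: a wildcard may only be the entire
    leftmost label and stands in for exactly one label."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname          # plain name: exact match only
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Reject partial wildcards (f*.contoso.com) and bare *.com style names.
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    # One label only: *.contoso.com covers mail.contoso.com but neither
    # contoso.com itself nor eu.mail.contoso.com.
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def covered_names(cert_names, hostnames):
    """Hostnames the certificate would authenticate.

    Every covered name is protected by the same private key, so a key
    compromise on any one of those servers affects all of them (Verisign's
    first point above)."""
    return sorted(h for h in hostnames
                  if any(name_matches(n, h) for n in cert_names))


# Constructed names for a small Exchange 2010 namespace (not from the post).
HOSTS = [
    "mail.contoso.com", "web.contoso.com", "autodiscover.contoso.com",
    "contoso.com", "eu.mail.contoso.com", "legacy.contoso.com",
]
WILDCARD_CERT = ["*.contoso.com"]
# The Exchange wizard lists each required name as a SAN by default.
SAN_CERT = ["mail.contoso.com", "autodiscover.contoso.com"]

if __name__ == "__main__":
    print("wildcard covers:", covered_names(WILDCARD_CERT, HOSTS))
    print("SAN cert covers:", covered_names(SAN_CERT, HOSTS))
```

Note that the wildcard also picks up legacy.contoso.com, a host nobody deliberately put on the certificate, while it does not cover the bare domain or a second level such as eu.mail.contoso.com.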
So in conclusion, yes, Exchange 2010 supports wildcard SSL certificates, and no, they are not necessarily less secure than other certificates.
However, do your due diligence and make sure that the specific support and security scenarios that do exist will not adversely impact your own Exchange 2010 deployment.