Using an SSL certificate for Exchange 2013

Hi,
I am not sure if this is the correct forum to post this question in.
Basically we are migrating from Exchange 2007 to Exchange 2013. Our 2013 machines have both roles installed and do everything. They are configured in a DAG. We have no hardware load balancing, reverse proxy, etc., inside or outside.
We use an alias of mail.domain.com to connect to OWA/ActiveSync etc. from the Internet. This alias would point to mail1.domain.com, which is the IP of the first Exchange 2013 server.
If that server were to break, we would point the alias of mail.domain.com to mail2.domain.com, which is the IP of the second Exchange 2013 server. Clients would not need any changes before they started connecting to the remaining mail server (eventually) and email would continue.
I know this is not an ideal setup, but for now it is what we have and would keep us running in the event of server failure.
My question is, when I request a certificate, do I need two of them with mail1.domain.com and mail2.domain.com as their primary and a SAN of mail.domain.com, OR do I request one certificate with mail.domain.com as the primary host and SANs of mail1.domain.com and mail2.domain.com (and install the one certificate on both servers)?
I want to include mail1.domain.com and mail2.domain.com as this can be helpful for testing and/or during migration.
I hope that makes some sense and appreciate any help people can offer.
Thanks!

You do not need server names in the certificate if you are using mail.domain.com only in all of the URL settings. You will want autodiscover.domain.com, however.
Consider configuring a different internal and external name for Outlook Anywhere so that Outlook knows whether it is connecting from the Internet or internally. For internal Outlook Anywhere, use a name that you don't publish to the Internet.
For example, use mail.domain.com for everything except internal Outlook Anywhere; for that, use mailinternal.domain.com. Put mail.domain.com, mailinternal.domain.com and autodiscover.domain.com in the certificate.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

Similar Messages

  • Is it possible to use single ssl certificate for multiple server farm with different FQDN?

    Hi
    We generated the CSR request for a VeriSign Secure Site Pro certificate
    SSL certificate for cn=abc.com, considering abc.com as our major domain. Now we have servers in this domain like www.abc.com, a.abc.com, b.abc.com etc. We installed the VeriSign certificate and configured the ACE-20 accordingly for ssl-proxy, and we will use the same certificate generated for abc.com for all servers like www.abc.com, a.abc.com, b.abc.com etc. Now when we try to access https://www.abc.com or https://a.abc.com through Mozilla, we are able to access the service but we get this message in the certificate status: "you are connected to abc.com which is run by unknown"
    And the same message when trying to access https://www.abc.com from Google Chrome.
    "This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"
    So I know that because this certificate is for cn=abc.com, that is why we are getting such errors/status in the SSL certificate.
    Now my question is
    1. Is it possible to remove the above errors by doing some SSL configuration on the ACE?
    2. OR do we have to go for a VeriSign Wildcard Secure Site Pro Certificate, for a CSR generated using cn=abc.com, to be installed on the ACE and used for all servers like www.abc.com, a.abc.com etc.?
    Thanks
    Waliullah

    If you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate. Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate. And right now it won't because your certificate is for abc.com. You need a wildcard cert that will be for something like *.abc.com.
    Hope this helps,
    Sean
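
The check that both this thread and the Exchange 2013 thread at the top of the page turn on, whether the name the client typed matches the certificate it was handed, can be written down precisely. The Python below is an added example, not code from either thread or from any vendor. It applies the RFC 6125 rules that browsers and Outlook/ActiveSync clients follow: the requested hostname must appear as a dNSName in the Subject Alternative Name extension; the subject Common Name is consulted only when the certificate has no SAN at all (current Chrome and Firefox go further and ignore the CN entirely, so the fallback here reflects the RFC and the 2014-era clients in these threads); and a wildcard covers exactly one leftmost label, never the bare domain. The `Cert` class, the URL list under domain.com and the abc.com certificates are constructed stand-ins for the scenarios described in the two posts, not data from them.

```python
"""Hostname-to-certificate name matching (RFC 6125 section 6.4), added example.

Shows why the single-namespace certificate recommended in the Exchange thread
works without mail1/mail2 in it, and why a CN=abc.com certificate fails for
www.abc.com while *.abc.com covers one label only.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Cert:
    """Constructed stand-in for the name fields of an X.509 certificate."""
    common_name: str
    san_dns: list = field(default_factory=list)

    def names(self) -> list:
        # RFC 6125: once a SAN extension is present the CN is not consulted.
        return self.san_dns if self.san_dns else [self.common_name]


def _label_match(pattern: str, host: str) -> bool:
    """Compare one presented identifier against the requested hostname."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole leftmost label and there must be at
    # least two fixed labels after it, so "*.abc.com" is accepted but "*.com"
    # and "w*.abc.com" are rejected (browsers reject these too).
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    # Same label count plus identical tail: "*.abc.com" covers "www.abc.com"
    # but neither "abc.com" nor "a.b.abc.com".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def matches_hostname(cert: Cert, host: str) -> bool:
    """True if the client would accept cert for a connection to host."""
    return any(_label_match(name, host) for name in cert.names())


def required_names(urls) -> set:
    """Hostnames a certificate must cover for the given published URLs."""
    return {urlparse(u).hostname.lower() for u in urls}


def uncovered(cert: Cert, urls) -> set:
    """Names in the URL set that the certificate does not satisfy."""
    return {h for h in required_names(urls) if not matches_hostname(cert, h)}


# Constructed URL set following the advice in the first thread: one external
# namespace, autodiscover, and an unpublished internal Outlook Anywhere name.
EXCHANGE_URLS = [
    "https://mail.domain.com/owa",
    "https://mail.domain.com/Microsoft-Server-ActiveSync",
    "https://mail.domain.com/EWS/Exchange.asmx",
    "https://autodiscover.domain.com/Autodiscover/Autodiscover.xml",
    "https://mailinternal.domain.com/rpc",
]
EXCHANGE_CERT = Cert(
    "mail.domain.com",
    ["mail.domain.com", "autodiscover.domain.com", "mailinternal.domain.com"],
)

# Constructed certificates for the ACE thread: CN-only abc.com versus wildcard.
CN_ONLY_CERT = Cert("abc.com")
WILDCARD_CERT = Cert("abc.com", ["abc.com", "*.abc.com"])

if __name__ == "__main__":
    print("Exchange names not covered:", uncovered(EXCHANGE_CERT, EXCHANGE_URLS) or "none")
    for host in ["abc.com", "www.abc.com", "a.abc.com", "x.y.abc.com"]:
        print(f"{host:12} CN-only={matches_hostname(CN_ONLY_CERT, host)!s:5} "
              f"wildcard={matches_hostname(WILDCARD_CERT, host)}")
```

Run as a script it reports that the certificate from Ed Crowley's answer covers every published URL with no server names in it, that the CN-only abc.com certificate fails for www.abc.com, and that *.abc.com covers www.abc.com and a.abc.com but not x.y.abc.com. Note that a wildcard alone does not cover the bare abc.com either, so a wildcard certificate meant to replace the current one should also list abc.com as a SAN, as WILDCARD_CERT does.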

  • Certificate for Exchange 2013

    Hi
    Do I need to import the certificate on the mailbox servers?

    Agree with Adam. You can go through the article series below on managing certificates in Exchange 2013.
    Managing Certificates in Exchange Server 2013 (Part 1)
    Also check below...
    ---- One key difference between Exchange 2010 and Exchange 2013 is that the certificates that are used on the Exchange 2013 Mailbox server are self-signed certificates. Because all clients connect to an Exchange 2013 Mailbox server through an Exchange 2013 Client Access server, the only certificates that you need to manage are those on the Client Access server. The Client Access server automatically trusts the self-signed certificate on the Mailbox server, so clients will not receive warnings about a self-signed certificate not being trusted, provided that the Client Access server has a non-self-signed certificate from either a Windows certification authority (CA) or a trusted third party. There are no tools or cmdlets available to manage self-signed certificates on the Mailbox server. After the server has been properly installed, you should never need to worry about the certificates on the Mailbox server. ----
    Exchange 2013 certificate management UI

  • Use public SSL certificate for WebAccess 8 on SLES10 Linux S

    Currently my WebAccess 8 server is running on NetWare. I want to move my WebAccess to a SLES10 SP3 server and use a public SSL certificate from a third party on SLES 10. I think this is just a matter of getting Apache to use the public cert on the SLES 10 Linux server, with nothing to change on WebAccess, right?
    Thanks in advance.
    Wilson

    wilsonhandy wrote:
    > Currently my WebAccess 8 server is running on NetWare. I want to move
    > my WebAccess to SLES10 SP3 server and use public SSL certificate from
    > third-party on SLES 10. I think this is just to get apache to use the
    > public cert on SLES 10 Linux server and nothing to change on
    > WebAccess, right?
    Yeah, it's purely an Apache config. No need to do anything to
    WebAccess just to get SSL working.
    Novell Knowledge Partner
    Enhancement Requests: http://www.novell.com/rms

  • Use ssl certificate for Exchange Account

    Hello everyone!
    I have some problems with an Exchange instance and iPhones.
    I have a front-end server with client authentication via SSL certificates. How can I use this certificate on an iPhone to connect the iPhone to an Exchange account?
    After a few hours of googling I found only one solution, here - http://www.msexchange.org/articles-tutorials/exchange-server-2010/mobility-client-access/configuring-certificate-based-authentication-exchange-2010-activesync-part2.html
    In a few words - it can be done with the iPhone Configuration Utility.
    Is this the ONLY solution, or can I import the SSL cert directly to the iPhone?
    Thanks a lot for any help

    Hi bb9193, this will not be a short-term solution, but you might consider using an MDM solution. With MDM it is possible to uninstall and reinstall the Exchange profile over the air, so your users will not need to do more than just re-enter their Exchange password.
    Best regards,
    Detlev

  • Best practices for buying a digital certificate for Exchange 2013

    Good day friends,
    Could you indicate to me which are the best practices when buying a public digital certificate for use on Exchange Server 2013? I'd be interested in knowing your opinion about using wildcard or SAN certificates. Likewise, what are the best recommendations on which names to include, and why they should or should not include the internal FQDN of my servers?
    Currently I have an infrastructure that has two Mailbox servers, two CAS servers and an Edge 2010 server, but I'm planning to update it to Exchange 2013.
    I searched for the best practices according to Microsoft but have found little information. I would appreciate it if you can post links like Microsoft KBs and other technical documents that discuss the above.
    Thanking you for your invaluable support.
    Greetings.

    Hi,
    Personal suggestion: we can use two namespaces for your Exchange 2013:
    Autodiscover.domain.com (used for the Autodiscover service)
    Mail.domain.com (used for all Exchange services' external and internal URLs)
    Please point mail.domain.com and autodiscover.domain.com to your internet-facing CAS 2013.
    For more information about Digital Certificates and SSL in Exchange 2013, please refer to the Digital Certificates Best Practices part in the following TechNet article:
    http://technet.microsoft.com/en-us/library/dd351044%28v=exchg.141%29.aspx?lc=1033
    Additionally, here are some other scenarios about certificate planning in Exchange 2013:
    http://blogs.technet.com/b/exchange/archive/2014/03/19/certificate-planning-in-exchange-2013.aspx
    Regards,
    Winnie Liang
    TechNet Community Support

  • Use Homepage SSL certificate as exchange server certificate?

    The certificate needs to match the fully qualified domain name that you connect against.
    So if the web site uses www.domain.de and the Exchange server's OWA/ActiveSync is owa.domain.de, it won't match and you'll get errors. However, if the SSL cert is a wildcard for *.domain.de you'll be OK.

    Hi there,
    I'm a bit of a certificate DAU (German slang for a clueless user).
    I have a certificate for our homepage which is issued for "Domain123.de".
    Is it possible to use this certificate for our mail server (Exchange 2007)?
    The mail domain is "[email protected]"
    Our AD domain is "Domain456.local"
    I hope you can help me here.
    Here's some bacon to attract the pros.
    This topic first appeared in the Spiceworks Community

  • Using existing SSL Certificate for Web Dispatcher

    Hi,
    We've registered an SSL certificate with the wildcard option via GlobalSign. The history of this process is as below:
    1. We created a Certificate Request with IIS and sent it to GS (GlobalSign).
    2. They sent us the certificate file plus the GlobalSign Primary Secure Server CA and GlobalSign Server Sign CA files.
    3. We imported all certificates into IIS and then exported the certificate into a Cert.pfx file.
    4. By using this file, we are able to import the SSL certificate into the J2EE WAS 640 of the Portal system.
    5. Now we want to use the same certificate to set up a Web Dispatcher installation as an intermediate server for internet access.
    The Web Dispatcher documentation says to create a PSE and req file with the sapgenpse program and then send it to the CA (here GlobalSign) to get a certificate.
    But when we asked GS, they told us to use the certificate they sent us before. They cannot create a certificate file for the output of Web Dispatcher; we will be billed if we persist.
    So, we have to find a way to use the existing certificate to enable SSL on Web Dispatcher.
    Any idea?

    Hi Huseyin,
    I also have the same scenario. We also want to use the same certificate from verisign for our webdispatcher.
    Do you know how to do it? Can you help me?
    Thanks and Regards,
    Sailesh K

  • Wildcard certificate for Exchange 2013

    Hello!
    I have a testing network with Exchange 2013 SP1 and a Windows Server 2012 R2 domain controller with a CA installed.
    For testing purposes I issued a wildcard certificate for my Exch2013 from my local CA using the Web Server template and installed it on the Exchange server.
    Now when I open, for example, the ECP or OWA page I'm getting an error stating my certificate is wrong:
    Q1) Is a Windows CA capable of issuing wildcard certificates?
    Q2) If Q1=yes, then what can be the cause of the problem?
    Thank you in advance,
    Michael

    Hi Michael,
    Please click "Certificate error" in IE to view the details about the error. If the error is related to an untrusted certificate, please open Internet Explorer, click Settings > Internet Options > Content > Certificates. In the Certificates dialog box, click the Trusted Root Certification Authorities tab and check if your certificate is in the list.
    If the certificate is not in the list, we can install the certificate in the Trusted Root certificate store by following the KB below:
    http://support2.microsoft.com/kb/2006728
    If the certificate error is related to a name mismatch, please confirm that this certificate is assigned to the IIS service. If not, please enable it for the IIS service and restart IIS to have a try. To double-check the Exchange certificate, we can run the following command:
    Get-ExchangeCertificate | FL
    Regards,
    Winnie Liang
    TechNet Community Support

  • Configuring CA Certificate for Exchange 2013

    Hello,
    I have two Exchange 2013 servers running both the CAS and MB roles which are also part of a DAG. To secure mail flow in and out of my organization, I am planning to implement a reverse proxy in my DMZ. I can easily access my OWA using my DAG name. I wonder if I can configure my reverse proxy machine to access the cluster name/IP. I am also confused about configuring the certificate. Which one of my machines should be used to create the CSR?
    Pooriya Aghaalitari

    Hey David,
    I just got to learn about this after I sent the post. So I can create the certificate and import/export it to the other servers, right? Thanks a lot, man.
    Regards,
    Pooriya
    Pooriya Aghaalitari
    Yes. In fact, you want to make sure all the certs applied to the CAS are the same (same thumbprint).

  • Upgrade SSL Certificate for Exchange Server

    Hi Folks,
    I need to upgrade the SSL certificate on my Exchange Server, so it can negotiate encryption and authorization to an upstream SMTP smart host. This means that the certificate I need is not necessarily a server certificate, because in this scenario Exchange Server is acting as a client to the upstream SMTP smart host. I have openssl at my disposal, so making the certificate is not a problem, but installing it in the correct location and testing that I've done what I think I've done is.
    Thanks for the help,
    Chris.

    Hi,
    Please just make sure the primary certificate on your Exchange server with the SMTP service is valid and trusted by your SMTP smart host.
    Thanks,
    Winnie Liang
    TechNet Community Support

  • Self Signed Certificate for Exchange 2013

     
    What's the drawback of using a self-signed certificate in a production environment?

    Hi,
    Based on my research, here are the disadvantages of self-signed certificates:
    1. The certificates aren't trusted by other applications/operating systems. This may lead to authentication errors etc.
    Note: To overcome this limitation, some IT staff add the self-signed certificates to the Trusted Root Certification Authorities. However, using this workaround may add to the time needed for management and troubleshooting.
    2. Self-signed certificates' lifetime is usually 1 year. Before the year has ended, the certificate may need to be renewed/replaced.
    3. Self-signed certificates may use low hash and cipher technologies. Due to this, the security level implemented by self-signed certificates may not satisfy the current security policy etc.
    4. No support for advanced PKI (Public Key Infrastructure) functions (e.g. online checking of the revocation list etc.).
    5. Most of the advanced features of server-side applications require a PKI (Public Key Infrastructure) to be implemented. Because of this, the advantages of self-signed certificates can't be used.
    For more information, you can refer to the following article:
    http://blogs.microsoft.co.il/yuval14/2011/09/23/the-advantages-and-disadvantages-of-using-self-signed-certificates/
    Thanks,
    Angela Shi
    TechNet Community Support

  • New SSL certificate for Exchange, iPhones won't accept without delete/recreate of account on phone.

    Our Network Solutions security certificate was about to expire so we renewed it, however once it was installed on the Exchange 2007 server the phones would no longer connect.  How do you get the iPhones that are already connected to your Exchange server to recognize the new certificate?


  • Certificate Authority for Exchange 2013

    Dear,
    I will install Exchange 2013; do I need to install the Certificate Authority role as well?
    If it is necessary to install this CA, should it simply be combined with the ADDS server or the Exchange Server, or put on a separate server?
    Thanks

    Hi,
    As all above say, Exchange 2013 can use the self-signed Exchange certificate which is installed automatically after Exchange 2013 installation. But please note that this self-signed certificate would not be trusted for Exchange use.
    If your Exchange 2013 is not internet-facing, we can use the self-signed certificate in your internal domain environment. If you want to publish your Exchange 2013 to the internet and send/receive external mails, we need to have a valid and trusted certificate for Exchange use.
    To get a trusted certificate, we can deploy an Enterprise root CA which self-signs its own CA certificate and uses Group Policy to publish that certificate to the Trusted Root Certification Authorities store of all servers and workstations in the domain. Or we can directly buy a third-party certificate.
    About where to install the CA, my personal suggestion is to install ADCS (Active Directory Certificate Services) on a standalone server. You can also install it on your DC. About how to install a Root Certification Authority, please refer to:
    http://technet.microsoft.com/en-us/library/cc731183.aspx
    Regards,
    Winnie Liang
    TechNet Community Support

  • Iplanet 6.0 creating a development SSL certificate for internal use

    With IHS I can create my own SSL certificate when I want to do development work locally. I don't need to pay for a commercial one.
    Is there a tool to create my own SSL certificate for development work with iPlanet 6.0?
