Exchange 2010 certificates

[PR.]

This is driving me mad!

Last year I just lost my patience and bought a wildcard ssl for our domain, it works quite well but Outlook throws up a prompt when it uses Autodiscover.

Now the cert is up for renewal I decided to get a UCC cert instead. However no matter how much I read I can't seem to get a definite answer on whether to include the internal FQDNs of the mailbox servers.

Running through the "New Exchange Certificate..." in the Exchange console and that seems to include internal names:

autodiscover.emaildomain1.com
autodiscover.emaildomain2.com
autodiscover.domain.com
emaildomain1.com
owa.domain.com
servername1.domain.com
servername2.domain.com
servername3.domain.com

 

[Burnsy2023]

Yes, you need internal FQDNs unless you want a certificate error internally.

 

[PR.]

Hurrah, thanks, certificate ordered!

 

[#Chri5#]

Sembee has a good blog on SSLs for Exchange 2007 / 10.

He recommends:

mail.example.com (this is the common name, the name that your MX records point to will be used for OWA,IMAP/POP3/SMTP and Exchange ActiveSync - plus it is the reverse DNS record on your static IP address)
autodiscover.example.com (self explanatory)
server.example.local (this is the Exchange server's real internal name)
server (this is the Exchange server's NETBIOS name).

 

[Burnsy2023]

I don't see the need for a NETBIOS name entry.

 

[PR.]

I didn't include the NETBIOS names in my cert and so far so good!

 

[brainchylde]

Depends if your users use the internal netbios name at all. If you have a server called "mail". then "https://mail/owa" for web access will kick an error without the netbios name.

 

[Burnsy2023]

Depends if your users use the internal netbios name at all. If you have a server called "mail". then "https://mail/owa" for web access will kick an error without the netbios name.

You could just redirect to the FQDN though.

 

[#Chri5#]

True, though a lot of UCC SSLs start at five names, so you might as well put it in.