Channel: Exchange Server 2010 forum

About SSL Certificates for Exchange 2010

I’m planning to introduce the first Exchange 2010 server to my Exchange 2007 organization. I’m planning the SSL cert and I was wondering if I could get some feedback from you guys.

1. I understand that when the first Exchange 2010 CAS server is introduced in an existing Exchange 2007 org, we may expect SSL certificate warnings relating to the Autodiscover service as soon as the server is up and running. One way to deal with this is to apply the appropriate SSL certificate to the new Exchange 2010 CAS server. I was planning to purchase a new UCC (SAN) cert from our commercial Certificate Authority prior to the introduction of the first Exchange 2010 CAS server. I know I can generate the SSL request file from the new Exchange 2010 CAS server once it is set up; however, after talking to the commercial Certificate Authority, I realized that the new SAN certificate could take up to 3 days to get issued (it could be faster but I’m not sure). I cannot afford to get these SSL certificate warnings for so long, so I was wondering if I could generate the request from the current Exchange 2007 CAS server instead. Would that be any problem? If not, I could generate the new SAN certificate request from the Exchange 2007 CAS server; once I get the cert, I would import it to Exchange 2007 (I already have SSL on the Exchange 2007 server but need to add legacy.domain.com to it). Then I would export the SAN cert from Exchange 2007 (which will have the names I also need for the new Exchange 2010 server) and have it ready so I can import the cert to the Exchange 2010 server as soon as it is up and running. Would that work ok?

2. Another aspect in regards to SSL certs is around the names to be included in the cert. I have read and seen on slides shown in Microsoft webcasts that machine hostnames should not be listed in the cert’s hostname list, as the goal is to minimize the number of hostnames. However, I’ve also seen on some sites and in books that admins include host server names in the SSL certificate names.

I guess that what is not clearly explained in the webcasts I’ve seen is the fact that if your organization is implementing split DNS (having an internal DNS zone that matches your external internet DNS), then you can also use the external DNS namespace (i.e. mail.domain.com) to configure the internalURLs, and therefore there is no need to include host server names (FQDNs of CAS servers) in the SSL certificate names. So, bottom line, the internal URLs will depend on whether or not you use split DNS for the Exchange 2010 implementation, and that in turn will determine whether or not it is necessary to include host server names in the SSL certificate.

If I use split DNS, then I don’t have to include Exchange hostnames in the SSL cert, and what I would have to do is change the internalURLs, which by default reference the FQDN of the CAS server, to use the external namespace (i.e. mail.contoso.com), following the instructions in this article: http://support.microsoft.com/kb/940726

Am I understanding this correctly?

3. Wildcard certificates vs. SAN certificates for Exchange 2010: I understand that wildcard certificates are supported by Exchange 2010, although the recommendation is to use a SAN cert. Can someone share their experience when using wildcard certs? We already have a wildcard certificate, so it would be nice if we could use it for Exchange 2010.

Thanks in advance!

FT
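The sequence FT describes in points 1 and 2 (request the SAN cert on the 2007 CAS with an exportable key, complete and enable it there, move it as a PFX to the 2010 CAS, then point the 2010 internal URLs at the split-DNS namespace), written out as an added example that is not part of FT's post or any Microsoft documentation. The namespace contoso.com, the hostnames mail/autodiscover/legacy.contoso.com, the server name EX2010CAS, the file paths and the subject name are all assumptions; the first half is typed in the Exchange 2007 Management Shell and the second half in the Exchange 2010 Management Shell, because the certificate cmdlets take file paths in 2007 but raw bytes (-FileData) in 2010. The last function is a check a practitioner would run afterwards: it confirms every internal URL host on the 2010 CAS is actually present in the certificate's SAN list (or matched by a wildcard entry, for point 3), which is exactly the mismatch that produces the Autodiscover warnings.

```powershell
# ==== Part 1: Exchange 2007 Management Shell on the existing 2007 CAS ====
# Hostnames and paths below are assumptions for this example.
$sanNames = "mail.contoso.com", "autodiscover.contoso.com", "legacy.contoso.com"

# Generate the UCC/SAN request. -PrivateKeyExportable is the critical setting:
# without it the key can never leave this server and the 2010 CAS cannot reuse the cert.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Contoso Ltd, cn=mail.contoso.com" `
    -DomainName $sanNames `
    -PrivateKeyExportable $true `
    -Path C:\certs\exchange-san.req

# ... submit C:\certs\exchange-san.req to the commercial CA and wait for the .cer ...

# Completing the pending request binds the issued cert to the exportable key;
# the cmdlet returns the certificate object, so its thumbprint can be reused directly.
$cert = Import-ExchangeCertificate -Path C:\certs\exchange-san.cer
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# Export cert + private key as a password-protected PFX for the 2010 server.
$pfxPassword = Read-Host "PFX password" -AsSecureString
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Password $pfxPassword -Path C:\certs\exchange-san.pfx

# ==== Part 2: Exchange 2010 Management Shell on the new 2010 CAS (EX2010CAS) ====
$pfxPassword = Read-Host "PFX password" -AsSecureString
$pfxBytes = [Byte[]](Get-Content -Path C:\certs\exchange-san.pfx -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $pfxBytes -Password $pfxPassword
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# Split DNS: internal URLs use the public namespace, so the CAS FQDN never has to be in the cert.
$server = "EX2010CAS"
$ns     = "mail.contoso.com"
Set-ClientAccessServer -Identity $server `
    -AutodiscoverServiceInternalUri "https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml"
Set-WebServicesVirtualDirectory  -Identity "$server\EWS (Default Web Site)" -InternalUrl "https://$ns/EWS/Exchange.asmx"
Set-OabVirtualDirectory          -Identity "$server\OAB (Default Web Site)" -InternalUrl "https://$ns/OAB"
Set-ActiveSyncVirtualDirectory   -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$ns/Microsoft-Server-ActiveSync"
Set-OwaVirtualDirectory          -Identity "$server\owa (Default Web Site)" -InternalUrl "https://$ns/owa"
Set-EcpVirtualDirectory          -Identity "$server\ecp (Default Web Site)" -InternalUrl "https://$ns/ecp"

# Returns $true when a hostname is covered by one of the certificate's DNS names.
# A wildcard entry (*.contoso.com) only matches one label, so it covers
# mail.contoso.com but not a.b.contoso.com, which is how browsers and Outlook evaluate it.
function Test-HostCoveredByCert {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -eq $HostName) { return $true }
        if ($d.StartsWith("*.")) {
            $suffix = $d.Substring(1)     # ".contoso.com"
            if ($HostName.EndsWith($suffix) -and
                ($HostName.Split('.').Count -eq $d.Split('.').Count)) { return $true }
        }
    }
    return $false
}

# Check every internal URL on the 2010 CAS against the enabled certificate's SAN list.
function Test-InternalUrlsAgainstCert {
    param([string]$Server, [string]$Thumbprint)
    $domains = (Get-ExchangeCertificate -Thumbprint $Thumbprint).CertificateDomains |
               ForEach-Object { $_.ToString() }
    $urls = @(
        (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
        (Get-WebServicesVirtualDirectory -Server $Server).InternalUrl
        (Get-OabVirtualDirectory -Server $Server).InternalUrl
        (Get-ActiveSyncVirtualDirectory -Server $Server).InternalUrl
        (Get-OwaVirtualDirectory -Server $Server).InternalUrl
        (Get-EcpVirtualDirectory -Server $Server).InternalUrl
    )
    $ok = $true
    foreach ($u in $urls) {
        if (-not $u) { continue }
        $h = ([Uri]$u).Host
        if (-not (Test-HostCoveredByCert -HostName $h -CertDomains $domains)) {
            Write-Warning "$u : host '$h' is not covered by certificate $Thumbprint"
            $ok = $false
        }
    }
    return $ok
}

Test-InternalUrlsAgainstCert -Server $server -Thumbprint $cert.Thumbprint
```

Run the final check once after the URL changes and once more after any later namespace change; a $false result means a client will still see a name-mismatch warning for that URL even though the certificate is trusted. The wildcard matcher is also a quick way to answer point 3 for a specific deployment: feed it the existing wildcard cert's domains and each internal URL host, and any URL with a host that has more than one label under the wildcard's base domain will come back uncovered.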