
Exchange 2010 and SSL certs

Status
Not open for further replies.

dpowell1

MIS
Mar 30, 2004
57
US
I'm trying to set up Exchange 2010 and use NAT on my network. It appears that in 2010 I need two separate SSL certs, one for the public address and one for the private address. Is this the case?
 
No, especially if you're using split-brain DNS. Only one cert is needed, and it's generally a Subject Alternative Name (SAN) cert.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
What I typically do is buy a multi-name cert from either DigiCert (service) or GoDaddy (price) and put these names in it:

mail.domain.com (external FQDN people will use for ActiveSync/OWA)
autodiscover.domain.com
server.domain.local (internal FQDN)
server (internal NetBIOS name)

Make sure that the name you are going to use for external connections like Outlook Anywhere is the "common name" on the cert, usually the first name you list when you populate fields for cert names.

If you pay the same price for five names as four, add another name in there like mail2.domain.com so that if you ever need to stand up another server or do some testing, you can use the same certificate for that server without having to buy another one.

Dave Shackelford
ThirdTier.net
 
I generally do just the OWA name, such as mail.domain.com, and the autodiscover name, autodiscover.domain.com. I prefer not to expose internal server names in the cert, and with split-brain DNS, it's not needed.

My MX records will generally point to the same external IP address as the OWA name, so the mail.domain.com will be used for SMTP, including TLS.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
True, Pat. My summary doesn't apply to a split-brain environment, only to one with a private DNS suffix.

There are some significant benefits to using the same domain name internally and externally, but you have to "get" DNS to be able to set that up properly.

Dave Shackelford
ThirdTier.net
 
Also consider that putting internal server names in a cert is generally not recommended by some security engineers, since those names can be viewed.

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
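Putting Dave's name list and Pat's two refinements (external name as the CN, no internal host names in a public cert) together, here is an added example for the Exchange Management Shell; it is not code from the thread. It assumes a split-brain DNS setup, the placeholder names mail.domain.com / autodiscover.domain.com, a constructed organisation name and the constructed paths under C:\certs.

```powershell
# Added example (not from the thread): request, import and enable one SAN
# certificate for Exchange 2010. "domain.com", "Example Org" and the C:\certs
# paths are placeholders; replace them with your own values.

$externalName = 'mail.domain.com'      # Outlook Anywhere/OWA/ActiveSync name; must be the CN
$sanNames = @(
    $externalName,                     # first entry = common name
    'autodiscover.domain.com'          # Autodiscover lookup name
    # Add 'server.domain.local' and 'server' only without split-brain DNS;
    # in a public cert they disclose internal host names (Pat's point above).
)

# Sanity checks before spending money on a cert:
# - the CN must be the first SAN entry,
# - warn if any name is a private suffix or a single-label (NetBIOS) name.
if ($sanNames[0] -ne $externalName) { throw 'The external name must be the first (CN) entry.' }
$internal = $sanNames | Where-Object { $_ -like '*.local' -or $_ -notmatch '\.' }
if ($internal) { Write-Warning "Internal names would be exposed in the SAN list: $($internal -join ', ')" }

# 1. Generate the certificate request (CSR) to send to DigiCert/GoDaddy.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Example Org, CN=$externalName" `
    -DomainName $sanNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\exchange.req' -Value $csr

# 2. Import the signed certificate returned by the CA and bind it to the
#    web services (OWA, ActiveSync, Outlook Anywhere) and to SMTP/TLS, which
#    also covers the MX name when it is the same as the OWA name.
Import-ExchangeCertificate -FileData `
    ([Byte[]](Get-Content -Path 'C:\certs\exchange.cer' -Encoding Byte -ReadCount 0)) |
    Enable-ExchangeCertificate -Services IIS,SMTP

# 3. Verify which names the bound certificate actually carries.
Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } |
    Format-List Subject, CertificateDomains, Services, NotAfter
```

Run the same Get-ExchangeCertificate check after renewals: a cert whose CertificateDomains list has silently dropped the autodiscover name is a common cause of Outlook profile setup failures.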
 