Exchange 2007: Multi-Domain Certificate SANs
What Subject Alternate Names (SANs) Should I Include in an Exchange 2007 Certificate?
You need to include any name that is used to access the Exchange 2007 server. Make sure to include only the external fully qualified domain names, (e.g., owa.domain.com).
Internal Names Note: You can no longer include internal names/reserved IP address in your certificates. All publicly trusted SSL Certificates issued to internal names and reserved IP addresses will expire before November 1, 2015. See SSL Certificates for Internal Server Names.
Tips
Though we can't tell you exactly what to put in your certificate, below are some things to keep in mind:
-
The most important thing to remember is that if you do make a mistake, fixing the problem is simple. All you have to do is reissue the certificate.
You can do this at any point and can modify your names at no extra cost. Note that adding more names than the base four that come with the certificate only costs what you paid to add them.
-
Include only the external fully qualified domain names of your Exchange CAS server(s) (e.g., owa.domain.com).
-
If you are using autodiscover, make sure you include an entry for autodiscovery. Note that the autodiscover service uses autodiscover.domain.com by default.
-
If you use the same URL for OWA, Activesync, or any other service on the Exchange 2007 server and only have one CAS server, you do not need to take any extra steps.
However, if this is not the case, review the following lines:
-
If you are using different URLs, make sure to include entries for those as well.
-
If you are using more than one CAS server, make sure to include the internal fully qualified domain name of every CAS server that is involved.
-
Once you know what names you need to use in your certificate, we recommend using our Exchange 2007 CSR Wizard to create your CSR.