
Is anyone using a Wildcard Cert with Exchange 2010 please?

We currently have a bunch of individual whatever.domain.com SSL certificates, and as several are expiring soon, it would be an ideal opportunity to move to a wildcard certificate.

At some point though we will be moving from Exchange 2003 to Exchange 2010, and I've read conflicting reports over whether wildcard certs work with Exchange 2010 as many guides seem to recommend a UCC/SAN certificate.

Our internal DNS domain name is the same as our external domain name.

GoDaddy looks like good VFM given they allow use on unlimited physical servers.

Thanks in advance.

flooble
  • I'd be appreciative of any additional comments/feedback. The DigiCert Wildcard Certs with SANs look the most compatible but are pretty expensive vs. a GoDaddy Wildcard SSL, or even a combination of a GoDaddy Wildcard SSL and a separate SAN/UCC cert for the Exchange box. – flooble Oct 12 '10 at 16:30

4 Answers

2

Certs and Exchange 2010 are a headache from what I've seen so far.

We have 2010 in the lab right now and think we will be able to get away with a wildcard SSL cert for device access from the internet, and then an Enterprise CA signed machine cert (Issued by ADCS), for each 2010 server for internal access.

We are using TMG 2010 as an edge transport server, so the SSL cert will sit on there, then the connection between TMG and Ex2010 CAS will be inside the domain, so secured by the Enterprise CA.

Only got this working this morning, but I think that will work. If your CAS is handling connections from the internet then YMMV. I'll be watching this question though!

Robbo
  • Initially I suspect we'll have a single box running CAS/Mailbox roles, which we'll then expand out to add some DAG redundancy - early days and I've not really done much Exchange 2010 planning/digging yet as it's the "little things" like SSL certs that seem to be the most troublesome. – flooble Jun 18 '10 at 16:22
2

Wildcard and UC certificates were meant to accomplish 2 different things. If you have multiple domains and you are using Exchange server, then UC certificates are the way to go. If you only have differing subdomains, then wildcards will work, but this is the exception. Most of our clients at ssl.com have a number of domain names including internal server names, so UC (or SAN) certificates are the most commonly chosen ones. Also note that you can embed wildcards in a UCC if you need the flexibility of both.

As for the value of each type, each customer must derive that for themselves. Where one customer may think it's a ripoff, another may find that it saves countless hours in SSL management time. You decide.

Leo Grove
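The distinction drawn in the answer above (a wildcard covers differing subdomains, a UCC/SAN covers a list of arbitrary names) comes down to the matching rule a client applies: a `*` is only valid as the whole left-most label and matches exactly one label. The following is an added example, not code from this thread or from any Exchange tooling. It applies that rule to a constructed list of names a CAS might have to answer to, and it also includes a deliberately simplified model (an assumption, not verified against Outlook's implementation) of the `msstd:` certificate principal name comparison that Chachi's answer runs into. All hostnames are placeholders.

```python
# Added example (not from the thread): which hostnames does a given
# certificate cover, and why a wildcard alone is sometimes not enough.
# All hostnames below are constructed placeholders.


def _match_name(cert_name: str, hostname: str) -> bool:
    """Match one certificate name (CN or SAN dNSName) against a hostname.

    Uses the RFC 6125 rule: '*' is only valid as the whole left-most label
    and matches exactly one label, so '*.domain.com' covers
    'mail.domain.com' but not 'domain.com' or 'a.b.domain.com'.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ('ma*.domain.com') and '*' in any other label.
    if c_labels[0] != "*" or any("*" in lab for lab in c_labels[1:]):
        return False
    # One label per '*', and refuse '*.com'-style wildcards outright.
    if len(c_labels) != len(h_labels) or len(c_labels) < 3:
        return False
    return c_labels[1:] == h_labels[1:]


def covers(cert_names, hostname):
    """True if any name on the certificate matches the hostname."""
    return any(_match_name(n, hostname) for n in cert_names)


def uncovered(cert_names, required_hosts):
    """Hostnames in required_hosts that no name on the certificate matches."""
    return [h for h in required_hosts if not covers(cert_names, h)]


def outlook_anywhere_principal_ok(cert_cn, principal_name):
    """Simplified model (an assumption, not Outlook's actual code) of the
    'msstd:' certificate principal name check: the text after 'msstd:' is
    compared literally with the certificate's subject CN, so a wildcard CN
    needs 'msstd:*.domain.com', not 'msstd:mail.domain.com'."""
    prefix = "msstd:"
    if not principal_name.lower().startswith(prefix):
        return False
    return principal_name[len(prefix):].lower() == cert_cn.lower()


# Constructed sample: names a CAS might have to answer to.  The first three
# are the common case; the rest are deliberate edge cases.
REQUIRED = [
    "mail.domain.com",               # OWA / Outlook Anywhere / ActiveSync
    "autodiscover.domain.com",       # Autodiscover
    "exch01.domain.com",             # internal FQDN (internal DNS == external)
    "domain.com",                    # bare domain, e.g. Autodiscover's first try
    "exch01.corp.domain.com",        # what the FQDN would be with a sub-zone
    "autodiscover.otherdomain.com",  # a second accepted domain
]

WILDCARD_ONLY = ["*.domain.com"]
# A UCC with the wildcard embedded, as the answer above mentions is possible.
UCC_WITH_WILDCARD = ["*.domain.com", "domain.com",
                     "exch01.corp.domain.com", "autodiscover.otherdomain.com"]

if __name__ == "__main__":
    print("wildcard alone leaves uncovered:",
          uncovered(WILDCARD_ONLY, REQUIRED))
    print("UCC embedding the wildcard leaves uncovered:",
          uncovered(UCC_WITH_WILDCARD, REQUIRED))
    print("msstd:mail.domain.com vs CN *.domain.com:",
          outlook_anywhere_principal_ok("*.domain.com", "msstd:mail.domain.com"))
    print("msstd:*.domain.com vs CN *.domain.com:",
          outlook_anywhere_principal_ok("*.domain.com", "msstd:*.domain.com"))
```

Run it and the wildcard-only list comes back with the bare domain, the deeper internal FQDN and the second domain uncovered, which is exactly the set of cases where a UCC/SAN (possibly with the wildcard embedded) is needed rather than a wildcard on its own; with a flat internal zone that matches the external one, as in the question, the server FQDN is covered by the wildcard.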
1

The only real issue we've had so far is with certain Outlook clients. We basically had to add a setting to specify the cert and it worked:

http://technet.microsoft.com/en-us/library/cc535023(EXCHG.80).aspx

It seems that autodiscover would set the cert name to blah.domain.com and Outlook complains since it doesn't match *.domain.com. If you set the above in the Outlook client manually, it goes through. Note - we have not completed our migration yet from Exch 2003 so we might run into more issues. This is the only one so far though.

Chachi
0

wildcard ssl certificate - exchange 2010 - POP/IMAP problem

Exchange Certificates Don't Match Up

Maybe the above links might help.

Mutahir
  • They do thanks, but I've not yet seen a satisfactory explanation of *exactly* when/why you may need a dedicated UCC/SAN cert for Exchange 2010 over a wildcard cert. It almost seems to be lots of cases of "We couldn't get a wildcard to work, we got a UCC/SAN and it started working". – flooble Jun 18 '10 at 16:21
  • You can go with a UCC/SAN when you are certain of your domain names. If you are a service provider then one should use a wildcard certificate. Microsoft Exchange Online uses a wildcard certificate. – Mutahir Jun 28 '10 at 08:17