question

jeffmcnabney-8287 asked:

How does Exchange 2016 manage multiple SSL certificates and services?

Exchange 2016 installation has 5 certificates installed: 3 default (one self-signed), one cert from the onsite CA, and one SSL cert from a 3rd party CA. One default cert has no services assigned to it. The certificate from the onsite CA and the default EX self-signed certs have IIS, POP, IMAP and SMTP assigned. The cert from the external CA has only IMAP, POP and SMTP... but I need to put IIS on there for OWA and ActiveSync.

I'm not clear on how EXCH manages the certificates and the services assigned to them. My concern is that in the event there is an error with the namespace scheme on the 3rd party certificate or with the split DNS, and I assign IIS to it, it will start spewing security errors with OWA, the Outlook client and mobile devices. IIS is already assigned to 2 other certs as well, so how does it handle which one to use? Or does it reference all of them?

Historically, when the certificate from the onsite AD CA gets renewed, all the remote mobile devices indicate that there is a certificate error because they can't resolve back to the local site, which would indicate it's using the certificate from the local AD CA, not the EX self-signed one. So how does it determine which one to use if the same services are applied across multiple certs?


1 Answer

AndyDavid answered:

IIS can only be assigned to one cert on the Front End.

The "Microsoft Exchange" self-signed certificate is assigned to IIS on the Back End Web Site.

Good to know. Then if I assign IIS to the 3rd party cert, it will move the service from the onsite cert to the 3rd party cert. If it arises that there are some issues, I can move the service back to the onsite cert?

And the POP/IMAP/SMTP services are still applied to both the onsite CA and 3rd party CA certs. This is OK?

AndyDavid (replying to jeffmcnabney-8287):

Correct, if you assign IIS to one cert, you can re-assign it to another and re-assign again if there are any issues. It's like a toggle.

The other services are OK applied to both, though POP and IMAP should really only be applied to one cert at a time.

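The procedure discussed above (inventory the certificates, check which one the Front End actually serves, move IIS, verify), as an added Exchange Management Shell example that is not code from the thread. The thumbprint, the host names and the `Get-BoundCertHash` helper are assumptions; the Exchange and IIS cmdlets are standard.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on
# the Exchange 2016 server. Thumbprint and host names below are placeholders.
$TargetThumbprint = 'REPLACE_WITH_THIRD_PARTY_CERT_THUMBPRINT'
$NamesClientsUse  = @('mail.example.com', 'autodiscover.example.com')  # placeholders

# 1. Inventory: which services each certificate is enabled for. The self-signed
#    "Microsoft Exchange" cert also lists IIS because it serves the Back End site.
Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, Services, NotAfter, IsSelfSigned |
    Format-Table -AutoSize

# 2. Clients only ever see the cert bound to the Front End site on 443; the
#    Back End site on 444 keeps the self-signed cert. Helper is an assumption.
Import-Module WebAdministration
function Get-BoundCertHash([string]$Site, [int]$Port) {
    $b = Get-WebBinding -Name $Site -Protocol https |
         Where-Object { $_.bindingInformation -like "*:${Port}:*" } |
         Select-Object -First 1
    if ($b) { $b.certificateHash } else { '(no https binding)' }
}
"Front End (Default Web Site:443) uses: $(Get-BoundCertHash 'Default Web Site' 443)"
"Back End  (Exchange Back End:444) uses: $(Get-BoundCertHash 'Exchange Back End' 444)"

# 3. Pre-flight: the target cert must be unexpired and cover every name OWA and
#    ActiveSync clients connect to, otherwise they get certificate warnings.
#    (Exact-name check; a wildcard SAN would need a pattern match instead.)
$cert = Get-ExchangeCertificate -Thumbprint $TargetThumbprint
if ($cert.NotAfter -lt (Get-Date)) { throw 'Target certificate has expired.' }
$missing = $NamesClientsUse | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { throw "Target certificate does not cover: $($missing -join ', ')" }

# 4. Move IIS. Only one cert holds the Front End binding, so this replaces the
#    previous one; running it again with the old thumbprint toggles it back.
Enable-ExchangeCertificate -Thumbprint $TargetThumbprint -Services IIS -Confirm:$false

# 5. Verify the Front End binding now matches the target before testing clients.
$now = Get-BoundCertHash 'Default Web Site' 443
if ($now -ne $TargetThumbprint) { throw "Binding still uses $now; inspect IIS bindings." }
"Front End now uses $now"
```

Step 2 is the check that answers the original question: whatever `Services` shows on several certificates, the hash on the port 443 binding is the single certificate remote OWA and ActiveSync clients are presented with.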