question

0 Votes
FNULNU-6818 asked AndyDavid answered

Multiple certificates on Exchange 2019 server

At the moment, one certificate has been installed, which contains all domain names for the Exchange server and for other services using this certificate.

We would like to simplify this certificate and issue a cheaper one.

The server now has a certificate for the following domain names:

smtp.domainA.com
mail.domainA.com
autodiscover.domainA.com
exchange01.domainA.com

siteA.domainA.com
siteB.domainA.com
siteC.domainA.com
othersiteA.domainA.com
othersiteB.domainA.com
othersiteC.domainA.com

autodiscover.domainB.com this is SRV record -> mail.domainB.com
mail.domainB.com this is CNAME record -> mail.domainA.com

autodiscover.domainC.com this is SRV record -> mail.domainC.com
mail.domainC.com this is CNAME record -> mail.domainA.com

autodiscover.domainD.com this is SRV record -> mail.domainD.com
mail.domainD.com this is CNAME record -> mail.domainA.com

So there is no sense in having such a certificate; if I'm right, one wildcard *.domainA.com certificate will be enough.

Hmm, users will get an error like untrusted certificate because it will not contain autodiscover.domainB.com, autodiscover.domainC.com, autodiscover.domainD.com :( What can I do in this case?

Thank you.





Tags: office-exchange-server-administration, office-exchange-server-mailflow, office-exchange-server-connectivity

2 Votes
AndyDavid answered FNULNU-6818 commented

It's just one certificate; some Cert Authorities issue those.
I wouldn't do that though. I would just have a regular SAN Certificate with all the subject names needed.

You probably don't need:

smtp.domainA.com (you can set the connector FQDNs to mail.domaina.com)

and you probably don't need:

exchange01.domainA.com





Thank you.

Yes, that's what I thought.
1) One multi-domain certificate for Exchange with names
mail.domainA.com
mail.domain.com
mail.domainA.com
mail.domainA.com

change the autodiscover URL so it looks like mail.domainA.com/autodiscover and take away smtp.domainA.com, exchange01.domainA.com ...

It turns out 4 names; multi-domain allows 3 free names, ~$400 + $49 for each additional subject name. This cert is for Exchange only.

2) Separate wildcard certificate for other services. I don't know how many names there will be in future; it is better to issue one certificate for all *.domainA.com, ~$450 (not for Exchange).

3) The client's current certificate is EV. As I found out, EV cannot be a wildcard, so if the customer really needs such a certificate, he can issue it additionally for his site mainsite.domainA.com, or use the same wildcard if he doesn't need an EV cert.

Looks good?

0 Votes
0 Votes
AndyDavid answered FNULNU-6818 commented

That won't work.
You need a cert with subject names that cover:

mail.domainB.com
mail.domainC.com
mail.domainD.com

Clients will connect to the CNAMEs.


0 Votes
AndyDavid answered FNULNU-6818 edited

If the autodiscover record is:
mail.domainB.com/autodiscover
mail.domainC.com/autodiscover
mail.domainD.com/autodiscover

then you need

mail.domainB.com
mail.domainC.com
mail.domainD.com

I would also add the domainA.com records if they are needed.
You can have a Wildcard + SAN Certificate, but that may be pretty expensive.

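To make the answer's point concrete, here is an added example (not from the thread, and not Microsoft's or any vendor's code) that models which host names an Exchange certificate must carry and checks a candidate SAN list against them. It uses the domain names and the SRV/CNAME records from the question as constructed sample data; the two candidate certificate SAN lists and the helper names (`client_facing_names`, `san_matches`, `uncovered`) are assumptions for illustration.

```python
"""Model of which DNS names an Exchange certificate must cover.

Added example, not from the thread. The domain names and DNS records below
are the constructed ones from the question; the candidate SAN lists are
assumed for illustration.
"""
from __future__ import annotations

# Constructed DNS records from the question: the Autodiscover SRV record of
# each domain points clients at a host name, and that host name is a CNAME
# to the real Exchange server name.
SRV: dict[str, str] = {
    "domainB.com": "mail.domainB.com",
    "domainC.com": "mail.domainC.com",
    "domainD.com": "mail.domainD.com",
}
CNAME: dict[str, str] = {
    "mail.domainB.com": "mail.domainA.com",
    "mail.domainC.com": "mail.domainA.com",
    "mail.domainD.com": "mail.domainA.com",
}

# Names clients use directly for the primary domain (from the question).
PRIMARY = ["mail.domainA.com", "autodiscover.domainA.com"]

# Two candidate certificates (assumed): the wildcard the asker proposed and
# a SAN certificate that names every client-facing host explicitly.
WILDCARD_ONLY = ["*.domainA.com"]
SAN_CERT = [
    "mail.domainA.com",
    "autodiscover.domainA.com",
    "mail.domainB.com",
    "mail.domainC.com",
    "mail.domainD.com",
]


def client_facing_names(primary: list[str], srv: dict[str, str],
                        cname: dict[str, str]) -> set[str]:
    """Return the host names a client will validate the certificate against.

    A CNAME is followed only while resolving an address; TLS validation uses
    the name the client asked for, so the alias (not the canonical target)
    must be in the certificate. An SRV record hands the client a host name
    that it then connects to directly, so that host is required as well.
    """
    needed = set(primary)
    needed.update(srv.values())
    needed.update(cname.keys())
    return needed


def san_matches(san: str, host: str) -> bool:
    """Match one SAN entry against a host; a wildcard covers exactly one
    leftmost label (the usual RFC 6125 rule), so *.domainA.com matches
    mail.domainA.com but neither domainA.com nor a.b.domainA.com."""
    san, host = san.lower(), host.lower()
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]  # ".domaina.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]
    return bool(left) and "." not in left


def uncovered(cert_sans: list[str], required: set[str]) -> set[str]:
    """Required names that no entry in the certificate's SAN list covers."""
    return {h for h in required
            if not any(san_matches(s, h) for s in cert_sans)}


REQUIRED = client_facing_names(PRIMARY, SRV, CNAME)

if __name__ == "__main__":
    for label, cert in (("wildcard only", WILDCARD_ONLY), ("SAN cert", SAN_CERT)):
        missing = sorted(uncovered(cert, REQUIRED))
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Running it reports the wildcard-only certificate as missing mail.domainB.com, mail.domainC.com and mail.domainD.com, while the SAN certificate covers everything. The CNAME records change nothing here: the client validates the name it was told to connect to, which is why the B, C and D names have to appear in the certificate on the one server, as the answer says.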

Yes, I need to and must add domainA.com; this is the main domain name for Exchange.
But how can I add more than one certificate on one server? Wildcard + SAN - it will be two certificates, and there is no way to add two to one Exchange server.


It is not possible to specify your own certificate for each virtual directory URL, for example *.domainA.com for mail.domainA.com and another certificate for the other names B, C, D.
Or am I wrong?

0 Votes
0 Votes
AndyDavid answered

Yes, I would go with that :)
