Certificate requirements for hybrid deployments

In a hybrid deployment, digital certificates are an important part of securing the communication between the on-premises Exchange organization and Office 365. Certificates enable each Exchange organization to trust the identity of the other, and they help ensure that each organization is communicating with the right endpoint.

In a hybrid deployment, many services make use of certificates:

  • Azure Active Directory Connect (Azure AD Connect) with Active Directory Federation Services (AD FS): If you choose to deploy Azure AD Connect with AD FS as part of your hybrid deployment, a certificate issued by a trusted third-party certificate authority (CA) is used to establish trust between web clients and federation server proxies, to sign security tokens, and to decrypt security tokens.

    Learn more at Certificates.

  • Exchange federation: A self-signed certificate is used to create a secure connection between the on-premises Exchange servers and the Azure Active Directory authentication system.

    Learn more at Understanding Federated Delegation.

  • Exchange services: Certificates issued by a trusted third-party CA are used to help secure Secure Sockets Layer (SSL)/TLS communication between Exchange servers and clients. Services that use certificates include Outlook on the web, Exchange ActiveSync, Outlook Anywhere, and secure message transport.

  • Existing Exchange servers: Your existing Exchange servers may already use certificates to help secure Outlook on the web, message transport, and so on. Depending on how you use certificates on your Exchange servers, these might be self-signed certificates or certificates issued by a trusted third-party CA.

Certificate requirements for a hybrid deployment

When configuring a hybrid deployment, you must use and configure certificates purchased from a trusted third-party CA. The certificate used for hybrid secure mail transport must be installed on all on-premises Mailbox servers (Exchange 2016 and newer) and on all Mailbox and Client Access servers (Exchange 2013 and older).

Important

If you're configuring a hybrid deployment in an organization that has Exchange servers deployed in multiple Active Directory forests, you must use a separate third-party CA certificate for each Active Directory forest.

When Exchange Edge Transport servers are deployed in the on-premises organization, this certificate must also be installed on all Edge Transport servers. Every transport server must use a certificate with the same issuing CA and the same subject for hybrid secure mail to function correctly, because the hybrid mail flow connectors identify the certificate by its issuer and subject (the TlsCertificateName setting) rather than by thumbprint.
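The following is an added example, not part of the original article, that checks these requirements from the Exchange Management Shell: it looks up the hybrid certificate on every transport server, flags servers where it is missing, not bound to SMTP or close to expiry, verifies that a single issuer is in use, and compares the issuer/subject pair against the TlsCertificateName on the hybrid Send connector. The subject CN=contoso.com and the connector name pattern 'Outbound to Office 365*' (the Hybrid Configuration Wizard default) are assumptions; adjust them to your environment.

```powershell
# Added example (not from the original article): verify the hybrid mail flow
# certificate on every on-premises transport server.
# Assumptions: subject is "CN=contoso.com"; hybrid Send connector is named
# "Outbound to Office 365*" (Hybrid Configuration Wizard default).

$ExpectedSubject = 'CN=contoso.com'   # assumed subject of the hybrid certificate
$WarnDays        = 30                 # warn when fewer days of validity remain

# Mailbox (2016+), Mailbox/CAS (2013) and Edge Transport servers all run the
# transport service. Edge servers are not domain-joined, so the remote lookup
# below will not reach them; run the same check locally on each Edge server.
$transportServers = Get-ExchangeServer |
    Where-Object { $_.IsMailboxServer -or $_.IsClientAccessServer -or $_.IsEdgeServer }

$report = foreach ($srv in $transportServers) {
    # Newest certificate with the expected subject on this server, if any
    $cert = Get-ExchangeCertificate -Server $srv.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -eq $ExpectedSubject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1

    [pscustomobject]@{
        Server     = $srv.Name
        Found      = [bool]$cert
        Issuer     = $cert.Issuer
        Thumbprint = $cert.Thumbprint
        SmtpBound  = if ($cert) { [bool]($cert.Services -match 'SMTP') } else { $false }
        DaysLeft   = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null }
    }
}

$report | Format-Table -AutoSize

# Requirement: one issuing CA and one subject across all transport servers.
$issuers = $report | Where-Object Found | Select-Object -ExpandProperty Issuer -Unique
if ($issuers.Count -ne 1) {
    Write-Warning "Certificate issuers differ across servers: $($issuers -join '; ')"
}
$report | Where-Object { -not $_.Found } |
    ForEach-Object { Write-Warning "$($_.Server): hybrid certificate not installed" }
$report | Where-Object { $_.Found -and -not $_.SmtpBound } |
    ForEach-Object { Write-Warning "$($_.Server): certificate not enabled for SMTP" }
$report | Where-Object { $_.Found -and $_.DaysLeft -lt $WarnDays } |
    ForEach-Object { Write-Warning "$($_.Server): certificate expires in $($_.DaysLeft) days" }

# The hybrid connectors pin the certificate as "<I>issuer<S>subject", which is
# why issuer and subject must match on every server. Compare the Send connector
# against the issuer/subject pair found above.
$expectedId = "<I>$($issuers | Select-Object -First 1)<S>$ExpectedSubject"
Get-SendConnector | Where-Object { $_.Name -like 'Outbound to Office 365*' } |
    ForEach-Object {
        if ("$($_.TlsCertificateName)" -ne $expectedId) {
            Write-Warning "$($_.Name): TlsCertificateName '$($_.TlsCertificateName)' does not match '$expectedId'"
        }
    }
```

Run it after installing or renewing the certificate and after every Hybrid Configuration Wizard run; a renewed certificate from the same CA with the same subject keeps the connector binding valid, while a certificate from a different CA or with a changed subject requires the connectors to be updated.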

Multiple services, such as AD FS, Exchange federation, and Exchange services, each require certificates. Depending on your organization, you may decide to do one of the following:

  • Use a single third-party certificate shared by all services across multiple servers.

  • Use a third-party certificate for each server that provides services.

Whether you choose the same certificate for all services or a dedicated certificate for each service depends on your organization and the services you're implementing. Here are some things to consider about each option:

  • Third-party certificate across multiple servers: A single third-party certificate used by services across multiple servers may be slightly cheaper to obtain, but it complicates renewal and replacement: when the certificate needs to be replaced, you must replace it on every server where it's installed. Because the same private key is exported to every one of those servers, a compromise of any one of them exposes the key for all.

  • Third-party certificate for each server: Using a dedicated certificate for each server that hosts services lets you configure the certificate specifically for the services on that server. If you need to replace or renew the certificate, you only need to do so on the server where those services are installed; other servers aren't affected.

We recommend that you use a dedicated third-party certificate for any optional AD FS server, another certificate for the Exchange services in your hybrid deployment, and, if needed, another certificate on your Exchange servers for other required services or features. The on-premises federation trust configured as part of federated sharing in a hybrid deployment uses a self-signed certificate by default. Unless you have specific requirements, there's no need to use a third-party certificate for the federation trust configured as part of a hybrid deployment.

The services installed on a single server may require you to configure multiple fully qualified domain names (FQDNs) for that server. Purchase a certificate that allows for the maximum number of FQDNs you require. A certificate consists of a subject (also called the principal name) and one or more subject alternative names (SANs). The subject name is the FQDN the certificate is issued to and should use the primary SMTP domain shared between the on-premises and Exchange Online organizations. SANs are additional FQDNs added to the certificate alongside the subject name. Note that current TLS clients match the server name against the SAN list and ignore the subject's common name, so the subject's FQDN must also appear in the SAN list; public CAs normally add it there automatically and count it as one of the purchased names. If you need a certificate to support five FQDNs, purchase a certificate that allows five names to be added: one subject name and four SANs.

The following table outlines the minimum suggested FQDNs that should be included on certificates configured for use in a hybrid deployment.

| Service | Suggested FQDN | Field |
|---|---|---|
| Primary shared SMTP domain | contoso.com | Subject name |
| Autodiscover | Label that matches the external Autodiscover FQDN of your Client Access (Exchange 2013) or Mailbox (Exchange 2016 and newer) servers, such as autodiscover.contoso.com | Subject alternative name |
| Transport | Label that matches the external FQDN of your Edge Transport servers, such as edge.contoso.com | Subject alternative name |
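As an added example (not from the original article), the sequence below requests a certificate whose subject is the shared SMTP domain and whose SANs cover the Autodiscover and Edge Transport names from the table, completes the request once the CA returns the certificate, binds it to SMTP, and copies the identical certificate to the remaining transport servers so that issuer, subject and thumbprint match everywhere. The server names EX01 to EX03, the UNC paths, the organization details in the subject and the friendly name are assumptions.

```powershell
# Added example (not from the original article): request, import, enable and
# replicate the hybrid certificate from the Exchange Management Shell.
# Assumptions: Mailbox servers EX01-EX03, a file share \\fileserver\certs,
# and the organization details in $Subject.

$Subject  = 'C=US, O=Contoso, CN=contoso.com'    # assumed organization details
$SanNames = @(
    'contoso.com'                # repeat the subject FQDN: clients match the
    'autodiscover.contoso.com'   # host name against the SAN list, not the CN
    'edge.contoso.com'
)
$ReqPath = '\\fileserver\certs\hybrid.req'       # assumed share reachable from EX01
$CerPath = '\\fileserver\certs\hybrid.cer'       # CA-issued certificate, same share

# 1. Generate the request on one Mailbox server. The private key must be
#    exportable so the same certificate can be installed on the other servers.
$request = New-ExchangeCertificate -Server 'EX01' -GenerateRequest `
    -SubjectName $Subject -DomainName $SanNames -KeySize 2048 `
    -PrivateKeyExportable $true -FriendlyName 'Contoso Hybrid Mail Flow'
[System.IO.File]::WriteAllBytes($ReqPath, [System.Text.Encoding]::Unicode.GetBytes($request))

# 2. After the CA returns hybrid.cer, complete the pending request on EX01 and
#    bind the certificate to the transport (SMTP) service. When asked whether
#    to overwrite the default SMTP certificate, answer No: the self-signed
#    default stays in place for internal server-to-server transport.
$cert = Import-ExchangeCertificate -Server 'EX01' -PrivateKeyExportable $true `
    -FileData ([System.IO.File]::ReadAllBytes($CerPath))
Enable-ExchangeCertificate -Server 'EX01' -Thumbprint $cert.Thumbprint -Services SMTP

# 3. Export with the private key and import the identical certificate on every
#    other transport server, then bind it to SMTP there as well.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$pfx = Export-ExchangeCertificate -Server 'EX01' -Thumbprint $cert.Thumbprint `
    -BinaryEncoded -Password $pfxPassword
foreach ($srv in 'EX02', 'EX03') {               # assumed remaining Mailbox servers
    Import-ExchangeCertificate -Server $srv -FileData $pfx.FileData `
        -Password $pfxPassword -PrivateKeyExportable $true | Out-Null
    Enable-ExchangeCertificate -Server $srv -Thumbprint $cert.Thumbprint -Services SMTP
}

# 4. Confirm the issued certificate carries every FQDN the table calls for.
$missing = $SanNames | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) {
    Write-Warning "Certificate lacks SANs: $($missing -join ', ')"
} else {
    Write-Output "Certificate $($cert.Thumbprint) covers all required names."
}
```

Keep the PFX and its password out of the file share once the import is finished; step 3 is the point at which the shared private key leaves the first server, so treat the exported file as a credential rather than as a configuration artifact.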