Microsoft Exchange and Blackberry Server Specialists

Exchange 2010 SSL Certificates

On this Page

  • Introduction
  • What are SSL Certificates Used for with Exchange?
  • SSL Certificate Considerations
  • Certificate Types
  • Host Names
  • Requesting, Installing and Enabling SSL Certificates

Introduction

As with Exchange 2007, SSL certificates are very important for the operation of Exchange 2010, and are a major pain point for Exchange administrators.

The self-signed SSL certificate that is installed with Exchange 2010 should be considered a placeholder, used only until you can get a commercially signed SSL certificate in place. Furthermore, it isn't supported for use with Outlook Anywhere or ActiveSync.

What are SSL Certificates Used for with Exchange?

The SSL certificate is used in a number of places:

  • Outlook Web Access, Outlook Mobile Access
    The web browser interface for Exchange.
  • ActiveSync
    The mobile synchronisation method.
  • Web Services
    This is mainly used by Mac clients.
  • Autodiscover
    Used by Outlook 2007 and higher for configuration information. It also tells Outlook where the Availability service is, so if Autodiscover is not working correctly, Free/Busy information and Out of Office may not work correctly either.
  • SMTP Traffic
    Exchange 2010 supports opportunistic TLS, which means that if both servers support it, the email will be transferred using TLS.

During a migration, it is also common to include the "legacy" host name in the SSL request and use the same SSL certificate for both the new and old deployment.

SSL Certificate Considerations

For any certificates that expire after November 1st 2015, the SSL issuing guidelines change, meaning that you need to take particular care with the internal DNS configuration.
In the past, you could include the server's real name in the SSL certificate request. Internal-only names (such as host.local) will no longer be permitted on SSL certificates from commercial providers, which means a split DNS system is required.

Certificate Types

SSL certificates used with Exchange come in three main types.

  1. Standard, or single name SSL certificates.
    These are the cheapest kind, and cover just one host name, e.g. host.example.com.
    However, to use them you will have to support SRV records in your external DNS so that you can set up Autodiscover records.
  2. Wildcard SSL certificates.
    These allow any host name in a certain domain to be used; they are in the format *.example.com.
    They are not usually advised for Exchange servers, as they can cause problems with ActiveSync and Outlook Anywhere.
  3. Unified Communications (UC or UCC) or Subject Alternative Name (SAN) Certificates.
    These are the preferred type of SSL certificate for Exchange. They allow multiple host names to be served by the same SSL certificate on the same site. They are not to be confused with wildcard certificates, as the specific host names are listed. Furthermore, these host names do not have to be in the same domain; for example, you could include autodiscover.example.com and autodiscover.example.co.uk.

SSL providers charge in different ways for the different certificate types. Watch for charges for additional host names and for additional server installations.
Our provider, https://certificatesforexchange.com/, does not charge for additional server installations and sells the UCC type in blocks of five host names.

Host Names

On a single server deployment, your SSL request can be just two host names:

  • host.example.com
    This is your common name, and would be used by everything in the list above.
  • autodiscover.example.com
    This is the Autodiscover host name, and is one of the addresses queried automatically by Outlook 2007 and higher.

You do not need to, and should not, include the RPC CAS Array host name. The RPC CAS Array host name should be a unique name that does not resolve externally.
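The following added example (not code from the original page) ties together the certificate types, the post-2015 rule on internal names, and the two-host-name request above. It models single-name, wildcard and SAN/UCC certificates, applies RFC 6125-style name matching so the wildcard's limits are visible (it covers one label only, and never a different domain such as example.co.uk), and vets a proposed request for names a commercial provider will refuse. host.example.com, autodiscover.example.com, autodiscover.example.co.uk and the "legacy" name come from the page; the internal-suffix list and the exch01 / exch01.corp.local names are constructed for illustration.

```python
# Added example, not from the original page: which Exchange host names does
# each certificate type actually cover, and which names must stay out of the
# request once commercial CAs stop issuing for internal-only names?
from dataclasses import dataclass

# Constructed, non-exhaustive list of suffixes a public CA will not issue for.
INTERNAL_SUFFIXES = (".local", ".lan", ".internal", ".corp", ".localdomain")


def normalise(name: str) -> str:
    return name.strip().lower().rstrip(".")


def is_internal_name(name: str) -> bool:
    """True for names a commercial provider refuses under the post-2015 rules:
    a bare host name with no dot, or a name under a non-public suffix."""
    n = normalise(name)
    return "." not in n or n.endswith(INTERNAL_SUFFIXES)


def name_matches(cert_name: str, hostname: str) -> bool:
    """RFC 6125-style matching: exact match, or a wildcard that is the whole
    leftmost label and stands in for exactly one label, so *.example.com
    covers host.example.com but neither example.com nor a.b.example.com."""
    c, h = normalise(cert_name), normalise(hostname)
    if c == h:
        return True
    if c.startswith("*."):
        head, sep, tail = h.partition(".")
        return sep == "." and head != "" and tail == c[2:]
    return False


@dataclass(frozen=True)
class Certificate:
    kind: str      # "single", "wildcard" or "san" (UCC)
    names: tuple   # subject CN plus any subjectAltName DNS entries

    def covers(self, hostname: str) -> bool:
        return any(name_matches(n, hostname) for n in self.names)


def coverage_report(cert: Certificate, required: list) -> dict:
    """Map each required host name to whether the certificate covers it."""
    return {h: cert.covers(h) for h in required}


def vet_request(names: list) -> list:
    """Return the names a commercial provider would reject from a request."""
    return [n for n in names if is_internal_name(n)]


# The two names a single-server deployment needs on its certificate.
REQUIRED = ["host.example.com", "autodiscover.example.com"]

SINGLE = Certificate("single", ("host.example.com",))
WILDCARD = Certificate("wildcard", ("*.example.com",))
UCC = Certificate("san", ("host.example.com", "autodiscover.example.com",
                          "autodiscover.example.co.uk", "legacy.example.com"))

if __name__ == "__main__":
    for cert in (SINGLE, WILDCARD, UCC):
        print(cert.kind, coverage_report(cert, REQUIRED))
    # Constructed request mixing a public name, a bare server name and a .local name.
    print("rejected:", vet_request(["host.example.com", "exch01", "exch01.corp.local"]))
```

The single-name report shows autodiscover.example.com uncovered, which is exactly why that certificate type needs an external SRV record pointing Autodiscover at host.example.com instead; the wildcard report looks complete for example.com yet fails for autodiscover.example.co.uk, while the UCC lists every name explicitly and covers both domains.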

Requesting, Installing and Enabling SSL Certificates