Coexist Private SAN certificate with 3rd party verisign certificate together in same Exchange 2010 C

  • Thread starter Joe Tam
Status
Not open for further replies.
Joe Tam

Dear Sir,
Our customer is using an Exchange 2010 server which was configured to use a private SAN certificate for clients (OWA, Outlook Anywhere, push mail and Office Outlook); everything is working fine.
Now they would like to obtain a single-hostname public VeriSign certificate to replace their existing certificate for OWA webmail, so that the boss / customer will not have a security warning problem when using webmail on a public machine. But the other functions (Outlook Anywhere, push mail, Office Outlook) will remain on the private SAN certificate.
Is it possible for both certificates to coexist, or must all configuration be changed from the private SAN cert to the single-hostname certificate? (Because there are many changes in the autodiscover settings.)
If not, is the procedure to remove the private SAN certificate and then reconfigure with the single certificate setting? Is there any documentation on it?

Joe
 
Busbar [MVP]

You will need to assign the CAS server another IP, create a website that works on that IP, configure the OWA virtual directory on it and assign the SSL certificate to that website.

There is no way to assign 2 certs on the same website unless you use a different port, which will affect binding and make OWA not work.

Regards, Mahmoud Magdy
 
Sembee [MVP]

The best option would be to use a single SAN/UC certificate. There are many other choices than Verisign's overpriced certificates for this task. GoDaddy are the cheapest source, Digicert certificates work well, both are more cost effective than Verisign.
If you attempt to add an additional web site to the server and add an additional certificate you will actually cause more problems because Outlook attempts to connect to the machine's FQDN, which will be registered with the internal DNS on both IP addresses. That will then generate SSL certificate warnings internally.

A single SAN/UC certificate is the best way to go here for a completely trouble-free deployment. Anything else will provide unpredictable results.

Simon.

Simon Butler, Exchange MVP
Blog | Exchange Resources
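
The name-coverage issue behind the replies above, as an added example that is not part of the original thread: it checks which client-facing host names a certificate's SAN list covers, comparing a single-hostname certificate with a SAN/UC one. All host names are constructed placeholders, and the assumption that Outlook Anywhere and push mail share the OWA name is mine, not the poster's.

```python
# Added example: which client-facing names does a certificate's SAN list cover?
# Every host name below is a constructed placeholder.

def _norm(name):
    return name.strip().rstrip(".").lower()

def name_covered(host, san_list):
    """True if host matches a SAN entry exactly or via a left-most wildcard."""
    host = _norm(host)
    for san in san_list:
        entry = _norm(san)
        if entry == host:
            return True
        if entry.startswith("*."):
            suffix = entry[1:]  # "*.example.com" -> ".example.com"
            left = host[:-len(suffix)] if host.endswith(suffix) else ""
            # A wildcard stands for exactly one label, never zero or several.
            if left and "." not in left:
                return True
    return False

def uncovered(client_names, san_list):
    """Services whose host name would raise a certificate name warning."""
    return sorted(svc for svc, host in client_names.items()
                  if not name_covered(host, san_list))

# Names each client type connects to (constructed for illustration).
CLIENT_NAMES = {
    "OWA": "mail.example.com",
    "Outlook Anywhere": "mail.example.com",
    "ActiveSync (push mail)": "mail.example.com",
    "Autodiscover": "autodiscover.example.com",
    "Internal Outlook (server FQDN)": "cas01.corp.example.com",
}
SINGLE_NAME_CERT = ["mail.example.com"]
SAN_UC_CERT = ["mail.example.com", "autodiscover.example.com",
               "cas01.corp.example.com"]

if __name__ == "__main__":
    for label, sans in (("single-name", SINGLE_NAME_CERT), ("SAN/UC", SAN_UC_CERT)):
        print(label, "leaves uncovered:", uncovered(CLIENT_NAMES, sans) or "nothing")
```

To audit a real deployment, replace the constructed names with the host names your clients actually use and the SAN list with the entries from the certificate bound to the site.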
 
Joe Tam

Dear Busbar,
Thank you for your information. I understand that the same website with the same port number cannot be configured with 2 SSL certificates.

Dear Sembee,
Do you know whether there is any SAN/UC certificate provider which can have trial SSL for testing?

Joe
 
Sembee [MVP]

I am not aware of any provider offering UC certificates for testing purposes.

Someone may suggest one of the free providers - FreeSSL or similar - but their trust level isn't that comprehensive, meaning that they aren't much better than a self-signed certificate.

Simon.

Simon Butler, Exchange MVP
Blog | Exchange Resources
 
Brian Day MCITP

"Do you know whether there is any SAN/UC certificate provider which can have trial SSL for testing?"

Talk to a few vendors, some of them will refund your $ if you revoke the cert within a certain time period.

Microsoft Premier Field Engineer, Exchange
MCSA 2000/2003, CCNA
MCITP: Enterprise Messaging Administrator 2010
Former Microsoft MVP, Exchange Server
My posts are provided "AS IS" with no guarantees, no warranties, and they confer no rights.
 