General Certificate Questions... can I fix this? Exchange 2007
I am trying to resolve ongoing certificate problems at a small company. It has one Exchange 2007 Mailbox role server on a domain controller that also has the Hub Transport and CAS roles. We have one certificate, and it is not a UCC type. I believe all we have is mail.xxx.com. This does not match the name of our mail server, and as a result our internal clients are getting the error about the internal server name not matching our security certificate.

The first thing I want to do is fix the errors. Can I do this by just generating a new certificate internally, or do I need to buy a UCC certificate?

Obviously the current environment is not ideal. What I'd like to do is ultimately convert the environment into one where there are two Exchange Mailbox servers and two CAS/Hub dual-role servers, neither of which will reside on a domain controller. I'd like to avoid buying a UCC certificate if possible. We have mail.xxxx.com registered for several more years. I'd like to use that for OWA and for external SMTP communications, and use internal certificates if I can to fix the current problem and for the new server builds. So is it possible to use internal certs on all servers, or do they require ones provided by NetSol/GoDaddy/etc.? I also don't want to break anything with the certificate change. Thanks.
November 28th, 2010 3:47pm

It is recommended to use a UCC cert with multiple names. But there is a way to use a single-name cert on a single server. See this article: http://www.amset.info/exchange/singlenamessl.asp

Tim Harrington - Catapult Systems - http://HowDoUC.blogspot.com
November 28th, 2010 4:34pm

Is it OK if the single name cert does not match the single server's name? I appreciate the link and will give it a try. I thought I could just create certificates internally that would take care of the problem for the internal clients.
November 29th, 2010 3:14am

It is OK that it doesn't have the internal server name; the most important thing is the external name, which yours has. If you follow the guide it will change the internal URLs on the Exchange services, which means that all entries point to mail.domain.com instead of to specific server names. But that being said, the best option is really a UCC cert with multiple names, and they are not that expensive anymore.

/Martin
Exchange is a passion, not just collaboration software.
November 29th, 2010 5:41am

I guess that is what I'm confused by. I have found three possible solutions:

1) Split the DNS and make the changes as shown here: http://www.amset.info/exchange/singlenamessl.asp I'm not clear why I would need to split the DNS as opposed to just putting in an alias or other record.

2) Get a UCC certificate. My concern is breaking the website and other non-Exchange resources relying on the current certificates.

3) Create new certificates with the CA. I'm not clear on why I can't do this, but it sounds like it would make the internal problem go away but could potentially break the external OWA users: http://blogs.microsoft.co.il/blogs/roneng/archive/2008/03/20/create-certificate-for-exchange-2007-servers-using-windows-ca.aspx

I'm not sure which direction to go, and I appreciate all the help. I'd like to do this the right way and without breaking anything. We're also going to go to 2010 soon, and I was thinking I could hold off until then as well.
November 30th, 2010 4:20pm
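Worked example, added here and not part of the thread or of the linked guides: the Exchange Management Shell commands behind option 1 (the amset single-name approach that Martin describes, which rewrites the internal URLs to the certificate's name) and the certificate request used for option 3 or for a UCC purchase. The server name EX01, the AD domain corp.local, the organisation "Example Co" and the file paths are placeholders I assumed; mail.xxx.com is the certificate name from the original post.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Exchange 2007 CAS. EX01 and corp.local are assumed placeholder names; mail.xxx.com
# is the certificate name the original poster describes.
$cas  = "EX01"          # hypothetical CAS/Hub/Mailbox server
$fqdn = "mail.xxx.com"  # the one name on the current certificate

# --- Option 1: make every internal client URL use the certificate's name ----------
# Outlook 2007+ gets these URLs from Autodiscover and checks the certificate against
# the host in each URL, so once the host is mail.xxx.com the single-name certificate
# matches and the "name on the security certificate is invalid" warning stops.
Set-ClientAccessServer -Identity $cas `
    -AutodiscoverServiceInternalUri "https://$fqdn/Autodiscover/Autodiscover.xml"

Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "https://$fqdn/EWS/Exchange.asmx" `
    -ExternalUrl "https://$fqdn/EWS/Exchange.asmx"

Set-OABVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "https://$fqdn/OAB" -ExternalUrl "https://$fqdn/OAB"

Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -InternalUrl "https://$fqdn/owa" -ExternalUrl "https://$fqdn/owa"

# Verify what Autodiscover will now hand out.
Get-ClientAccessServer -Identity $cas | Format-List AutodiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $cas | Format-List InternalUrl, ExternalUrl
Get-OABVirtualDirectory -Server $cas | Format-List InternalUrl, ExternalUrl

# --- Why "split DNS": the host in those URLs must resolve to the CAS's LAN address
# from inside. The internal zone is corp.local, so a record there cannot answer for
# mail.xxx.com; you need an internal zone for xxx.com (or for just mail.xxx.com)
# that returns the LAN IP. This check should print the LAN address, not the public one.
[System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }

# --- Check which certificate the server actually presents on 443, as a client sees it.
$tcp = New-Object System.Net.Sockets.TcpClient($fqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($fqdn)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $ssl.RemoteCertificate
"Subject: " + $served.Subject
"Expires: " + $served.NotAfter
$served.Extensions | Where-Object { $_.Oid.FriendlyName -eq "Subject Alternative Name" } |
    ForEach-Object { "SAN:     " + $_.Format($false) }
$ssl.Close(); $tcp.Close()

# --- Option 3 / UCC: generate the request on Exchange so the private key never leaves
# the CAS. With only mail.xxx.com in -DomainName this is the single-name request;
# adding autodiscover.xxx.com and the server's AD name turns it into a UCC/SAN request
# that either the internal Windows CA (option 3) or a commercial CA (option 2) can sign.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Co, cn=$fqdn" `
    -DomainName $fqdn `
    -PrivateKeyExportable $true `
    -Path C:\certreq.txt

# After the CA returns the signed certificate (assumed saved as C:\cert.cer), import
# it and bind it to IIS (OWA/EWS/OAB/Autodiscover) and SMTP in one step.
Import-ExchangeCertificate -Path C:\cert.cer | Enable-ExchangeCertificate -Services IIS,SMTP
Get-ExchangeCertificate | Format-List Thumbprint, Subject, CertificateDomains, Services
```

Two caveats before running this for real. Enable-ExchangeCertificate swaps the IIS and SMTP bindings but leaves the old certificate in the store, so note its thumbprint first with Get-ExchangeCertificate and you can re-enable it if anything breaks. And a certificate from the internal Windows CA is only trusted by machines that hold that CA's root, which domain-joined PCs receive through AD but phones, home PCs and other organisations' SMTP servers do not; that is why the internal-CA route fixes the LAN-side warning yet can break external OWA and ActiveSync users, as the poster suspects, and why the thread's answers steer toward a commercially signed UCC.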

Hi, if you purchase a new UCC certificate now, then in most cases (I haven't heard of any problems) you can get the certificate reissued when you go to Exchange 2010, and then the money won't be wasted on the UCC certificate. It would definitely be the way I would go.

/Martin
Exchange is a passion, not just collaboration software.
November 30th, 2010 4:26pm
