SSL for Exchange 2007
I have some questions regarding the correct setup for SSL for Exchange Server 2007. The Setup program in Exchange Server 2007 creates a default self-signed certificate when Exchange Server 2007 is installed. My email domain is mba.company.com (EMAIL GONE) and the OWA website is mail.branch.company.com. Right now, I have a wildcard SSL in IIS for *.company.com that I am using for OWA and people can log into OWA without a problem.

1. Will it be a problem for me to also have an SSL for mba.company.com?
2. Am I correct in thinking that the SSL for mba.company.com would replace the self-signed SSL that was created when Exchange was installed?

Any insight you can give would be very much appreciated! Thanks!
October 16th, 2009 10:28pm

Well, one cert per IIS site. So, if you have a cert applied to an Exchange site you can't apply another cert for it. You could set up multiple OWA sites for your environment if you need to have different URL access etc. More info: http://msexchangeteam.com/archive/2008/01/07/447828.aspx

With the wildcard cert it will provide access for all domains. The trick is with ActiveSync and OLA; wildcard certs won't play nice with those. You'd probably be better off going with a SAN cert. And technically you want to replace the self-signed cert. Best bet is public if private cert. Most configurations I do will involve an ISA server in the DMZ with a public cert and then an internal cert for the connection between ISA and the CAS server. But yes, replace the self-signed SSL cert created by Exchange; it's only good for one year. ;)

Some good info on certs:
More on Exchange 2007 and certificates - with real world scenario: http://msexchangeteam.com/archive/2007/07/02/445698.aspx
Exchange 2007 Autodiscover and certificates: http://msexchangeteam.com/archive/2007/04/30/438249.aspx

SF - MCITP:EMA, MCTS: MOSS 2007, OCS 2007, Exchange 2007 -- http://www.scottfeltmann.com
October 16th, 2009 10:51pm

Windows Mobile 6.0 and later support wildcard certs. Outlook Anywhere does support wildcard as long as you run Set-OutlookProvider to set the MSSTD:*.domain.com. More information about Outlook Anywhere here. As for the self-signed certificate only being good for 1 year, SP2 changed that to 5 years.

MVP | MCSE:M | MCITP: Enterprise Messaging Administrator | MCTS: OCS + Voice Specialization | http://www.shudnow.net
October 16th, 2009 11:27pm

Thanks Elan, that's good to know!

SF - MCITP:EMA, MCTS: MOSS 2007, OCS 2007, Exchange 2007 -- http://www.scottfeltmann.com
October 16th, 2009 11:30pm

Thank you for your replies. Now I have a couple of follow-up questions. I can keep the wildcard certificate for *branch.company.com for the OWA website in IIS.

1. However, should I create another website in IIS for all of the other Exchange functionality, like Autodiscover/POP/IMAP? What type of SSL cert would this site need, a renewal of the self-signed SSL or an SSL for my email domain, @mba.company.com? But does the self-signed SSL do the same thing as the SSL cert for my email domain, @mba.company.com? I am confused as to what kind of SSLs I need. I am getting the following type of error messages on my Exchange server.

Event message #1 - "Microsoft Exchange couldn't find a certificate that contains the domain name mba.company.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector outgoing email with a FQDN parameter of mba.company.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key."

Event message #2 - "The STARTTLS certificate will expire soon: subject: servername.ad.company.com, hours remaining: 990B7D2F990179D3ADF999D44562C3481BA2BBC0. Run the New-ExchangeCertificate cmdlet to create a new certificate."

2. I have not installed Exchange 2007 SP2 yet. According to Elan, SP2 changes the validity of the SSL from 1 year to 5 years. So if I upgrade to SP2, will that take care of this issue of renewing the self-signed SSL?
October 19th, 2009 4:43pm
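The two events quoted in the follow-up above (no certificate in the Personal store covering the connector FQDN, and a STARTTLS certificate close to expiry) can be checked from the server before touching any Exchange cmdlet. The script below is an added example and not code from anyone in this thread; it assumes the connector FQDN mba.company.com and a 30-day warning threshold, both of which are parameters you would adjust, and it uses only the built-in Cert: drive.

```powershell
# Added example: find certificates in LocalMachine\My that cover the SMTP
# connector FQDN (event #1) and flag any certificate nearing expiry (event #2).
param(
    [string]$ConnectorFqdn = 'mba.company.com',   # assumption: the connector's FQDN
    [int]$WarnDays = 30                           # assumption: expiry warning window
)

function Test-CertCoversName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Name)
    $Name = $Name.ToLower()
    # Candidate names: the subject CN plus every DNS entry in the SAN extension
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) yields e.g. "DNS Name=mail.company.com, DNS Name=*.company.com"
        foreach ($entry in $san.Format($false).Split(',')) {
            $entry = $entry.Trim()
            if ($entry -like 'DNS Name=*') { $names += $entry.Substring($entry.IndexOf('=') + 1).Trim() }
        }
    }
    foreach ($n in $names) {
        $n = $n.ToLower()
        if ($n -eq $Name) { return $true }
        # A wildcard covers exactly one label: *.company.com matches mba.company.com
        # but not host.mba.company.com
        if ($n.StartsWith('*.') -and $Name.EndsWith($n.Substring(1))) {
            $prefix = $Name.Substring(0, $Name.Length - $n.Length + 1)
            if ($prefix.Length -gt 0 -and $prefix -notmatch '\.') { return $true }
        }
    }
    return $false
}

$certs = @(Get-ChildItem Cert:\LocalMachine\My)
$covering = @($certs | Where-Object { Test-CertCoversName -Cert $_ -Name $ConnectorFqdn })
if ($covering.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My covers $ConnectorFqdn; STARTTLS for that connector FQDN cannot be offered (event #1)."
} else {
    foreach ($c in $covering) {
        "Covers $ConnectorFqdn : $($c.Subject)  thumbprint $($c.Thumbprint)  expires $($c.NotAfter)"
    }
}
# Event #2: warn on every certificate in the store that expires within the window
foreach ($c in $certs) {
    $daysLeft = ($c.NotAfter - (Get-Date)).Days
    if ($daysLeft -lt $WarnDays) {
        Write-Warning "$($c.Subject) (thumbprint $($c.Thumbprint)) expires in $daysLeft days"
    }
}
```

If a covering certificate is listed but event #1 still fires, the thread's advice applies: run Enable-ExchangeCertificate -Thumbprint <that thumbprint> -Services SMTP so the Transport service can use its key.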
