LYNC & Exchange Certificate

We have Exchange 2013 Standard and Lync 2013 Standard deployments. Currently we are using a *.xyz wildcard certificate for Exchange and Lync. Now we would like to procure a UC SAN certificate. Please help me to understand:

1) Is it required to have 2 different certificates for Exchange & Lync, or will a single one with multiple SANs work?

2) What SAN and CN entries are required for Exchange in a single certificate (single certificate for Lync & Exchange)?

3) What SAN and CN entries are required for Lync in a single certificate (single certificate for Lync & Exchange)?

4) What kind of SAN and CN entries are required for Exchange and Lync in separate certificates?

February 10th, 2014 6:18pm

Hi,

You can use a single certificate for both Lync and Exchange.

1. Front-End Server Private Certificate
CN: lyncservername.domain.local
SAN: sip.sipdomain.com, meet.sipdomain.com, dialin.sipdomain.com, admin.sipdomain.com, webinternal.sipdomain.com

2. Edge Internal Private Certificate
CN: edgeservername.domain.local

3. Edge External Public Certificate
CN: sip.sipdomain.com
SAN: sip.sipdomain.com, webconf.sipdomain.com

4. Reverse Proxy External Public Certificate
CN: webexternal.sipdomain.com
SAN: webexternal.sipdomain.com, meet.sipdomain.com, dialin.sipdomain.com

http://lyncuc.blogspot.nl/2013/06/lync-certificate-planning-and.html

Check this link for certificate requirements:

http://technet.microsoft.com/en-us/library/gg398094.aspx

Check this thread for Exchange:

http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx

http://social.technet.microsoft.com/Forums/exchange/en-US/e85a1f68-e50c-4510-9e72-0505d7481ee5/san-entries-for-exchange-2010-certificate

February 11th, 2014 3:59am

Thanks for your reply.

Actually, I would like to know whether a single UC SAN certificate with multiple SAN entries like the ones below:

CN: contoso.com

SAN:

Autodiscover.contoso.com
xyz.contoso.com (host name of Exchange)
mail.contoso.com (used for OWA)
abc.contoso.com (hostname of Lync)
meet.contoso.com
dialin.contoso.com
lyncdiscover.contoso.com
sip.contoso.com

So I would like to know whether a UC SAN with 1 domain & 10 SANs will work here with Exchange & Lync deployed on 2 different hosts.


February 11th, 2014 3:44pm

Actually, you can approach this another way. According to this article http://technet.microsoft.com/en-us/library/hh202161.aspx, you can use one wildcard certificate on both Exchange and Lync web services PUBLIC infrastructure (assuming you also publish Exchange with Reverse Proxy). For the Edge, since wildcard is not supported (and I see you use a single public IP address), a single certificate with CN=sip.domain.com will be sufficient.

You can get a completely free public certificate from StartSSL https://www.startssl.com for your Edge. Look also at the option for "Class 2". I have used them in the past and had no issues with federation or Exchange service whatsoever.

Drago

February 11th, 2014 4:54pm
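
The coverage question running through this thread (does a given CN/SAN list cover every name each role presents?) can be checked mechanically before ordering a certificate. The following is an added example, not code from any poster or from Microsoft; the `REQUIRED` role list is constructed from the names quoted in the posts, with `sipdomain.com` replaced by `contoso.com` as an assumption, and the Edge wildcard exclusion follows the last reply.

```python
def name_matches(pattern, host):
    """True if one certificate name (CN or SAN dNSName) covers host.

    A wildcard counts only as the whole left-most label and stands for exactly
    one label: *.contoso.com covers sip.contoso.com, not contoso.com itself.
    """
    p = pattern.strip().lower().rstrip(".").split(".")
    h = host.strip().lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def missing_names(cert_names, required, no_wildcard_roles=()):
    """Per role, list the required FQDNs that no usable certificate name covers."""
    gaps = {}
    for role, hosts in required.items():
        usable = [n for n in cert_names
                  if not (role in no_wildcard_roles and n.startswith("*."))]
        uncovered = [h for h in hosts
                     if not any(name_matches(n, h) for n in usable)]
        if uncovered:
            gaps[role] = uncovered
    return gaps


# CN and SAN list proposed in the second post of the thread.
PROPOSED_UC = ["contoso.com", "Autodiscover.contoso.com", "xyz.contoso.com",
               "mail.contoso.com", "abc.contoso.com", "meet.contoso.com",
               "dialin.contoso.com", "lyncdiscover.contoso.com", "sip.contoso.com"]
WILDCARD = ["*.contoso.com"]

# Constructed requirement set (assumption): Exchange names from the second post;
# Edge and reverse proxy names from the first reply, sipdomain.com -> contoso.com.
REQUIRED = {
    "exchange": ["autodiscover.contoso.com", "mail.contoso.com", "xyz.contoso.com"],
    "edge_external": ["sip.contoso.com", "webconf.contoso.com"],
    "reverse_proxy": ["webexternal.contoso.com", "meet.contoso.com",
                      "dialin.contoso.com"],
}
NO_WILDCARD = {"edge_external"}  # per the last reply: no wildcard on the Edge

if __name__ == "__main__":
    for label, names in (("proposed UC SAN", PROPOSED_UC), ("wildcard", WILDCARD)):
        gaps = missing_names(names, REQUIRED, NO_WILDCARD)
        print(f"{label}: {gaps or 'all required names covered'}")
```

Replace `REQUIRED` with the FQDNs actually published in your topology; the comparison is only as accurate as that list.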
