Exchange Certificate Renewal Subject Alternative Name settings

jeff mcnabney 301 Reputation points
2020-11-30T19:35:02.493+00:00

Exchange 2016 services are configured with a certificate from local AD CA, but the time has come to replace it with a branded certificate, comodo, thawte, etc. There are three domains on this server that can receive mail, and the existing certificate matches them all...

- domain1.com
- domain2.com
and then the local AD one
- domain1.local

There are SANs on each domain, including the autodiscover names and the hostname for the local server.

What kind of certificate do I require to meet all these wildcard scenarios... just ignore the wildcards and get one that allows me to add Subject Alternative Names for each domain, or should I look for one that includes a mix of multiple domains and wildcards on each of those domains?

Does it need to include the autodiscover FQDNs and the local hostname, or can I reduce this list?

Exchange | Exchange Server | Management

Accepted answer
  1. Andy David - MVP 157.8K Reputation points
    2020-11-30T19:47:17.93+00:00

    I would get a SAN cert and include all the required FQDNs as subject names.
    Required meaning it's a defined end-point for clients. If you set all the virtual directories to the same FQDN plus the virtual directory name, then all you need is that one subject name plus the autodiscover subject names. Also include any aliases if you use them.

    You should include autodiscover.<domain> for each SMTP domain that is set as potential primary Reply address for an account.
    You don't need the local hostname unless, for some reason, internal users connect to that as a client endpoint.
    If you are using split DNS, that would eliminate the need for the .local as a subject name.


1 additional answer

  1. Lucas Liu-MSFT 6,191 Reputation points
    2020-12-01T05:39:14.157+00:00

    Hi @jeff mcnabney ,
    I agree with what Andy said. It's recommended that you use a SAN certificate. You can add a list of multiple host names in the certificate's Subject Alternative Name. As the minimum set of host names contained in a certificate used by Exchange, it must contain mail.domain.com and autodiscover.contoso.com. So the certificate needs to include the Autodiscover FQDN.
    You could refer to the "Best Practices for Exchange certificates" provided by Microsoft: Best practices for Exchange certificates

    ----------

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
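A way to verify the rule both answers give (every client end-point host, plus autodiscover.<domain> for each SMTP domain, must be a SAN) before ordering the public certificate. This is an added example written for this thread, not code from either answer or from Microsoft; it is meant for the Exchange Management Shell on the 2016 server, and the namespace, thumbprint and output path are assumed placeholders.

```powershell
# Added example: checks whether an Exchange certificate covers every client-facing
# name, following the rule in the answers above. Run in the Exchange Management Shell
# on the 2016 server. $Thumbprint and the names below are assumptions for this thread.
$Server     = $env:COMPUTERNAME
$Namespace  = 'mail.domain1.com'              # the single FQDN all virtual directories use
$Thumbprint = 'THUMBPRINT-OF-CERT-TO-CHECK'   # placeholder: take it from Get-ExchangeCertificate

# 1. Collect every host name that is a defined client end-point on this server.
$vdirs = @(Get-OwaVirtualDirectory         -Server $Server) +
         @(Get-EcpVirtualDirectory         -Server $Server) +
         @(Get-WebServicesVirtualDirectory -Server $Server) +
         @(Get-ActiveSyncVirtualDirectory  -Server $Server) +
         @(Get-OabVirtualDirectory         -Server $Server) +
         @(Get-MapiVirtualDirectory        -Server $Server)
$hosts = @(foreach ($vd in $vdirs) {
    foreach ($u in @($vd.InternalUrl, $vd.ExternalUrl)) { if ($u) { $u.Host } }
})
$oa = Get-OutlookAnywhere -Server $Server
$hosts += "$($oa.InternalHostname)", "$($oa.ExternalHostname)"
$hosts += (Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri.Host

# 2. autodiscover.<domain> for each SMTP domain that can be a primary reply address.
#    Internal-only suffixes such as .local are skipped: a public CA will not issue them,
#    and with split DNS the namespace above is reachable from inside as well.
$hosts += Get-AcceptedDomain |
    Where-Object { "$($_.DomainName)" -notlike '*.local' } |
    ForEach-Object { "autodiscover.$($_.DomainName)" }

# 3. Compare against the certificate's SAN list. Wildcard SANs are honoured with -like,
#    which is slightly looser than a real wildcard's single-label rule.
$need = $hosts | Where-Object { $_ } | ForEach-Object { $_.ToLower() } | Sort-Object -Unique
$have = (Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint).CertificateDomains |
    ForEach-Object { "$_".ToLower() }
$missing = $need | Where-Object { $n = $_; -not ($have | Where-Object { $n -like $_ }) }

if (-not $missing) {
    "Certificate covers all $(@($need).Count) client end-point names."
} else {
    "Missing SANs: $($missing -join ', ')"
    # 4. Build the CSR for the public CA with the complete list; $Namespace becomes the CN.
    $req = New-ExchangeCertificate -Server $Server -GenerateRequest -PrivateKeyExportable $true `
        -SubjectName "cn=$Namespace" -DomainName $need -FriendlyName 'Exchange SAN'
    [IO.File]::WriteAllBytes('C:\Temp\exchange-san.req', [Text.Encoding]::Unicode.GetBytes($req))
}
```

The request file is what you submit to Comodo, Thawte or similar; after the issued certificate is imported, rerun the check against its thumbprint before assigning services to it.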
