This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 21%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFL%3C/text%3E%3C/svg%3E)
At the moment, one servtificate has been installed, which contains all domain names for the excahgne server and for other services using this certificate.
We would like to simplify this certificate and issue a cheaper one.
The server now has a certificate for the following domain names:
smtp.domainA.com
mail.domainA.com
autodiscover.domainA.com
exchange01.domainA.com
siteA.domainA.com
siteB.domainA.com
siteC.domainA.com
othersiteA.domainA.com
othersiteB.domainA.com
othersiteC.domainA.com
autodiscover.domainB.com this is SRV record -> mail.domainB.com
mail.domainB.com this is CNAME record -> mail.domainA.com
autodiscover.domainC.com this is SRV record -> mail.domainC.com
mail.domainC.com this is CNAME record -> mail.domainA.com
autodiscover.domainD.com this is SRV record -> mail.domainD.com
mail.domainD.com this is CNAME record -> mail.domainA.com
So there is no sense to have such a certificate, if I'm right, one wilecard *.domainA.com certificate will be enough.
Hmm, users will get an error like untrusted cetificate becouse it will not contain autodiscover.domain Bcom, autodiscover.domain.com, autodiscover.domainD.com :( what can I do in this case?
Thank you.
Its just one certificate, some Cert Authorities issue those.
I wouldnt do that though. I would just have a regular SAS Certificate with the all the subject names needed.
You probably dont need:
smtp.domainA.com ( You can set the connector FQDNs to mail.domaina.com
and you probably dont need:
exchange01.domainA.com
Thank you.
Yes, that's what I thought.
change the autodecover url so it looked like mail.domainA.com/autodiscover and take away smtp.domainA.com, exchange01.domainA.com ...
It turns out 4 names, multi-domain allows 3 free names ~400$ + 49 $ for each subject one. This cert for exchange only.
2) Separate wildecard certificate for other services. I don`t known how many names there will be in future, it is better to issue one certificate for all * .domainA.com ~450$ (not for exchange)
3) The client's current certificate is EV. As I found out, EV cannot be a wildecard, so if customer really needs such a certificate, he can issue it additionally for his site mainsite.domainA.com or use the same wildecard if he don`t need EV cert.
Looks good?
That wont work.
You need a cert with subject names that cover:
Clients will connect to the CNAMEs.
mail.domainB.com
mail.domainC.com
mail.domainD.com
Thank you
You mean that this name needs to be included in the certificate:
autodiscover.domainB.com
autodiscover.domainC.com
autodiscover.domainD.com
and
mail.domainB.com
mail.domainC.com
mail.domainD.com
So, the certificate must contain a wildecard *.domainA.com name and six subjects mail.domainB.com, mail.domainC.com, mail.domainD.com, autodiscover.domainB.com, autodiscover.domainC.com, autodiscover.domainD.com
OR this way for example:
mail.domainB.com
mail.domainC.com
mail.domainD.com
if autodecover url will be like
mail.domainB.com/autodiscover
mail.domainC.com/autodiscover
mail.domainD.com/autodiscover
So, the certificate must contain a wildecard *.domainA.com name and three subjects mail.domainB.com, mail.domainC.com, mail.domainD.com
If the autodiscover record is:
mail.domainB.com/autodiscover
mail.domainC.com/autodiscover
mail.domainD.com/autodiscover
then you need
mail.domainB.com
mail.domainC.com
mail.domainD.com
I would also add the domainA.com records if they are needed
You can have a Wildcard + SAN Certificate, but that may be pretty expensive
Yes, I need and must to add domainA.com this is the main domain name for Exchange.
But how can I add more then one certificate on one server. Wildcard + SAN - it will be two certificatec and there is no way to add to one Exchange server.
It is not possible to specify your own certificate for each virtual directory URL. For example *.domainA.com for mail.domainA.com and add another certificate to for other names B, C ,D.
or I'm wrong
Yes, I would go wit that :)