Exchange 2007 UC Certificate SANs
What Subject Alternative Names (SANs) Should I Include in an Exchange 2007 Certificate?
Basically you need to include any name that is used to access the Exchange 2007 server.
The simplest scenario is when the internal and external names are the same, because you don't need to duplicate names. If you use different names for internal and external access (e.g., owa.domain.com and owa.domain.local), you have to include both the internal and external names in your certificate.
Though we can't tell you exactly what to put in your certificate, below are some things to keep in mind:
- The most important thing to remember is that if you do make a mistake, fixing the problem is simple. All you have to do is reissue the certificate. You can do this at any point and can modify your names at no extra cost. Note that adding more names than the base four that come with the certificate only costs what you paid to add them.
- Include both the external and internal fully-qualified domain names of your Exchange CAS server(s), for example owa.domain.com and owa.internaldomain.com.
- If you are using Autodiscover, make sure you include an entry for it (the Autodiscover service uses autodiscover.domain.com by default).
- If you use the same URL for OWA, ActiveSync, Outlook Anywhere, or any other service on the Exchange 2007 server and only have one CAS server, you do not need to take any extra steps. However, if this is not the case, review the following lines.
  - If you are using different URLs, make sure to include entries for those as well.
  - If you are using more than one CAS server, make sure to include the internal fully-qualified domain name of every CAS server that is involved.
  - If you are using any CAS servers, make sure to include the internal fully-qualified domain name of every CAS server involved.
Once you know what names you need to use in your certificate, we recommend using our Exchange 2007 CSR Wizard to create your CSR.
Note that after 2015, certificates for internal names will no longer be trusted.
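The checklist above can be turned into a planning script. The following is an added example, not part of the original article or any vendor tool: it builds the SAN list from the URLs and CAS names in use, then compares it with the names on an issued certificate. All hostnames, function names, and the internal-suffix list are assumptions made for illustration.

```python
from urllib.parse import urlsplit

BASE_NAMES = 4  # names the article says come with the certificate
# Assumption: suffixes treated as internal-only; adjust to your environment.
INTERNAL_SUFFIXES = (".local", ".lan", ".corp", ".internal")

def host_of(value):
    """Accept a URL or a bare hostname; return the lower-cased hostname."""
    value = value.strip()
    host = urlsplit(value).hostname if "://" in value else value
    return (host or "").rstrip(".").lower()

def plan_sans(service_urls, cas_internal_fqdns, mail_domain=None):
    """Build the de-duplicated SAN list from every name clients connect to."""
    names = list(service_urls) + list(cas_internal_fqdns)
    if mail_domain:  # Autodiscover in use: default name is autodiscover.<domain>
        names.append("autodiscover." + mail_domain)
    planned = []
    for host in map(host_of, names):
        if host and host not in planned:
            planned.append(host)
    return planned

def is_internal(host):
    """Flag internal names, which the article says stop being trusted after 2015."""
    return "." not in host or host.endswith(INTERNAL_SUFFIXES)

def audit(planned, cert_sans):
    """Compare the plan with the SANs on an issued certificate."""
    present = {host_of(s) for s in cert_sans}
    return {
        "missing": [h for h in planned if h not in present],
        "internal": [h for h in planned if is_internal(h)],
        "beyond_base": max(0, len(planned) - BASE_NAMES),
    }

# Constructed sample: shared OWA/ActiveSync URL, an internal OWA name,
# two CAS servers, and Autodiscover enabled for domain.com.
PLAN = plan_sans(
    ["https://owa.domain.com/owa",
     "https://OWA.domain.com/Microsoft-Server-ActiveSync",
     "https://owa.domain.local/owa"],
    ["cas01.domain.local", "cas02.domain.local"],
    mail_domain="domain.com",
)
REPORT = audit(PLAN, ["owa.domain.com", "autodiscover.domain.com", "cas01.domain.local"])
print(PLAN)
print(REPORT)
```

Names listed under "missing" call for a reissue with the corrected SAN list; names listed under "internal" are the ones affected by the 2015 change.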
