Choosing SAN Names for your Exchange SSL Certificate

Exchange 2010 SAN Name Help

Subject Alternate Names for your Exchange 2010 SSL Certificate

Choosing your SAN names for Exchange 2010 is simpler than it was in Exchange 2007, thanks to the new graphical "New Exchange Certificate" wizard.

If you prefer to use the Exchange PowerShell, you still have that option.

When choosing your Subject Alternate Names, the same basic rule applies to both the GUI and the PowerShell: any name through which your server will be accessed should be listed in the certificate, either as the common name or as a subject alternate name.

In fact, the common name is automatically added to your certificate as a SAN.

If you access your Exchange 2010 server through the network and over the internet via the same URL, make sure that you include that exact name in the certificate.

For example, if you use owa.domain.com externally and owa.domain.local internally, both owa.domain.com and owa.domain.local should be listed in the certificate. If you use owa.domain.com for both internal and external access, you do not need to include it twice.

The easiest thing to do when working with SSL Certificates in Exchange 2010's new GUI is to check the boxes provided under "Exchange Configuration" for the applicable Exchange roles. Your server will then suggest SAN names to use with Exchange 2010. You will need to confirm that the pre-filled information is accurate for your particular server configuration.

While we can't tell you exactly what SAN names to include in your SSL certificate, the following points hold true for SAN Names in Exchange 2010:

  1. Include the fully-qualified domain name and NetBIOS name of your Exchange server(s) (e.g., owa.domain.com and owa.local).
  2. When using the Autodiscover service, include an entry for autodiscover. Autodiscover with Exchange automatically uses autodiscover.yourdomain.com.
  3. If you use a distinct URL for OWA, ActiveSync, Outlook Anywhere, or any other service on the Exchange 2010 server, or have any CAS servers involved for which you must create a secure connection, include those names as well.

    If you are using any CAS servers, make sure to include the NetBIOS name and internal fully-qualified domain name of every CAS server involved.

    If you do not use different URLs for any other secure services, you should have all the Subject Alternate Names you need.

If you want to use the PowerShell, feel free to use our Exchange 2010 CSR Wizard for help creating your CSR.
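The naming rules above applied in the Exchange Management Shell, as an added example that is not taken from this page or from the CSR Wizard: it builds a de-duplicated SAN list, generates the request, and later checks that an installed certificate covers every name. The CAS server name `cas01`, the subject's `c=`/`o=` values and the output path are assumptions; the other names are this page's examples.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# cas01, the c=/o= subject values and C:\certs are hypothetical placeholders.
$commonName = 'owa.domain.com'
$candidates = @(
    'owa.domain.com',           # external OWA name
    'owa.domain.local',         # internal name for the same service
    'autodiscover.domain.com',  # Autodiscover
    'cas01.domain.local',       # hypothetical CAS server, internal FQDN
    'cas01',                    # hypothetical CAS server, NetBIOS name
    'OWA.domain.com'            # same name in different case, dropped below
)

# Normalise, drop blanks and duplicates (DNS names are case-insensitive),
# and put the common name first.
$names = $candidates | ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Where-Object { $_ } | Select-Object -Unique
$sanList = @($commonName) + @($names | Where-Object { $_ -ne $commonName })

# Generate the CSR. Exchange 2010 returns the request as text,
# so it is written to a file explicitly (the folder must already exist).
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Org, cn=$commonName" `
    -DomainName $sanList -KeySize 2048 -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\exchange2010.req' -Value $csr

# Returns the required names that a certificate does NOT cover.
function Test-SanCoverage {
    param([string[]]$Required, [string[]]$Present)
    $have = @($Present | ForEach-Object { $_.ToLowerInvariant() })
    @($Required | Where-Object { $have -notcontains $_.ToLowerInvariant() })
}

# After the issued certificate is imported, report gaps per certificate.
Get-ExchangeCertificate | ForEach-Object {
    $present = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
    $missing = Test-SanCoverage -Required $sanList -Present $present
    if ($missing.Count -eq 0) {
        "{0}: covers all required names" -f $_.Thumbprint
    } else {
        "{0}: missing {1}" -f $_.Thumbprint, ($missing -join ', ')
    }
}
```

Publicly trusted CAs no longer issue certificates for internal-only names such as `.local` hosts or bare NetBIOS names, so a list like this one needs an internal CA for those entries.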
