
Exchange Server What are the names required for my certificate.


This is one of the most common questions about Exchange 2007/2010 certificates on the forums; no matter how often it is explained, more questions keep popping up, so here is the definitive guide.

Names required for Exchange 2007:

Scenario 1:

Single Server Deployment (Exchange 2007): HUB/CAS/Mailbox roles on a single server, Autodiscover enabled.

Servername: Exchangesrv

Internal Domain Name: domain.local

External Domain Name: domain.com

Web access will be via webmail.domain.com; internally this will be done using webmail.domain.local.

MX records point to mx1.domain.com. The SMTP HELO name (displayed in the SMTP session and set by the send/receive connector FQDN) is mail.domain.com.

Using a single certificate for all of that, we need:

  • Webmail.domain.com: this will be used for OWA and Outlook Anywhere; this will be the certificate's common name.
  • Mail.domain.com: this will be used for SMTPS authentication. If the name is not included, Exchange will give you a silly warning message that it cannot find a certificate with that name, and if you didn't set the FQDN on the send connector correctly some organisations might block you or list you as spam. Side note: using SMTPS is not mandatory since you have only a single server; on the internet only plain SMTP is used.
  • Mail.domain.local: this will be used for OWA internally, and also for the SCP and the Autodiscover internal URL. Failing to configure the SCP internally might render OOF and Free/Busy lookup unusable; check my article here.

Keep in mind that the internal SCP points to the Exchange server name by default, so you will need to either include this name in the certificate or change the SCP URL as per the list above. If you still want to use the minimum set of names and want to use mail.domain.com or webmail.domain.com, that is usable, but you must set up the internal DNS server correctly to resolve that name to the internal CAS IP from the internal network.
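The steps above carried out in the Exchange Management Shell, as an added example that is not part of the original post. It assumes Exchange 2010 (on 2007 the request is written with -Path instead of Set-Content), the post's placeholder names (Exchangesrv, domain.local, domain.com), and assumed values for the organisation fields in the subject, the file paths and the send connector name.

```powershell
# Added example, not from the original post. Assumes Exchange 2010 EMS and the
# post's placeholder names; paths, O/C fields and connector name are assumptions.

$commonName = "webmail.domain.com"
# The common name must be repeated in -DomainName so it also appears as a SAN.
$sanNames   = @("webmail.domain.com", "mail.domain.com", "mail.domain.local")

# 1. Generate the certificate request carrying all three names as SANs.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$commonName, O=Example Org, C=US" `
    -DomainName $sanNames `
    -PrivateKeyExportable $true `
    -KeySize 2048 `
    -FriendlyName "Exchange SAN certificate"
Set-Content -Path "C:\certreq\exchange.req" -Value $request

# 2. After the CA returns the signed certificate, import it and bind it to
#    IIS (OWA, EWS, Autodiscover, Outlook Anywhere) and SMTP (connector TLS).
$certBytes = [Byte[]](Get-Content -Path "C:\certreq\exchange.cer" -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $certBytes
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 3. Move the SCP off the default server FQDN onto a name that is on the certificate,
#    otherwise domain-joined Outlook gets a name mismatch on Autodiscover/OOF/Free-Busy.
Set-ClientAccessServer -Identity "Exchangesrv" `
    -AutoDiscoverServiceInternalUri "https://mail.domain.local/Autodiscover/Autodiscover.xml"

# 4. Internal/external URLs for the web services use the same two names.
Set-OwaVirtualDirectory -Identity "Exchangesrv\owa (Default Web Site)" `
    -InternalUrl "https://mail.domain.local/owa" -ExternalUrl "https://webmail.domain.com/owa"
Set-WebServicesVirtualDirectory -Identity "Exchangesrv\EWS (Default Web Site)" `
    -InternalUrl "https://mail.domain.local/EWS/Exchange.asmx" -ExternalUrl "https://webmail.domain.com/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "Exchangesrv\OAB (Default Web Site)" `
    -InternalUrl "https://mail.domain.local/OAB" -ExternalUrl "https://webmail.domain.com/OAB"
Enable-OutlookAnywhere -Server "Exchangesrv" -ExternalHostname "webmail.domain.com" `
    -ClientAuthenticationMethod Basic -SSLOffloading $false

# 5. The send connector FQDN must be one of the SANs, or Exchange warns that it
#    cannot find a certificate for the name and remote MTAs see a mismatched HELO.
Set-SendConnector -Identity "Internet" -Fqdn "mail.domain.com"

# 6. Verify: every name used above should appear in CertificateDomains.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, CertificateDomains, Services, NotAfter
```

Run the request step first and the rest only once the CA has issued the certificate; step 6 is the quick check that the names configured on the URLs and connectors are actually covered by the bound certificate.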

Scenario 2:

Single Server Deployment (Exchange 2010): HUB/CAS/Mailbox roles on a single server, Autodiscover enabled.

Same as scenario 1, no changes.

Scenario 3:

Multi-site Deployment (Exchange 2007/2010): one server in each site with HUB/CAS/Mailbox roles on a single server, Autodiscover enabled. (Site 2 has webmail enabled and users access it directly.)

Site1 Server name: Exchangesrv1

Site2 Server name: Exchangesrv2

Internal Domain Name: domain.local

External Domain Name: domain.com

Web access will be via webmail1.domain.com from site 1 and via webmail2.domain.com from site 2; internally this will be done using webmail1 and webmail2.

MX records point to mx1.domain.com at site 1 and to mx2.domain.com at site 2. The SMTP HELO names (displayed in the SMTP session and set by the send/receive connector FQDN) are mail1.domain.com and mail2.domain.com.

Using a single certificate for all of that, we need the following (you can of course use one certificate per site; it is totally up to you and how long you want to discuss the security threat of using a single certificate :) ):

  • Webmail1.domain.com: this will be used for OWA and Outlook Anywhere in site 1; this will be the certificate's common name.
  • Webmail2.domain.com: this will be used for OWA and Outlook Anywhere in site 2.
  • Mail1.domain.local: this will be used for OWA internally, and also for the SCP and the Autodiscover internal URL in site 1. Failing to configure the SCP internally might render OOF and Free/Busy lookup unusable; check my article here.
  • Mail2.domain.local: this will be used for OWA internally, and also for the SCP and the Autodiscover internal URL in site 2. Failing to configure the SCP internally might render OOF and Free/Busy lookup unusable; check my article here.
  • Mail1.domain.com, Mail2.domain.com: the internal HUB servers will communicate with each other using SMTPS, thus these FQDNs must be included in the certificate; they must also be set on the receive connector FQDN.

  • Keep in mind that the internal SCP points to the Exchange server name by default, so you will need to either include this name in the certificate or change the SCP URL as per the list above. If you still want to use the minimum set of names and want to use mail.domain.com or webmail.domain.com, that is usable, but you must set up the internal DNS server correctly to resolve that name to the internal CAS IP from the internal network.
  • Here you will also need to configure the site scope for Autodiscover.
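An added example for the multi-site case, not part of the original post: it checks that the certificate bound for IIS actually carries every name the scenario needs, copies the single certificate (and therefore its private key, which is the security trade-off of sharing one certificate between sites) from site 1 to site 2, and sets the per-site SCP and Autodiscover site scope. It assumes Exchange 2010, the post's placeholder names, and assumed values for the Active Directory site names and the PFX path. Test-CertificateNames is a helper written for this example, not an Exchange cmdlet.

```powershell
# Added example, not from the original post. Assumes Exchange 2010 EMS and the
# post's names; AD site names, PFX path and the helper function are assumptions.

# Every name scenario 3 requires on the one shared certificate.
$requiredNames = @(
    "webmail1.domain.com", "webmail2.domain.com",
    "mail1.domain.local",  "mail2.domain.local",
    "mail1.domain.com",    "mail2.domain.com"
)

# Helper (not an Exchange cmdlet): returns the required names that are neither
# listed explicitly in the certificate nor covered by a wildcard for their parent.
function Test-CertificateNames {
    param([string[]]$Required, $CertificateDomains)
    $present = @($CertificateDomains | ForEach-Object { "$_".ToLowerInvariant() })
    $missing = @()
    foreach ($name in $Required) {
        $n = $name.ToLowerInvariant()
        $parentWildcard = "*." + ($n -replace '^[^.]+\.', '')
        if (($present -notcontains $n) -and ($present -notcontains $parentWildcard)) {
            $missing += $name
        }
    }
    return $missing
}

# 1. On Exchangesrv1: find the certificate bound to IIS and verify its names.
$cert = Get-ExchangeCertificate -Server "Exchangesrv1" |
    Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$missing = Test-CertificateNames -Required $requiredNames -CertificateDomains $cert.CertificateDomains
if ($missing.Count -gt 0) {
    Write-Warning ("Certificate {0} is missing: {1}" -f $cert.Thumbprint, ($missing -join ", "))
}

# 2. Export the certificate with its private key and import it on the site 2 server.
#    One private key now lives on two servers: compromise of either exposes both.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password"
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "\\Exchangesrv2\C$\certreq\site1.pfx" -Value $export.FileData -Encoding Byte
$pfxBytes = [Byte[]](Get-Content -Path "C:\certreq\site1.pfx" -Encoding Byte -ReadCount 0)
$cert2 = Import-ExchangeCertificate -Server "Exchangesrv2" -FileData $pfxBytes -Password $pfxPassword
Enable-ExchangeCertificate -Server "Exchangesrv2" -Thumbprint $cert2.Thumbprint -Services "IIS,SMTP"

# 3. Per-site SCP plus site scope, so Outlook in each AD site is handed its own CAS.
Set-ClientAccessServer -Identity "Exchangesrv1" `
    -AutoDiscoverServiceInternalUri "https://mail1.domain.local/Autodiscover/Autodiscover.xml" `
    -AutoDiscoverSiteScope "Site1"
Set-ClientAccessServer -Identity "Exchangesrv2" `
    -AutoDiscoverServiceInternalUri "https://mail2.domain.local/Autodiscover/Autodiscover.xml" `
    -AutoDiscoverSiteScope "Site2"

# 4. Confirm both servers expose the same names.
Get-ExchangeCertificate -Server "Exchangesrv1" -Thumbprint $cert.Thumbprint | Format-List Subject, CertificateDomains
Get-ExchangeCertificate -Server "Exchangesrv2" -Thumbprint $cert2.Thumbprint | Format-List Subject, CertificateDomains
```

The helper treats a wildcard as covering only one label, which matches how clients evaluate `*.domain.com`; it deliberately does not match a wildcard against a name two labels deep, so a missing host is reported rather than silently assumed covered.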

Scenario 4:

Single site Deployment (Exchange 2007/2003 to 2010 transition): we have two servers (for simplicity) and are transitioning from 2007 or 2003.

This will use the same names as included in the scenario above; treat them as two servers. For 2003 you will also need to include legacy.domain.com, which points to the Exchange 2003 servers to allow SSO for OWA.

Scenario 5:

Single site Deployment (Exchange 2007/2003 to 2010 transition) with an Exchange 2010 CAS Array: we have two servers (for simplicity) and are transitioning from 2007 or 2003.

This will use the same names as included in the scenario above, plus the CAS Array FQDN.
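The CAS array part of scenario 5 in the Exchange Management Shell, as an added example that is not part of the original post. It assumes Exchange 2010, the post's placeholder names, and assumed values for the array FQDN, the AD site name and the request path; the 2010 server name is the post's Exchangesrv.

```powershell
# Added example, not from the original post. Assumes Exchange 2010 EMS; the array
# FQDN, AD site name and request path are assumptions.

# 1. Create the CAS array. Its FQDN should resolve in internal DNS to the
#    load-balanced CAS address, not to an individual server.
New-ClientAccessArray -Name "outlook.domain.local" -Fqdn "outlook.domain.local" -Site "Default-First-Site-Name"

# 2. Mailbox databases on the 2010 server hand this FQDN to Outlook as the RPC
#    endpoint; restrict to the 2010 server so legacy databases are not touched.
Get-MailboxDatabase -Server "Exchangesrv" | Set-MailboxDatabase -RpcClientAccessServer "outlook.domain.local"

# 3. Name list for the single certificate: the scenario 1 names, the legacy host
#    that points at Exchange 2003 for OWA SSO, and the CAS array FQDN.
$names = @(
    "webmail.domain.com",
    "mail.domain.com",
    "mail.domain.local",
    "legacy.domain.com",
    "outlook.domain.local"
)
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=webmail.domain.com, O=Example Org, C=US" `
    -DomainName $names -PrivateKeyExportable $true -KeySize 2048
Set-Content -Path "C:\certreq\exchange-casarray.req" -Value $request

# 4. Check the array is registered and databases point at it.
Get-ClientAccessArray | Format-List Name, Fqdn, Site, Members
Get-MailboxDatabase -Server "Exchangesrv" | Format-Table Name, RpcClientAccessServer
```

Outlook clients already connected keep the old RPC endpoint in their profile until repaired, so set the array on the databases before moving mailboxes to the 2010 server.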

What is missing:

I didn't put the internal server FQDNs in the certificate simply because I am changing them (on OWA and on the send/receive connectors), and adding them is not required if you are using NLB, so I prefer not to tie the certificate to internal server names since this is very limiting (this is from my humble point of view).

Hope that this post helps you.

  1. March 31, 2011 at 10:52 pm

    Hi, nice article!

    I'm interested in your scenario 3. I have almost the same case, except that I have NLB CAS/HUB on both sites. Both sites are internet facing.
    I know that I can have an autodiscover record for both internal sites (playing with the affinity), but my question is about the autodiscover record on the Internet.
    I would like full redundancy between my 2 sites. Can I register 2 autodiscover records in Internet DNS?
    If yes, what will be the content of the SCP URL?
    One autodiscover record with the SCP URL from one site and another autodiscover record with the other SCP URL?
    Well, if you know how to do it with 2 sites Internet facing (to make redundancy), could you please answer in this forum too?
    http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/de9f47cb-5975-4353-a8a8-7f92049b7d92#de9f47cb-5975-4353-a8a8-7f92049b7d92

    Thank you a lot 😉

  2. April 1, 2011 at 10:02 am

    It can be done, but keep in mind you are mixing things up: the SCP has nothing to do with the Internet autodiscover. The Internet autodiscover will redirect the user to the correct CAS location based on his site membership, and will pass the URLs configured for that site.

  3. April 28, 2012 at 9:42 am

    Nice post, I was really searching for such a kind of post stuffed with information regarding your title; keep on track, I will be back soon.

  4. ioganthesaint
    October 19, 2012 at 9:45 pm

    Good, but I wonder about the autodiscover portion. In my case (and it seems this is in line with what MS says) I had to add autodiscover..com to the names, otherwise OOF would not work, multiple logon prompts would appear and no automatic profile configuration would work.

    • October 20, 2012 at 8:53 am

      You always need the autodiscover record, and yes, OOF and free/busy will not work without it; also you need the internal/external URLs for the web services and OAB.
