What do I need to select in the Certificate Configuration for Microsoft Exchange 2010?

Solution

The New Exchange Certificate wizard in Microsoft Exchange 2010 has a section named Certificate Configuration. This guide walks through each part of that section so that you can choose the correct settings.

Sharing

The Sharing section allows you to trust other domains so that you can share components between them.  An example of this would be if you needed to share a common address book between domains. 

Use this certificate for Federated Delegation - Select this check box if your configuration needs to trust other domains.

Client Access server (Outlook Web App)



The Client Access server (Outlook Web App) section allows you to specify the FQDN of the Outlook Web App on your Intranet (internal) and on the Internet (external).

Outlook Web App is on the Intranet - Select this check box if you need to access the Outlook Web App on your intranet. 

Domain name you use to access Outlook Web App internally - If you checked Outlook Web App is on the Intranet, enter the internal FQDN in this field. In most cases this is the FQDN of the server. If you are using a load balancer, enter the FQDN of the load balancer instead.

Outlook Web App is on the Internet - Select this check box if you need to access the Outlook Web App on the internet. 

Domain name you use to access Outlook Web App (example: mail.contoso.com) - If you checked Outlook Web App is on the Internet, enter the public host name (the name in your external URL) in this field.

Note: Some companies use a split-horizon (split-view or split-brain) DNS configuration, in which the same FQDN resolves to an internal address on the intranet and a public address on the Internet. In that case the internal and external names entered here can be the same.

Client Access server (Exchange ActiveSync)



The Client Access server (Exchange ActiveSync) section allows you to specify the URL that will be used for ActiveSync to mobile devices. 

Exchange ActiveSync is enabled - Select this check box if you want to enable ActiveSync.

Domain name you use to access Exchange ActiveSync (example: mail.contoso.com) - If you checked Exchange ActiveSync is enabled, enter the host name that your mobile devices will use to connect to ActiveSync.

Note: Older devices may not recognize the SAN (Subject Alternative Name) entries that this certificate will contain and will only check the Common Name. To avoid connection failures on those devices, enter the name that will become the certificate's Common Name in this field.

Client Access server (Web Services, Outlook Anywhere, and Autodiscover)



The Client Access server (Web Services, Outlook Anywhere, and Autodiscover) section covers Exchange Web Services, Outlook Anywhere and Autodiscover.

Exchange Web Services is enabled - Because so many Microsoft Exchange 2010 features depend on Exchange Web Services, you will almost always want to select this.

Outlook Anywhere is enabled - Select this check box if you wish to enable Outlook Anywhere.  This used to be known as RPC over HTTPS. 

External host name for your organization (example: mail.contoso.com) - Enter the external host name that Outlook clients use for Outlook Anywhere in this field.

Autodiscover used on the Intranet - Select this check box if you want to use Autodiscover lookup on the domain.

Autodiscover used on the Internet - Select this if you want to be able to use Outlook when outside of the office.

The wizard offers a Long URL and a Short URL form for the Autodiscover names. In most cases when you are using Autodiscover, you will want to select Long URL.

Autodiscover URL to use - You will need an autodiscover entry for each accepted domain on your Exchange server.

Example: If you have mydomain.com, mydomain.co.uk and mydomain.net as accepted domains on your Exchange server, then you will need to enter:
autodiscover.mydomain.com,autodiscover.mydomain.co.uk,autodiscover.mydomain.net

Note: Each domain needs to be separated by a comma without any spaces.
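The wizard ultimately produces a certificate request that lists every name from the sections above as a Subject Alternative Name. The following Exchange Management Shell script is an added example, not part of the original article or of Microsoft's documentation; it assembles the same name list (one autodiscover name per accepted domain, the shared external name as the Common Name), generates the request with New-ExchangeCertificate, and checks the issued certificate for missing names. The host names, organization and file path are placeholders.

```powershell
# Added example: build the SAN list the wizard would build, then request the
# certificate. All host names and the output path below are placeholders.

# Names from the Outlook Web App, ActiveSync and Outlook Anywhere sections.
# Using one external name for all three, and making it the Common Name,
# is what the ActiveSync note about older devices relies on.
$externalName = 'mail.contoso.com'
$internalName = 'exch01.corp.contoso.local'   # CAS FQDN, or the load balancer FQDN

# One autodiscover.<domain> (Long URL form) per accepted domain, skipping
# wildcard (*.domain) entries, which cannot be prefixed this way.
$autodiscoverNames = Get-AcceptedDomain |
    Where-Object { "$($_.DomainName)" -notlike '`*.*' } |
    ForEach-Object { "autodiscover.$($_.DomainName)" }

# POP/IMAP names are only needed if those check boxes are selected.
$popImapNames = @()   # for example: 'pop.contoso.com', 'imap.contoso.com'

# Merge, drop empty entries and duplicates (the wizard lists each name once).
$sanList = @($externalName, $internalName) + $autodiscoverNames + $popImapNames |
    Where-Object { $_ } | Select-Object -Unique

# -GenerateRequest returns the Base64 request text; the CN must also be in -DomainName.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$externalName,O=Contoso,C=US" `
    -DomainName $sanList `
    -PrivateKeyExportable $true `
    -FriendlyName 'Contoso Exchange 2010 SAN certificate'
Set-Content -Path 'C:\certreq\exchange.req' -Value $request -Encoding Ascii

# After the issued certificate has been imported, confirm every required name
# is present before assigning services with Enable-ExchangeCertificate.
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "CN=$externalName*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
$missing = $sanList | Where-Object { $certNames -notcontains $_ }
if ($missing) {
    Write-Warning "Issued certificate is missing: $($missing -join ', ')"
} else {
    Write-Output "Certificate $($cert.Thumbprint) covers all $($sanList.Count) names."
}
```

Run the first half before submitting the request to your CA and the second half after importing the issued certificate; a name reported as missing means clients using that name will receive a certificate warning.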

Client Access server (POP/IMAP)



The Client Access server (POP/IMAP) section configures POP and IMAP.

POP/IMAP is used on the Intranet - POP and IMAP clients generally don't use certificates, so this can be left unchecked in normal circumstances.
POP/IMAP is used on the Internet - POP and IMAP clients generally don't use certificates, so this can be left unchecked in normal circumstances.

Note: If either of the POP/IMAP check boxes is selected, you will also need to configure the client application to use the secured connection.

Domain name to use for POP (example: pop.contoso.com) - If either of the POP/IMAP check boxes is selected, enter the host name that POP clients connect to in this field. Example: pop.mydomain.com

Domain name to use for IMAP (example: imap.contoso.com) - If either of the POP/IMAP check boxes is selected, enter the host name that IMAP clients connect to in this field. Example: imap.mydomain.com

Unified Messaging server



The Unified Messaging server section should be configured if you use the Unified Messaging server role.

Self-signed certificate - This should be checked if you are planning on using a self-signed certificate.

Note: You will need to manually distribute a self-signed certificate to each server that must trust it.

Public certificate - This should be checked if you are planning on implementing Unified Messaging with a commercial certificate.

Note: If your Unified Messaging is done using Microsoft Office Communications Server, you must use a public certificate.

Fully qualified domain name (FQDN) of your UM servers - This is the FQDN of your Unified Messaging server.

Hub Transport server



Use mutual TLS to help secure Internet mail - Select this check box if you want to create an encrypted connection between two email servers, with each server authenticating the other by certificate.

FQDN of your connector (in the format server name/forest root/extension) - This is the FQDN of the connector.

Use Hub Transport server for POP/IMAP client submission - Select this check box if you want to secure POP/IMAP.

Note: If you did not configure Client Access server (POP/IMAP) then you should ignore this check box.

FQDN of the connector you use for POP or IMAP (in the format server name/forest root/extension) - This is the FQDN of the connector that you use for POP or IMAP.

Legacy Exchange Server



The Legacy Exchange Server section is generally configured if you are running your Microsoft Exchange 2010 environment alongside a Microsoft Exchange 2003 server.

Use legacy domains - Select this check box if this Exchange server shares mail with an Exchange 2003 server during coexistence. This is not to be confused with a completed migration from a Microsoft Exchange 2003 server, after which the legacy name is no longer needed.

Note: You will need to create a public DNS entry for legacy.mydomain.com.

Domain name to use for legacy servers - Enter in the public DNS entry that you created in the previous note.