Knowledge Base

Exchange 2007 | Multi-Domain Certificate SANs

What Subject Alternate Names (SANs) Should I Include in an Exchange 2007 Certificate?

Be sure to include any names used to access the Exchange 2007 server, but only list external fully qualified domain names (e.g., owa.domain.com).

Note: You can no longer include internal names/reserved IP addresses in your certificates. All publicly trusted SSL Certificates issued to internal names and reserved IP addresses will expire before November 1, 2015. See SSL Certificates for Internal Server Names.

Tips

While we can't specify exactly what to include in your certificate, here are some important points to consider:

• The most important thing to remember is that if you do make a mistake, fixing the problem is simple. All you have to do is reissue the certificate.

  You can do this at any point and can modify your names at no extra cost. Note that adding more names than the base four that come with the certificate only costs what you paid to add them.

• Include only the external fully qualified domain names of your Exchange CAS server(s) (e.g., owa.domain.com).

• If you are using autodiscover, make sure you include an entry for autodiscovery. Note that the autodiscover service uses autodiscover.domain.com by default.

• If you use the same URL for OWA, ActiveSync, or any other service on the Exchange 2007 server and only have one CAS server, you do not need to take any extra steps.

  However, if this is not the case, review the following lines:

  • If you are using different URLs, make sure to include entries for those as well.

  • If you are using more than one CAS server, make sure to include the internal fully qualified domain name of every CAS server that is involved.

Once you know what names you need to use in your certificate, we recommend using our Exchange 2007 CSR Wizard to create your CSR.

Related articles

• Exchange 2007 CSR Wizard
• Exchange 2007 SSL Certificates