Wildcard SSL Certificates with Exchange 2010?

Solution 1:

Certs and Exchange 2010 are a headache from what I've seen so far.

We have 2010 in the lab right now and think we will be able to get away with a wildcard SSL cert for device access from the internet, and then an Enterprise CA signed machine cert (Issued by ADCS), for each 2010 server for internal access.

We are using TMG 2010 as an edge transport server, so the SSL cert will sit on there, then the connection between TMG and Ex2010 CAS will be inside the domain, so secured by the Enterprise CA.

Only got this working this morning, but I think that will work. If your CAS is handling connections from the internet then ymmv. I'll be watching this question though!

Solution 2:

Wildcards and UC certificates were meant to accomplish 2 different things. If you have multiple domains and you are using Exchange server, then UC certificates are the way to go. If you only have differing subdomains, then wildcards will work, but this is the exception. Most of our clients at ssl.com have a number of domain names including internal server names, so UC (or SAN) certificates are the most commonly chosen ones. Also note that you can embed wildcards in a UCC if you need the flexibility of both.

As for the value of each type, each customer must derive that for themselves. Where one customer may think it's a ripoff, another may find that it saves countless hours in SSL management time. You decide.

Solution 3:

The only real issue we've had so far is with certain Outlook clients. We basically had to add a setting to specify the cert and it worked:

http://technet.microsoft.com/en-us/library/cc535023(EXCHG.80).aspx

It seems that autodiscover would set the cert name to blah.domain.com and Outlook complains since it doesn't match *.domain.com. If you set the above in the Outlook client manually, it goes through. Note - we have not completed our migration yet from Exch 2003 so we might run into more issues. This is the only one so far though.
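A small coverage check for the wildcard-versus-UC question raised in Solutions 2 and 3, added here as an illustration and not part of any answer: it applies the usual wildcard-matching rule (the `*` stands for exactly one leftmost label) to a constructed list of Exchange hostnames and reports which names a `*.example.com` wildcard leaves uncovered, and so would need explicit SAN entries on a UC certificate. All hostnames and SAN lists below are made-up assumptions.

```python
# Constructed sample data (hypothetical names): the SANs a wildcard cert and a
# UC/SAN cert might carry, and the Exchange hostnames clients will connect to.
WILDCARD_CERT_SANS = ["*.example.com"]
UC_CERT_SANS = ["mail.example.com", "autodiscover.example.com",
                "exch01.corp.example.local", "*.example.com"]
EXCHANGE_HOSTNAMES = ["mail.example.com", "autodiscover.example.com",
                      "example.com",                 # bare domain: not covered by *.example.com
                      "owa.mail.example.com",        # two labels deep: not covered either
                      "exch01.corp.example.local"]   # internal name in a different zone


def san_matches(san: str, hostname: str) -> bool:
    """Match one SAN entry against a hostname using the wildcard rules browsers
    and most TLS clients apply: the '*' must be the whole leftmost label and it
    matches exactly one label, so it never covers the bare domain or a deeper
    subdomain. Comparison is case-insensitive; a trailing dot is ignored."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels, host_labels = san.split("."), hostname.split(".")
    # Reject partial wildcards (m*.example.com) and wildcards past the first label.
    if san_labels[0] != "*" or "*" in san[2:]:
        return False
    # The label counts must agree because '*' cannot span a dot.
    if len(san_labels) != len(host_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def uncovered_names(sans, hostnames):
    """Return the hostnames that no SAN on the certificate matches."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    for label, sans in (("wildcard cert", WILDCARD_CERT_SANS), ("UC cert", UC_CERT_SANS)):
        print(f"{label}: uncovered = {uncovered_names(sans, EXCHANGE_HOSTNAMES)}")
```

Names that appear in the uncovered list are the ones that would trigger the name-mismatch warning described in Solution 3 unless they are added as explicit SANs.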