Microsoft Exchange and Blackberry Server Specialists


Microsoft Exchange Server and Blackberry Enterprise Server news, views and fixes.

Exchange 2007 with a Single Name SSL Certificate

I hinted in my Exchange 2007 SAN certificate posting that I had written an article on how to set up Exchange 2007 with a single name certificate. After cleaning it up I have now published the article. However, it isn't here, as it contains screenshots which the blog seems to struggle with; you will find it on my company technical site:

Do note that if you are using Unified Messaging you cannot use a single name certificate. Also note the hard requirements: SRV record support at your public DNS provider (i.e. your domain name registrar) and Outlook 2007 SP1 on the clients.

Unified Messaging Requires the Server Name in the SSL Certificate

While researching an article for my main technical site on how to use a single name SSL certificate with Exchange 2007 (I hinted at that in my blog post from last week), I discovered an annoying little quirk that I think deserves a separate blog posting, as some people may trip over it.
I also mentioned it in that blog post from last week.

As you may be aware, Exchange 2007 allows you to assign certificates to specific roles and services. It can also generate its own self-signed certificates.

The Unified Messaging role requires an SSL certificate. When you try to assign a certificate to the UM role you might find that, although the command is accepted without error, UM is not listed when you query the services enabled on that certificate.

Furthermore, if you remove the certificate that is currently assigned to the UM role, Exchange simply recreates it when you restart the Exchange services: a separate certificate from the main certificate used by the other roles (SMTP, OWA, IMAP, POP3 etc.).

The reason for this is quite simple. It would appear that UM will not accept a certificate UNLESS it lists the server's real name. However, I haven't quite worked out whether it is just the server's NETBIOS name or the FQDN that is required, as the commercial SAN/UC certificate I used had both.

Therefore the names I would recommend including in a SAN/UC certificate are:
(this is the common name: the name that your MX records point to, which will be used for OWA, POP3/IMAP/SMTP and ActiveSync, and which is also the reverse DNS record on your static IP address)
(self explanatory)
server.example.local (this is the Exchange server's real internal name)
server (this is the Exchange server's NETBIOS name).

The common name is the primary name, so that it is what appears on the certificate if a user clicks on it, and so that anything external connecting to the server without support for SAN/UC certificates still sees a matching name.
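The two procedures above, generating the request with all four names and then checking that UM actually accepted the certificate, as an added Exchange Management Shell example (this is not code from the original post). It assumes Exchange 2007 SP1's New-ExchangeCertificate, Get-ExchangeCertificate and Enable-ExchangeCertificate cmdlets with the parameters shown; the public names mail.example.com and autodiscover.example.com and the organisation details are placeholders to replace with your own, while the server's FQDN and NETBIOS name are read from the machine itself:

```powershell
# Added example for the Exchange 2007 Management Shell; not from the original post.
# Placeholders: the public names and the O= / C= values below are constructed.
$netbios = $env:COMPUTERNAME
$fqdn    = [System.Net.Dns]::GetHostEntry($netbios).HostName   # e.g. server.example.local

# Step 1: request a SAN/UC certificate carrying all four recommended names.
# The common name (CN and first DomainName) is the public name your MX record points to.
$commonName = 'mail.example.com'          # placeholder
$autodisc   = 'autodiscover.example.com'  # placeholder
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$commonName, O=Example Org, C=GB" `
    -DomainName $commonName, $autodisc, $fqdn, $netbios `
    -PrivateKeyExportable $true `
    -Path 'C:\certreq.txt'

# Step 2 (after the CA has issued the certificate and it has been imported with
# Import-ExchangeCertificate): only enable UM on a certificate that carries one of the
# server's own names, because UM silently ignores the assignment otherwise.
function Enable-UMCertificate {
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    $cert    = Get-ExchangeCertificate -Thumbprint $Thumbprint
    $domains = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }

    $hasFqdn    = $domains -contains $fqdn.ToLower()
    $hasNetbios = $domains -contains $netbios.ToLower()
    if (-not ($hasFqdn -or $hasNetbios)) {
        Write-Warning "Certificate $Thumbprint carries neither $fqdn nor $netbios; UM will not accept it."
        return $false
    }

    Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services 'IIS, SMTP, POP, IMAP, UM'

    # The cmdlet reports no error even when UM was not applied, so re-query the Services list.
    $after = Get-ExchangeCertificate -Thumbprint $Thumbprint
    if ($after.Services -match 'UM') {
        Write-Host "UM is now enabled on certificate $Thumbprint"
        return $true
    }
    Write-Warning "UM is still not listed on $Thumbprint; check the names in the certificate."
    return $false
}

# Review every certificate with its services: the self-signed one Exchange recreates for UM
# shows up here with IsSelfSigned = True and Services containing UM.
Get-ExchangeCertificate | Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned
```

Call Enable-UMCertificate with the thumbprint shown by Get-ExchangeCertificate after the import. If it returns $false with the first warning, the request was generated without the server's internal names and a new request is needed; if it returns $false with the second warning, the UM service has not picked up the change yet and restarting the Microsoft Exchange Unified Messaging service before re-checking is the next step.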

SAN (Subject Alternative Name) / UC (Unified Communications) certificates are available from US$60 (at the time of writing) from