Sembee Blog of Exchange MVP Simon Butler

Unified Messaging Requires the Server Name in the SSL Certificate

While researching an article for my main technical site amset.info on how to use a single name SSL certificate with Exchange 2007 (I hinted at that in my blog post from last week, http://blog.sembee.co.uk/archive/2008/05/30/78.aspx), I discovered an annoying little quirk that I think deserves a separate blog posting, as some people may trip over it.
I also mentioned it in that same blog post from last week.

As you may be aware, Exchange 2007 allows you to assign certificates to specific roles and services. It can also generate its own self-signed certificates.

The Unified Messaging role requires an SSL certificate. When you try to assign a certificate to the UM role you may find that, although the command is accepted, UM is not listed when you query the services enabled on that certificate.

Furthermore, if you remove the certificate that is currently assigned to the UM role, Exchange simply recreates it when the Exchange services are restarted: a separate certificate from the main certificate used for the other roles (SMTP, OWA, IMAP, POP3 etc).

The reason for this is quite simple: it would appear that UM will not accept a certificate UNLESS it has the server's real name listed. However, I haven't quite worked out whether it is just the server's NETBIOS name or the FQDN that is required, as the commercial SAN/UC certificate I used had both.

Therefore the names I would recommend including on a SAN/UC certificate are:

mail.example.com (this is the common name; the name that your MX records point to will be used for OWA, POP3/IMAP/SMTP and ActiveSync, and it is also the reverse DNS record on your static IP address)
autodiscover.example.com (self explanatory)
server.example.local (this is the Exchange server's real internal name)
server (this is the Exchange server's NETBIOS name).
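The check described above (assign the certificate, then re-query the services rather than trusting that the command was accepted), written as an added example for the Exchange Management Shell. It is not code from the original post; it assumes Exchange 2007's Get-ExchangeCertificate and Enable-ExchangeCertificate cmdlets, that it runs on the Exchange server itself, and that the thumbprint is a placeholder you replace with your own SAN/UC certificate's thumbprint.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on the Exchange 2007 server. The thumbprint below is a placeholder.
$Thumbprint = '<THUMBPRINT-OF-YOUR-SAN-UC-CERTIFICATE>'

# The names UM appears to insist on: the server's NETBIOS name and its internal FQDN.
$NetBiosName = $env:COMPUTERNAME
$Fqdn        = [System.Net.Dns]::GetHostEntry($NetBiosName).HostName

$Cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if ($Cert -eq $null) { throw "No certificate with thumbprint $Thumbprint was found." }

# CertificateDomains lists the common name plus every SAN entry on the certificate.
$Domains = @($Cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
Write-Host "Names on certificate: $($Domains -join ', ')"

# Report which of the server's own names are absent before touching the UM binding.
$Missing = @($NetBiosName, $Fqdn) | Where-Object { $Domains -notcontains $_.ToLower() }
if ($Missing.Count -gt 0) {
    Write-Warning "Certificate lacks the server's own name(s): $($Missing -join ', ')."
    Write-Warning "Enable-ExchangeCertificate would be accepted, but UM would not use it."
    return
}

# Assign the certificate to UM, then re-query: the command succeeding proves nothing.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services 'UM'
$After = Get-ExchangeCertificate -Thumbprint $Thumbprint
if ("$($After.Services)" -match 'UM') {
    Write-Host "UM is now listed on certificate $Thumbprint."
} else {
    Write-Warning "UM is still not listed on $Thumbprint (Services: $($After.Services))."
}
```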

"mail.example.com" is the primary name, so that it is the name shown on the certificate if a user clicks on it, and so that anything external connecting to the server without support for SAN/UC certificates still sees the correct name.

SAN (Subject Alternative Name) / UC (Unified Communications) certificates are available from US$60 (at the time of writing) from http://DomainsForExchange.net/
