Sunday, December 26, 2010

Intro to Exchange 2007 & SSL Certificates

[Written in December 2008. Not sure why I didn't post it back then. Found in my drafts.]

Ehlo All,

SSL Certificates (aka SSL certs, certs) are complicated. Exchange is complicated. Quick story... during my research, I read about a Microsoft employee (an Exchange admin) who thought a bug existed with an SSL cert vendor's special "Exchange 2007" cert. So he contacted an Exchange Team PM about the issue, and it turned out he hadn't properly configured the Exchange SSL cert generation. Moral of the story: put SSL certs & Exchange 2007 together and it can be a real challenge. So, I recommend you read this intro if you're considering or even already using Exchange 2007 & real SSL certs, especially since many things have changed.

First, the good news with Exchange 2007. Microsoft now includes self-signed certs on install. So, you're secure out of the box. Meaning, everything is encrypted, but you'll get errors each time you access an SSL-protected site with it. So, you'll want to fix this.

Well, everything you know about Exchange 2003 SSL certificates can be thrown out, or that's what I've learned so far. You can use wildcard SSL certs, but you'll run into issues in the future (Outlook auto-discovery has issues, Windows Mobile 5 has issues, etc), so I would recommend you embrace the new SSL cert that Microsoft wants you to use OR learn about a special DNS configuration that lets you avoid this (thanks to a MS June 07 update for Outlook 2007).

As for the new certs, the best description I've found is DigiCert's (I liked their explanation & enhanced it some):

Exchange 2007 Certificates Definition
The new SSL certificates are called Unified Communications Certificates (aka UC Certificates, UCC Certificates, or SAN certificates) which give you full control of the Subject Alternative Name field so you can secure as few or as many host names as you like with just one SSL certificate. These are NOT wildcard certs since they secure specific hostnames you define within this one cert. Wildcard certs secure any subdomain (e.g. *, while UCC certs secure (,,, exchsrv.mydomain.local, etc).
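To make the two points above concrete (the self-signed cert you get at install, and the SAN list a UCC cert carries), here is an added Exchange Management Shell example; it is not from the original post. The example.com hostnames, the organization name, the file paths and the "C:\certs" folder are assumptions; exchsrv.mydomain.local is the internal name the post itself uses. The cmdlets and parameters are the Exchange 2007 ones (Import-ExchangeCertificate -Path and New-ExchangeCertificate -Path changed in Exchange 2010).

```powershell
# Added example (not from the original post): request, import and enable a
# UCC/SAN certificate on an Exchange 2007 Client Access server.
# Hostnames, organization, paths: assumptions; substitute your own values.

# 1. Show the self-signed certificate Exchange created at install time.
#    It is the one browsers, Outlook and mobile clients warn about.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, IsSelfSigned

# 2. Every name a client will ever connect with goes into the SAN list:
#    the external name, the autodiscover name and the internal FQDN.
$sanNames = @(
    "mail.example.com",          # external OWA / ActiveSync / Outlook Anywhere name (assumed)
    "autodiscover.example.com",  # name Outlook 2007 tries for autodiscover (assumed)
    "exchsrv.mydomain.local"     # internal FQDN, as in the post's own example
)

# 3. Generate the request (CSR). The CN in -SubjectName should also appear in
#    -DomainName; -PrivateKeyExportable lets you copy the cert to a second CAS.
New-ExchangeCertificate -GenerateRequest `
    -Path "C:\certs\exchange-ucc.req" `
    -SubjectName "C=US, O=Example Corp, CN=mail.example.com" `
    -DomainName $sanNames `
    -PrivateKeyExportable $true `
    -KeySize 2048
# Submit C:\certs\exchange-ucc.req to the UCC vendor; they return a signed .cer file.

# 4. Import the signed certificate and bind it to the services that use TLS.
$cert = Import-ExchangeCertificate -Path "C:\certs\exchange-ucc.cer"
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# 5. Confirm the enabled certificate covers every name in $sanNames.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Select-Object Thumbprint, Services, CertificateDomains
```

Step 5 is the check worth keeping: a cert whose CertificateDomains list is missing a name clients actually use is exactly the misconfiguration the story at the top of the post describes, and it shows up as certificate warnings rather than as an Exchange error.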

Microsoft's Recommended List of UCC Cert Providers as of 12/08
Comodo -
DigiCert -
Entrust -

Special DNS Configuration to Avoid UCC Certs
So, you decided you didn't want to spend about $250-300 on a UCC cert for one year. I can understand. There is another option I hinted at above that relates to a June 2007 Outlook 2007 update, which added a special feature to avoid the need for a UCC cert for autodiscovery or complex admin configuration. It involves setting a special DNS record to get around this. The DNS record is an SRV record. Once you have this SRV record set, the Exchange 2007 server's external and internal URLs need to be this one server as identified in the SRV DNS record.
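The SRV alternative, as an added example that is not part of the original post. The zone example.com, the DNS server name dns01.example.com, the host name mail.example.com and the Client Access server name EXCHSRV are assumptions. The record name _autodiscover._tcp.<domain> with port 443 is the one the Outlook 2007 autodiscover lookup uses; the virtual-directory cmdlets are the Exchange 2007 ones.

```powershell
# Added example (not from the original post): publish the autodiscover SRV
# record, verify it, then point every client URL at that single host name
# so the one (non-SAN) certificate on the server matches what clients see.
# Zone, server and host names are assumptions.

# 1. On the DNS server authoritative for the zone clients query, add:
#    _autodiscover._tcp.example.com  SRV  priority 0, weight 0, port 443 -> mail.example.com
dnscmd dns01.example.com /RecordAdd example.com _autodiscover._tcp SRV 0 0 443 mail.example.com

# 2. Check the record from a client's point of view.
nslookup -type=SRV _autodiscover._tcp.example.com

# 3. Internal and external URLs all use the SRV target name, nothing else.
$cas = "EXCHSRV"                 # Client Access server (assumed)
$url = "https://mail.example.com" # must equal the cert's CN and the SRV target

Set-ClientAccessServer -Identity $cas `
    -AutoDiscoverServiceInternalUri "$url/Autodiscover/Autodiscover.xml"

Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -InternalUrl "$url/EWS/Exchange.asmx" -ExternalUrl "$url/EWS/Exchange.asmx"

Set-OABVirtualDirectory -Identity "$cas\OAB (Default Web Site)" `
    -InternalUrl "$url/OAB" -ExternalUrl "$url/OAB"

Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -InternalUrl "$url/owa" -ExternalUrl "$url/owa"

Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$url/Microsoft-Server-ActiveSync" `
    -ExternalUrl "$url/Microsoft-Server-ActiveSync"

# 4. Verify nothing still advertises the internal FQDN or another name.
Get-ClientAccessServer -Identity $cas | Format-List AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $cas | Format-List InternalUrl, ExternalUrl
Get-OABVirtualDirectory -Server $cas | Format-List InternalUrl, ExternalUrl
```

The verification step matters because a single leftover URL on the internal FQDN (the kind of name only a SAN cert could cover) is enough to bring back the certificate warnings the SRV approach is meant to avoid.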

Learn more about this in the Microsoft white paper on Auto-Discovery in Exchange & Outlook 2007.

MS Article on how to setup DNS SRV record for auto-discovery functionality
MS KB article about auto-discovery issues and fixes
