Hi, We are transitioning our CAS 2007 to 2010. Inregards to the legacy.domain.com cert that we need to install on exchange 2007, can we use an internal PKI issued cert for that or do we need to get another one from verisign? Does a activesync device actually use that cert for someone who is transitioning 2010 and for someone who is still on 2007?

You will have to get another one. New Server will use new server be OWA, ActiveSync etc. Cheers,Gulab | MCITP: Exchange 2010-2007 | Skype: Gulab.Mallah | Blog: www.ExchangeRanger.Blogspot.com

My question was, can we use a PKI issued one?

Can you yes, but not recommended. Reason being since it's private only domain joined computers have capability of trusting the cert so users using home computers or other outside terminals will have cert warnngs and possibly other issues. Plus you will run into alot of headaches trying to support other services, troubleshooting headaches such as not being able to use testexchangeconnectivity.com, plus if you do forest migrations you also need additional steps when working with private certs as another example. It just shows you to invest in the 3rd party cert.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

Thanks

Hi, Agree with James. If you use an internal Windows PKI issued CA and the client machine is non-client member, you need to install CA root certificate in the client machine. So I suggest you get another one from verisign and it will be trusted automatically by non-domain clients. For more information, you can refer to the article ‘Understanding Digital Certificates and SSL’. Hope this helps. ThanksPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

This is mostly for windows mobile and iphone devices who are already working on exchange 2007 before we start the transition and which we are migratiuong to 2010. That tells me the root cert should already be installed. Am I right?

If you were using internal pki for 2007 then yes root cert would be there.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

Actually we are using commercial cert (not pki) for exchange 2007. Our mangement is asking if we can use a PKI cert for the legacy.domain.com space name and move the commecial one activesync.domain.com to exchange 2010 during the transition without having to buy another commercial cert just for legacy.domain.com.

I am just finishing up with something like this. All I did was add the alternate name of legacy.domain.com to my existing SAN cert. I use DigiCert and they re-issued me my certificate, I applied it to my 2007 box and to my 2010 boxes, made changes in DNS for those record changes and additions needed, updated the various web services external URLs for Exchange 2007 (OWA, OAB, etc...) with the legacy.domain.com and life so far is good. I did originally have a issue with my first certificate they sent me about the intermediate certificate not recognized or something like that, but I ran their repair util and rebooted and that fixed that. I used the www.testexchangeconnectivity.com website to test ActiveSync for users in either mailbox server (2010 users and 2007 users I have yet to migrate over).

What Tanskter did is what most people do. Yes you can swap the legacy cert but you basically run into the same same scenario as your original question.James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

Ok. We will go with another commercial cert since we don't have a san cert to begin with.