Creating SSL CSR
Hi all, I've just looked at the 2010 create certificate option in EMC. My word, it's a minefield! I am applying for an SSL with up to 24 SANs but I am now worried that I might not get the right domains/DNS name in the right places in each section. I've only used a single SSL before. I presume I just use common sense for all of the options and that I need to enable them all, especially the legacy ones. Do I need to put the DNS external and local names in as the examples suggest? TIA M
May 18th, 2011 10:20am

Exchange 2010 SP1 has a nice wizard now, but I still prefer to use the Shell. 24 SANs?! That's a lot! Are you sure you need that many? I can't speak to the examples you are talking about. In general, here's the way I prefer to do certificates. I very much prefer to deploy TMG or ISA in the DMZ for external publishing purposes. On the TMG/ISA server, I get a certificate that has just the required minimum SANs, webmail, autodiscover, and legacy if coexistence with Exchange 2003 is required. On the Exchange CAS, I'll create a certificate from the internal CA (building one if the customer doesn't have one) that has the following SANs:

webmail.domain.com
webmail
CAS1.domain.com
CAS1
CAS2.domain.com
CAS2
<and so on>
autodiscover.domain.com

I'll add any other names that might be required, for example, if there's a temporary URL like exchange.domain.com or outlook.domain.com for use during coexistence.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
May 18th, 2011 11:07am
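
For readers who want to generate the request from the Shell rather than the wizard, here is an added example (not code from any poster in this thread) that builds the SAN list described in the post above, creates the request, and then reads the names back out of the request file so they can be checked before it is submitted. The CAS host names, subject name and file path are assumptions; run it in the Exchange 2010 Management Shell.

```powershell
# Added example for the Exchange 2010 Management Shell; not from the original thread.
# Assumptions: the CAS host names, subject name and file path below are placeholders.
$domain   = 'domain.com'
$casHosts = 'CAS1', 'CAS2'
$reqPath  = 'C:\Temp\cas-internal.req'   # hypothetical path

# Build the SAN list from the post: namespace names plus FQDN and short name per CAS.
$names = @("webmail.$domain", 'webmail', "autodiscover.$domain")
foreach ($h in $casHosts) { $names += "$h.$domain", $h }
$names = $names | ForEach-Object { $_.ToLower() } | Select-Object -Unique

# Generate the request; the private key stays on this server with the pending request.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "cn=webmail.$domain" `
    -DomainName $names `
    -PrivateKeyExportable $true
Set-Content -Path $reqPath -Value $req

# Read the SANs back out of the request file and compare them with the intended list.
$inCsr = certutil -dump $reqPath |
    Select-String -Pattern 'DNS Name=(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim().ToLower() } |
    Select-Object -Unique

$diff = Compare-Object -ReferenceObject $names -DifferenceObject $inCsr
if ($diff) {
    # '<=' means the name is missing from the request, '=>' means it was not intended.
    $diff | Format-Table InputObject, SideIndicator -AutoSize
} else {
    "All $($names.Count) names are present in $reqPath"
}
```
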

The wizard is simply asking you questions about the host names involved. Whether you get the host names in the right order/places doesn't really matter. If you wish you can just go to the last screen on the wizard and then enter each one there. The wizard always puts in example.com (i.e. the root of the domain) which I think is unnecessary, so can be removed. What I would suggest is that you simply go through the wizard, put in some information and see how it completes. It does no harm, as SSL is a two-stage process. Then you can remove the pending request and do it again.
Simon.
Simon Butler, Exchange MVP
May 18th, 2011 11:49am

We use a GoDaddy SAN cert with 10 SANs. Your Exchange server doesn't really care what SANs are used, as long as when users access it, it matches the URL. All I did was use my primary cert name for the CSR, and then used whatever cert provider to add the SANs once the cert was created (don't forget your .local name or you will run into issues with encryption on the local network) and installed it. It worked like a gem and I can now go back into my cert provider's management panel and add SANs as I create new DNS entries without having to create a new CSR with the new names.
dave
May 18th, 2011 1:05pm

This topic is archived. No further replies will be accepted.
