Exchange 2007 CERT - SAN
I've seen questions on this around, but they address a building-new perspective. I have an E2K7 environment with 2 CAS servers; one is actually a backup at this point, as OWA points to one, no round robin or load balancing. So I've been looking at changing this. Round robin DNS is pretty straightforward; I don't think I have any issues setting that up. But while testing I quickly realized that my certificate setup needs some configuration changes. I have CAS1 and CAS2. Currently everything points to CAS1. My question is this: how can I configure an SSL cert on CAS2 without messing with the configuration of CAS1? Do I need to reconfigure the cert on CAS1? Equifax is the 3rd party issuer; I'm not sure Equifax does the SAN cert, how do I verify this? Will the PowerShell Get-ExchangeCertificate command give me SAN information? Thanks!
February 11th, 2011 11:24am

Get-ExchangeCertificate | fl will show you the current certificate. For most issuers you will need to get a new certificate, because they will not allow two certificates to be issued with the same name. As you need to have autodiscover in both certificates (if you were to use two), that isn't going to work. Alas, that normally means the certificate has to be revoked or re-keyed, so downtime is going to occur. You will need to create a new certificate request on one of the servers, which includes both names; then, once the installation is done, export it and import it on to the second server. Simon. Simon Butler, Exchange MVP
February 11th, 2011 2:13pm
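The request-once, then export-and-import sequence described in the answer above, written out as Exchange 2007 Management Shell commands. This is an added example; it is not code from the thread or from Microsoft documentation. The host names (owa.domain.com, autodiscover.domain.com and the internal cas1/cas2.domain.local names), the file paths, the organisation in the subject and the services list are assumptions; include the internal names only if clients or other servers actually connect to the CAS by them. Note that the CertificateDomains property of Get-ExchangeCertificate is where the SAN entries appear, which answers the original question about SAN information, and that a fresh request is the right moment to move from the 1024-bit key on the existing certificate to 2048 bits.

```powershell
# Added example: one SAN/UCC certificate shared by two Exchange 2007 CAS servers.
# Assumed names: owa.domain.com, autodiscover.domain.com, cas1/cas2.domain.local.
# Steps 1-5 run in the Exchange Management Shell on CAS1; step 6 runs on CAS2.

# 1. Inspect what each CAS has now. CertificateDomains lists the SAN entries.
Get-ExchangeCertificate | Format-List Subject, CertificateDomains, IsSelfSigned, Issuer, `
    NotBefore, NotAfter, PublicKeySize, Services, Thumbprint

# 2. On CAS1: generate ONE request carrying every name both servers will answer to.
#    -PrivateKeyExportable $true is essential; without it the key cannot be moved to CAS2.
#    The CN must also appear in -DomainName. KeySize 2048 replaces the old 1024-bit key.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=US, O=Contoso, CN=owa.domain.com" `
    -DomainName owa.domain.com, autodiscover.domain.com, cas1.domain.local, cas2.domain.local `
    -KeySize 2048 `
    -PrivateKeyExportable $true `
    -Path C:\certs\owa-san-request.req

# 3. Submit C:\certs\owa-san-request.req to the CA (commercial or internal), save the
#    issued certificate as C:\certs\owa-san.cer, then import it on CAS1.
$cert = Import-ExchangeCertificate -Path C:\certs\owa-san.cer
$cert | Format-List Subject, CertificateDomains, Thumbprint

# 4. Bind it to the services. The old certificate stops serving OWA at this point,
#    so this is the step to schedule in a maintenance window.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS, POP, IMAP"

# 5. Export the certificate WITH its private key to a password-protected PFX.
$pfxPassword = Read-Host "PFX password" -AsSecureString
Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true `
    -Path C:\certs\owa-san.pfx -Password $pfxPassword

# 6. Copy owa-san.pfx to CAS2 and, in CAS2's Exchange Management Shell, import and enable it.
#    The password is re-entered here because this is a separate shell on a separate server.
$pfxPassword = Read-Host "PFX password" -AsSecureString
$cert2 = Import-ExchangeCertificate -Path C:\certs\owa-san.pfx -Password $pfxPassword
Enable-ExchangeCertificate -Thumbprint $cert2.Thumbprint -Services "IIS, POP, IMAP"

# 7. On each server, confirm the same thumbprint and SAN list is now bound to IIS.
Get-ExchangeCertificate -DomainName owa.domain.com | Format-List CertificateDomains, Services, Thumbprint
```

Delete the PFX file from both servers (and any copy used to transfer it) once step 6 is done, since it contains the private key; keep only the password-protected backup you would need to rebuild a CAS.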

Ok, I have a different setup than I thought. I have recently taken over this Exchange system and I just assumed that the cert was a standard SSL. The existing, main CAS does have a SAN cert, so in this case I should be able to just add a cert on the other CAS, right?
February 14th, 2011 9:23am

You may not be able to get a certificate issued, for the reasons I have given above about the name restrictions. Therefore you would need a new certificate to cover both servers. You will need to speak to your certificate provider about the options available. Simon. Simon Butler, Exchange MVP
February 14th, 2011 12:56pm

Simon, I appreciate your help and patience; maybe you've given me the answer I need and I just don't know it. We have an internal CA, not self-signed, but that is the extent of my current knowledge of our issuing certificates. When I run Get-ExchangeCertificate on one of the CAS servers all I get is the self-signed certificate. When I run this on the main CAS I get: Services: IP.W, CN=owa.domain.com, OU=Domain Control Validated – Power Server ID<TM>, OU=See www.geo.... Can you tell me anything more specific based on this?
February 14th, 2011 3:23pm

I don't use internal CAs, and never have done, so I am not sure what to suggest to you. Exchange puts a self-signed certificate in during the install. As you are using an internal CA, you may well be able to just create a new certificate request, but you will need to look elsewhere or see if someone else posts on the question, as I have no idea how you go about that. Simon. Simon Butler, Exchange MVP
February 14th, 2011 3:27pm

Thanks for the info! For anyone else reading, I didn't pipe Get-ExchangeCertificate before; here is more info.

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {owa.domain.com, owa, autodiscover.domain.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : OU=Equifax Secure Certificate Authority, O=Equifax, C=US
NotAfter           : 1/17/2012 11:57:53 AM
NotBefore          : 10/17/2008 11:57:53 AM
PublicKeySize      : 1024
RootCAType         : ThirdParty
SerialNumber       : Serialnumber
Services           : IMAP, POP, IIS
Status             : Valid
Subject            : CN=owa.domain.com, OU=Domain Control Validated, OU=See www.geotrust.com/resources/cps (c)08, OU=G T99372815, O=owa.domain.com, C=US
Thumbprint         : Thumbprint
February 14th, 2011 3:42pm

That isn't a self-signed certificate but a commercial one, so my previous point applies. Simon. Simon Butler, Exchange MVP
February 14th, 2011 6:17pm

Hi The_Messenger, any updates?

Frank Wang, TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
February 16th, 2011 3:47am

Thanks, Sembee gave me the answer that I need. When I started looking at this I thought my predecessor had just left out some settings, maybe because 1 CAS had been sufficient. So I thought I could just configure it correctly to get the 2nd CAS to share the load and be available if the first one is restarted or goes down. While the info Sembee offered isn't what I was hoping for :) I was wanting to take steps as though I had done the first part of the process, installing the UCC/SAN on the first server, and now "finish" by requesting / installing the cert on the 2nd server. I think this is the answer that I need. Since the right process will require a new cert, and with that there is a possibility of breaking OWA, I will need to schedule this at a future date.
February 21st, 2011 11:44am
