New Exchange 2010 installation. HUB and CAS on two separate servers, need two certificates?
Title says it all. I have already completed the Exchange server installation with 2010 R1 on 2008 R2 SP1 servers in Hyper-V. I have two physical servers in one rack. HVHost1 holds EXCHHUB and EXCHMB1; HVHOST2 holds EXCHCAS and EXCHMB2. Do I have to generate and request two separate SAN certificates, one for the CAS and one for the HUB, or will one certificate do the trick? If I can use one certificate, do I need to do anything special to apply it to both servers or just let the wizard do its thing? Thanks,
May 5th, 2011 6:49pm

It depends what type of cert you are using. But on two separate servers you need two certs, as they are CAS and HT.
Gulab | MCTS-MCITP Messaging: 2010 | MCTS-MCITP Messaging: 2007 | MCC 2011 | Skype: Gulab.Mallah
May 5th, 2011 7:00pm

1. If it's a self-signed cert then you need one each.
2. If you want to secure services such as OWA/OA/ActiveSync, then you are better off getting a SAN or wildcard cert to cover your namespace, which will include both of your servers.
3. Use a wildcard if you want one, let the wizard do its thing, and don't forget to assign the cert to the services SMTP, IIS.
Sukh
May 5th, 2011 7:10pm

Thanks, and sorry if I didn't clarify: the cert I have ordered is a UCC SAN certificate from GoDaddy with up to 5 names. I have generated the certificate with the internal and external FQDNs, but when I ran the wizard from the EMC, I did it with the CAS server selected. If the Hub Transport server is using the SMTP service, can I use the same certificate that will be installed on the CAS for it? Or do I have to generate another certificate request from the Hub Transport server and purchase a new certificate for it?
May 5th, 2011 7:37pm

If you have UCC SAN then it should be fine.
Gulab | MCTS-MCITP Messaging: 2010 | MCTS-MCITP Messaging: 2007 | MCC 2011 | Skype: Gulab.Mallah
May 5th, 2011 7:40pm

1. Yes, that will be fine. That's the beauty of SAN certs.
Sukh
May 5th, 2011 8:07pm

What will be fine? Do I need to install the certificate on both servers? Or just leave the one certificate on the CAS server and the hub transport server will magically figure out how to use it from the CAS server?
May 5th, 2011 8:57pm

Yeah
Gulab | MCTS-MCITP Messaging: 2010 | MCTS-MCITP Messaging: 2007 | MCC 2011 | Skype: Gulab.Mallah
May 5th, 2011 9:02pm

You need to install on both.
May 5th, 2011 9:02pm

OK, thank you! So how do I install on the Hub? I have it installed successfully on the CAS server, but I generated the key from there and just did the "complete pending request". I won't have that option on the hub transport server since it was not generated from there.
May 5th, 2011 9:14pm

Are you going to be doing TLS connections from the HUB? If the certificate is only for EWS (Anywhere, Autodiscover, OWA, etc) then it's only required on the CAS (HVHOST2).
May 5th, 2011 9:24pm

I don't guess so. So just using the self-signed certificate with the SMTP services on the HUB will be sufficient?
May 5th, 2011 9:32pm

It sure will. You really only need a certificate on the HUBs if you're doing TLS or encrypted SMTP sessions between HUBs and an Edge server, for instance; it's not needed unless you are doing one of the above, and a self-signed is usually sufficient. If your requirement is just Client Access based (Anywhere, Autodiscover, OWA, etc), there is no need to install a certificate on the HUBs.
May 5th, 2011 10:09pm

Yes, this will be for internal communication, but no harm doing it for TLS. May as well secure your communication if opportunistic is available, but not required to do so.
May 5th, 2011 10:11pm

When you install the HUB role, self-signed certificates are automatically installed and SMTP traffic between AD sites is encrypted. Unless TLS is a requirement, which doesn't appear to be the case, no additional certificate is required on the HUBs.
May 5th, 2011 10:35pm

Requirement here is not needed. So can do the above. However, just a consideration: why not, if you've paid for it, use it. Not going to cost any more. Something to offer your external clients, only a few cmdlets. Would be nice to use TLS. Choice is all yours.
Sukh.
May 5th, 2011 10:43pm

Per Microsoft: "In earlier versions of Exchange, you had to configure TLS manually. In addition, you had to install a valid certificate, suitable for TLS usage, on the server running Exchange. In Exchange 2010, Setup creates a self-signed certificate. By default, TLS is enabled. This enables any sending system to encrypt the inbound SMTP session to Exchange. By default, Exchange 2010 also attempts TLS for all remote connections." You're good!
May 5th, 2011 11:16pm
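
The thread never answers how to get the UCC certificate, whose request was completed on EXCHCAS, onto EXCHHUB. One way to do it with the Exchange 2010 certificate cmdlets, as an added example that is not from any poster: export the certificate with its private key on the CAS, import it on the Hub, and bind it to SMTP only. The thumbprint, file path and password prompt are placeholders.

```powershell
# Added example, not from the thread. Placeholder values are marked.
# ---- Part 1: Exchange Management Shell on EXCHCAS (where the request was completed) ----
$Thumbprint = '<THUMBPRINT-OF-UCC-CERT>'     # placeholder; list with Get-ExchangeCertificate
$PfxPath    = 'C:\Temp\ucc-export.pfx'       # hypothetical path
$PfxPass    = (Get-Credential).Password      # any user name; only the password is used

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $cert.HasPrivateKey) {
    throw 'No private key on this server; complete the pending request here first.'
}
# Export certificate plus private key as a password-protected PFX
$export = Export-ExchangeCertificate -Thumbprint $Thumbprint -BinaryEncoded:$true -Password $PfxPass
Set-Content -Path $PfxPath -Value $export.FileData -Encoding Byte
# Copy the PFX to EXCHHUB over a trusted channel, then delete it here:
# Remove-Item $PfxPath

# ---- Part 2: Exchange Management Shell on EXCHHUB ----
$PfxPath  = 'C:\Temp\ucc-export.pfx'         # hypothetical path of the copied file
$PfxPass  = (Get-Credential).Password        # same password as in Part 1
$bytes    = [Byte[]]$(Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -FileData $bytes -Password $PfxPass

# The certificate names should include the name SMTP peers use for this server.
# Exact-match check only; a wildcard certificate would need a pattern comparison.
$hubFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$names   = $imported.CertificateDomains | ForEach-Object { $_.ToString() }
if ($names -notcontains $hubFqdn) {
    Write-Warning "$hubFqdn is not among the certificate names: $($names -join ', ')"
}

# Bind to SMTP only; IIS services stay on the CAS. The cmdlet may ask whether to
# replace the default SMTP certificate; the self-signed one remains installed.
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services SMTP

# Confirm which certificate now carries the SMTP service, then remove the PFX
Get-ExchangeCertificate | Format-List Thumbprint, Services, CertificateDomains, NotAfter, IsSelfSigned
Remove-Item $PfxPath                         # the file holds the private key
```

The PFX contains the private key for every name on the certificate, so it should exist on disk only for as long as the transfer takes.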

This topic is archived. No further replies will be accepted.
