OWA 2013 integration with Office web apps & Lync 2013

Currently we're in a co-existence environment with Exchange 2010/2013 while DNS is still pointing to Exchange 2010. I have applied a public CA certificate to Exchange 2013 while using an internal CA for Office Web Apps and Lync 2013. I have tested internally by changing the hosts file to connect to Exchange 2013 and everything is working for internal users. But I have no idea what the behavior will be when we switch over to Exchange 2013, especially for external users:

Exchange/owa          --> public certificate

Office web apps/Lync --> internal CA certificate

1. Since I'm using an internal CA for Office Web Apps/Lync 2013, is there any problem when external users browse OWA 2013? Will the integration work in this kind of scenario?

2. Can I use a different public cert for Exchange and OWA/Lync? For example, my Exchange using GoDaddy while Office Web Apps/Lync will use DigiCert? Will it work?

May 10th, 2015 9:06pm

Hi 

You can use a different public certificate for OWA/Lync and a different one for the Office Web Apps server, and that would be the best approach.

Certificates used by Office Web Apps Server need to meet the following requirements:

The certificate must come from a trusted Certificate Authority and include the fully qualified domain name (FQDN) of your Office Web Apps Server farm in the SAN (Subject Alternative Name) field. (If the FQDN is not in the SAN when you try to use the certificate, the browser will either show security warnings or won't process the response.)

The certificate must have an exportable private key. On single-server farms, this option is selected by default when you use the Internet Information Services (IIS) Manager snap-in to import the certificate.

The Friendly name field must be unique within the Trusted Root Certificate Authorities store. If you have multiple certificates that share a Friendly Name field, farm creation will fail because the New-OfficeWebAppsFarm cmdlet won't know which of those certificates to use.

The FQDN in the SAN field can't begin with an asterisk (*).

Office Web Apps Server doesn't require any special certificate properties or extensions. For example, Client Enhanced Key Usage (EKU) extensions or Server EKU extensions are not required.

On Windows Server 2012 or Windows Server 2012 R2, you must install the "Allow HTTP Activation" Windows Communication Foundation (WCF) feature.

May 11th, 2015 1:56am
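The requirements listed in the reply above can be checked on the Office Web Apps server before creating the farm. This is an added example, not code from any poster in this thread; the function name, the friendly name `OfficeWebApps`, the FQDN `wac.contoso.example`, and the assumption that the certificate sits in the LocalMachine\My store are all hypothetical.

```powershell
# Added example: checks the Office Web Apps Server certificate requirements listed above.
function Test-WacFarmCertificate {
    param(
        [Parameter(Mandatory)][string]$FriendlyName,  # name you would pass to New-OfficeWebAppsFarm
        [Parameter(Mandatory)][string]$FarmFqdn       # FQDN of the Office Web Apps Server farm
    )
    # Assumption: the server certificate was imported into LocalMachine\My.
    $all  = @(Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root' |
              Where-Object { $_.FriendlyName -eq $FriendlyName })
    $cert = $all | Where-Object { $_.PSParentPath -like '*\My' } | Select-Object -First 1
    if (-not $cert) { throw "No certificate named '$FriendlyName' in LocalMachine\My" }

    # Friendly name must identify one certificate only (count distinct thumbprints).
    $distinct = @($all | Select-Object -ExpandProperty Thumbprint -Unique)

    # Read names from the SAN extension (OID 2.5.29.17), not from the subject CN.
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = @($sanExt.Format($false) -split '[,=\s]+' | Where-Object { $_ -like '*.*' })
    }

    # Trust check only; revocation is skipped so the check also works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    # Export() throws when the private key is not marked exportable; the PFX bytes are discarded.
    $exportable = $false
    if ($cert.HasPrivateKey) {
        try   { [void]$cert.Export('Pfx', [guid]::NewGuid().ToString()); $exportable = $true }
        catch { $exportable = $false }
    }

    [pscustomobject]@{
        Thumbprint           = $cert.Thumbprint
        ChainsToTrustedRoot  = $trusted
        FarmFqdnInSan        = ($sanNames -contains $FarmFqdn)
        NoWildcardSan        = (@($sanNames | Where-Object { $_.StartsWith('*') }).Count -eq 0)
        PrivateKeyExportable = $exportable
        FriendlyNameUnique   = ($distinct.Count -eq 1)
    }
}

# Hypothetical values; replace with your own friendly name and farm FQDN.
Test-WacFarmCertificate -FriendlyName 'OfficeWebApps' -FarmFqdn 'wac.contoso.example'
```

`ChainsToTrustedRoot` reflects the root store of the machine the check runs on, so it says nothing about whether a different client trusts the issuing CA.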

Hi,

I would answer your questions one by one:

1. Since I'm using an internal CA for Office Web Apps/Lync 2013, is there any problem when external users browse OWA 2013? Will the integration work in this kind of scenario?

A: No, there is no issue with using different certificates (public certificate and internal CA certificate) for OWA and Lync. Just make sure the integrations among Exchange server, Office Web Apps server and Lync server have been configured correctly, and that the certificate is trusted and valid.

2. Can I use a different public cert for Exchange and OWA/Lync? For example, my Exchange using GoDaddy while Office Web Apps/Lync will use DigiCert? Will it work?

A: Yes, we can use different public certs for Exchange and Lync. Just make sure the certificate comes from a trusted Certificate Authority and includes the fully qualified domain name (FQDN) of the server.

Re

May 11th, 2015 11:23pm

Hi Winnie,

On your answer (A): when an Exchange OWA 2013 public user (using public CA) wants to preview a Word attachment in their email, with the Office Web Apps (owap) certificate configured using 'AD internal CA' with the HTTPS protocol, it won't pose any issue or warning, right? Meaning it is enough for me to buy a public certificate for Exchange while owaps can use an internal certificate. Kindly confirm. Thx.

May 13th, 2015 9:52pm

Hi 

You can use the internal CA (AD), which will not bring up any warning with the following conditions met:

If using an internal CA, download the certificate in base-64 format
If using an internal CA, use the advanced option to request the certificate and select web server as the certificate template
Make sure your certificate is created with the private key marked as exportable

If you are going to use it in a large-scale environment, a public CA may be a good option.

May 14th, 2015 12:10am
