Questions on Exchange 2010  & Wildcard SSL Certs
Hi all, I am currently testing Exchange 2010 and I have two questions regarding SSL certs. For this example let's say the domain my company uses is domain.com. We currently have a wildcard SSL cert for *.domain.com. For my test-bed Exchange 2010 setup, I made a subdomain called test.domain.com; our CAS server is called owa.test.domain.com.

1. When importing our wildcard cert into the CAS server and assigning it to POP, IMAP, and IIS, it failed on both POP and IMAP because it said "The subject is not a FQDN." Can you not use wildcard certs for POP and IMAP?

2. Even though it worked for IIS, you still get the untrusted site warning when you try to connect to it over the web. Viewing the Technical Details says: owa.test.domain.com uses an invalid security certificate. The certificate is only valid for the following names: *.domain.com, domain.com (Error code: ssl_error_bad_cert_domain). Is this because I used the subdomain 'test' for the domain domain.com? Would it have worked if I had used owa.domain.com?
June 5th, 2011 7:22pm

As far as SSL certificates are concerned, host.sub.example.com is not covered by a wildcard certificate for *.example.com. If you wanted to use a wildcard certificate then you would need one for *.sub.example.com, or even *.*.example.com, if anyone issues those (I don't think so). Therefore your problem is that you have too many subdomains for the certificate. Not an Exchange issue at all, but how SSL certificates are treated.

Simon.

Simon Butler, Exchange MVP Blog | Exchange Resources | In the UK? Hire Me.
June 6th, 2011 1:36am

Hi, there are many factors to consider when you configure certificates for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) services. You must understand how these factors may affect your overall configuration. Before you continue, read Understanding TLS Certificates.

Don't use the Enable-ExchangeCertificate cmdlet to enable a wildcard certificate for POP and IMAP services. To enable a wildcard certificate, you must use the Set-ImapSettings or Set-PopSettings cmdlets with the fully qualified domain name (FQDN) of the service. For the detailed information, please refer to the following link: Title: Enable-ExchangeCertificate URL: http://technet.microsoft.com/en-us/library/aa997231.aspx

Yes, from your description, I understand that the wildcard certificate is issued to *.domain.com. For owa.test.domain.com, the wildcard certificate will come up with the message that it is only valid for the following names: *.domain.com. I suggest that you need to remove the subdomain 'test' for the domain domain.com. And it will work if you use owa.domain.com.

Thx, James

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 7th, 2011 12:07pm

So could you issue a cert with *.example.com (that would cover any-sub-domain.example.com) along with a Subject Alternative Name (SAN) for dns=*.web.example.com? This way, you would cover all first-level subdomains of example.com, and also all subdomains of web.example.com. Would this work as I described?
August 16th, 2011 1:53pm
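To make Simon's point and the last question checkable, here is an added example (not code from the thread) that implements the browser-side wildcard rule from RFC 6125: a `*` matches exactly one DNS label and only as the whole leftmost label. The certificate name lists below are constructed samples taken from the names mentioned in the thread.

```python
"""Check which hostnames a certificate's names cover, using the
RFC 6125 wildcard rule that browsers (and the ssl_error_bad_cert_domain
error above) apply: '*' stands for exactly one label, leftmost only."""


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single certificate name (CN or SAN) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label; '*.*.example.com'
    # and 'ow*.example.com' are rejected by browsers, so reject them here.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # '*' matches one label, never zero or two: label counts must agree.
    # This is why owa.test.domain.com is NOT covered by *.domain.com.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name on the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def check_names(cert_names, hostnames):
    """Map each hostname to whether the certificate covers it."""
    return {h: cert_covers(cert_names, h) for h in hostnames}


# Constructed sample: the names on the thread's wildcard certificate.
WILDCARD_CERT = ["*.domain.com", "domain.com"]
# Constructed sample: the certificate proposed in the last post (CN + SAN).
SAN_CERT = ["*.example.com", "*.web.example.com"]

if __name__ == "__main__":
    cases = (
        (WILDCARD_CERT, ["owa.domain.com", "owa.test.domain.com", "domain.com"]),
        (SAN_CERT, ["any-sub-domain.example.com", "app.web.example.com",
                    "a.b.web.example.com"]),
    )
    for cert, hosts in cases:
        for host, ok in check_names(cert, hosts).items():
            print(f"{host:28s} {'covered' if ok else 'NOT covered'} by {cert}")
```

The last case shows the limit of the SAN approach in the final question: *.web.example.com covers app.web.example.com but not a.b.web.example.com, for the same reason *.domain.com does not cover owa.test.domain.com.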
