Hi, The following document https://www.cabforum.org/Baseline_Requirements_V1.pdf, section 9.2.1, states : As of the Effective Date of these Requirements, prior to the issuance of a Certificate with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Server Name, the CA SHALL notify the Applicant that the use of such Certificates has been deprecated by the CA / Browser Forum and that the practice will be eliminated by October 2016. Also as of the Effective Date, the CA SHALL NOT issue a certificate with an Expiry Date later than 1 November 2015 with a subjectAlternativeName extension or Subject commonName field containing a Reserved IP Address or Internal Server Name. Effective 1 October 2016, CAs SHALL revoke all unexpired Certificates whose subjectAlternativeName extension or Subject commonName field contains a Reserved IP Address or Internal Server Name It sounds like SRV-EXC01 or myserver.mydomain.local names won't be allowed anymore in SSL SAN certificates issued by official CA's. Any feedback about that ? Christian G.

Hi Yes, this change is coming in over the next 3 - 4 years. It is already best practice in Exchange 2010 to use split DNS and not have any internal names on the certificate. Cheers, Steve