I have some questions regarding the correct setup for SSL for Exchange Server 2007. The Setup program in Exchange Server 2007 creates a default self-signed certificate when Exchange Server 2007 is installed. My email domain is mba.company.com (EMAIL GONE) and the OWA website is mail.branch.company.com. Right now, I have a wildcard SSL in IIS for *.company.com that I am using for OWA and people can log into OWA without a problem. 1. Will it be a problem for me to also have a SSL for mba.company.com? 2. Am I correct in thinking that the SSL for mba.company.com would replace the self-signed SSL that was created when Exchange was installed?Any insight you can give would be very much appreciated!Thanks!

Well, one cert per IIS Site. So, if you have a cert applied to an Exchange site you can't apply another cert for it. You could set up mutliple owa sites for your environment if you need to have different url access etc, more info: http://msexchangeteam.com/archive/2008/01/07/447828.aspx With the wild card cert it will provide access for all domains.The trick is with Active sync and OLA, Wild Card Certs won't play nice with those. You'd probably be better off going with a SAN cert. and Technically you want to replace the self signed Cert. Best bet is public if private cert. Most configuration I do will involved an ISA server in the DMZ with a public cert and then a internal Cert for the connection between ISA and the CAS server. But yes, replace the self signed sll cert created by exchange, it's only good for one year. ;)some good info on certs:More on Exchange 2007 and certificates - with real world scenario http://msexchangeteam.com/archive/2007/07/02/445698.aspxExchange 2007 Autodiscover and certificates http://msexchangeteam.com/archive/2007/04/30/438249.aspxSF - MCITP:EMA, MCTS: MOSS 2007, OCS 2007, Exchange 2007 -- http://www.scottfeltmann.com

Windows Mobile 6.0 and later support wildcard certs. Outlook Anywhere does support wildcard as long as you run the Set-OutlookProvider to set the MSSTD:*.domain.com. More information about Outlook Anywhere here . As for the self-signed certificate only being good for 1 year, SP2 changed that to 5 years.MVP | MCSE:M | MCITP: Enterprise Messaging Administrator | MCTS: OCS + Voice Specialization | http://www.shudnow.net

Thank's Elan, that's good to know!SF - MCITP:EMA, MCTS: MOSS 2007, OCS 2007, Exchange 2007 -- http://www.scottfeltmann.com

Thank you for your replies. Now I have a couple of followup questions:I can keep the wildcard certificate for *branch.company.com for the OWA website in IIS. 1. However,should I create another website in IIS for all of the other Exchange functionality, like autodiscover/POP/IMAP?What type of SSL cert would this site need,a renewal of the self signed SSLor a SSL for my email domain, @mba.company.com?But does the self-signed SSLdo the same thing that the SSL cert for my email domain, @mba.company.com?I am confused as to what kind of SSLs I need. I am getting the following type error messages on my Exchange server.event message #1 - "Microsoft Exchange couldn't find a certificate that contains the domain name mba.company.com in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector outgoing email with a FQDN parameter of mba.company.com. If the connector's FQDN is not specified, the computer's FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.event message #2 - The STARTTLS certificate will expire soon: subject: servername.ad.company.com, hours remaining: 990B7D2F990179D3ADF999D44562C3481BA2BBC0. Run the New-ExchangeCertificate cmdlet to create a new certificate.2. I have not installed Exchange 2007 SP2 yet. According to Elan, SP2 changes it the validity of the SSL from 1 year to 5 years. So if I upgrade to SP2, will that take care of this issue of renewing the self-signed SSL?