UCC/SAN Cert with SBS2008 - names required

Good evening!

I am in the process of preparing for a SBS2003 to SBS2008 migration. I have
done several of these so that process is very familiar to me.

My question is regarding the UCC/SAN Cert for EXCH2007. I have prepared
many UCC/SAN Certs for "normal" Exchange 2007 but have done only one for
SBS2008 (my ex-colleague did the other three).

What names are required for this?

Let's assume the machine is called MYCORP-DC01 and that the internal DNS
Domain Name is mymoney.local and that the external DNS Domain Name is
mymoney.com. For "normal" EXCH2007 I would do the following:

mail.mymoney.com
autodiscover.mymoney.com
mycorp-dc01
mcorp-dc01.mymoney.local

I might even throw in mymoney.com (not required, but I might do it).

I know that SBS2008 is a different animal and that you need to do the
WIZARDS for everything. Well versed in that. Very much aware that
remote.mymoney.com is going to be the CN of the cert. What other names need
to be on the SSL Cert?

Thanks,

Cary

Unless you have a need for a UCC cert, I don't recommend it. It only makes
things more complicated. As you mentioned, sticking to the wizards is a
*good* thing, and the wizards handle non-UCC certs just fine.

http://blogs.technet.com/sbs/archive...-sbs-2008.aspx

Yes, this just links you over to Sean Daniel's blog, and I could've posted
that directly, but I like the idea of getting people in the habit if
searching the Official SBS Blog first, and this is an Official SBS Blog
post.

-Cliff


"Cary Shultz" <> wrote in message
news:uF5$...
> Good evening!
>
> I am in the process of preparing for a SBS2003 to SBS2008 migration. I
> have done several of these so that process is very familiar to me.
>
> My question is regarding the UCC/SAN Cert for EXCH2007. I have prepared
> many UCC/SAN Certs for "normal" Exchange 2007 but have done only one for
> SBS2008 (my ex-colleague did the other three).
>
> What names are required for this?
>
> Let's assume the machine is called MYCORP-DC01 and that the internal DNS
> Domain Name is mymoney.local and that the external DNS Domain Name is
> mymoney.com. For "normal" EXCH2007 I would do the following:
>
> mail.mymoney.com
> autodiscover.mymoney.com
> mycorp-dc01
> mcorp-dc01.mymoney.local
>
> I might even throw in mymoney.com (not required, but I might do it).
>
> I know that SBS2008 is a different animal and that you need to do the
> WIZARDS for everything. Well versed in that. Very much aware that
> remote.mymoney.com is going to be the CN of the cert. What other names
> need to be on the SSL Cert?
>
> Thanks,
>
> Cary
>

Cliff,

Much appreciated. However, they have 25 sales people throughout Virginia
and West Virginia and Washington DC and the Cert thing would be a *HUGE*
issue for them (2/3 of the sales force is rather 'computer - illiterate').

If we did decide to go with the UCC/SAN Cert what would you suggest? And, I
will look at the Offical SBS Blog....Thanks for that!

Cary


"Cliff Galiher - MVP" <> wrote in message
news:eKTV0%...
> Unless you have a need for a UCC cert, I don't recommend it. It only
> makes things more complicated. As you mentioned, sticking to the wizards
> is a *good* thing, and the wizards handle non-UCC certs just fine.
>
> http://blogs.technet.com/sbs/archive...-sbs-2008.aspx
>
> Yes, this just links you over to Sean Daniel's blog, and I could've posted
> that directly, but I like the idea of getting people in the habit if
> searching the Official SBS Blog first, and this is an Official SBS Blog
> post.
>
> -Cliff
>
>
> "Cary Shultz" <> wrote in message
> news:uF5$...
>> Good evening!
>>
>> I am in the process of preparing for a SBS2003 to SBS2008 migration. I
>> have done several of these so that process is very familiar to me.
>>
>> My question is regarding the UCC/SAN Cert for EXCH2007. I have prepared
>> many UCC/SAN Certs for "normal" Exchange 2007 but have done only one for
>> SBS2008 (my ex-colleague did the other three).
>>
>> What names are required for this?
>>
>> Let's assume the machine is called MYCORP-DC01 and that the internal DNS
>> Domain Name is mymoney.local and that the external DNS Domain Name is
>> mymoney.com. For "normal" EXCH2007 I would do the following:
>>
>> mail.mymoney.com
>> autodiscover.mymoney.com
>> mycorp-dc01
>> mcorp-dc01.mymoney.local
>>
>> I might even throw in mymoney.com (not required, but I might do it).
>>
>> I know that SBS2008 is a different animal and that you need to do the
>> WIZARDS for everything. Well versed in that. Very much aware that
>> remote.mymoney.com is going to be the CN of the cert. What other names
>> need to be on the SSL Cert?
>>
>> Thanks,
>>
>> Cary
>>

Let me rephrase:

Is there a reason you want to use a *UCC* certificate vs a regular 3rd-party
"standard" SSL cert?

A 3rd-party cert will still prevent certificate errors in the browser, does
NOT require manually deploying any package (self-signed cert, etc) on client
machines, and is as secure as a UCC/SAN cert. You should only be
considering a UCC/SAN certificate if you have a valid need for multiple
names attached to the certificate. For most SBS deployments this is *not*
the case.

-Cliff


"Cary Shultz" <> wrote in message
news:OVVdwQ#...
> Cliff,
>
> Much appreciated. However, they have 25 sales people throughout Virginia
> and West Virginia and Washington DC and the Cert thing would be a *HUGE*
> issue for them (2/3 of the sales force is rather 'computer - illiterate').
>
> If we did decide to go with the UCC/SAN Cert what would you suggest? And,
> I will look at the Offical SBS Blog....Thanks for that!
>
> Cary
>
>
> "Cliff Galiher - MVP" <> wrote in message
> news:eKTV0%...
>> Unless you have a need for a UCC cert, I don't recommend it. It only
>> makes things more complicated. As you mentioned, sticking to the wizards
>> is a *good* thing, and the wizards handle non-UCC certs just fine.
>>
>> http://blogs.technet.com/sbs/archive...-sbs-2008.aspx
>>
>> Yes, this just links you over to Sean Daniel's blog, and I could've
>> posted that directly, but I like the idea of getting people in the habit
>> if searching the Official SBS Blog first, and this is an Official SBS
>> Blog post.
>>
>> -Cliff
>>
>>
>> "Cary Shultz" <> wrote in
>> message news:uF5$...
>>> Good evening!
>>>
>>> I am in the process of preparing for a SBS2003 to SBS2008 migration. I
>>> have done several of these so that process is very familiar to me.
>>>
>>> My question is regarding the UCC/SAN Cert for EXCH2007. I have prepared
>>> many UCC/SAN Certs for "normal" Exchange 2007 but have done only one for
>>> SBS2008 (my ex-colleague did the other three).
>>>
>>> What names are required for this?
>>>
>>> Let's assume the machine is called MYCORP-DC01 and that the internal DNS
>>> Domain Name is mymoney.local and that the external DNS Domain Name is
>>> mymoney.com. For "normal" EXCH2007 I would do the following:
>>>
>>> mail.mymoney.com
>>> autodiscover.mymoney.com
>>> mycorp-dc01
>>> mcorp-dc01.mymoney.local
>>>
>>> I might even throw in mymoney.com (not required, but I might do it).
>>>
>>> I know that SBS2008 is a different animal and that you need to do the
>>> WIZARDS for everything. Well versed in that. Very much aware that
>>> remote.mymoney.com is going to be the CN of the cert. What other names
>>> need to be on the SSL Cert?
>>>
>>> Thanks,
>>>
>>> Cary
>>>
>
>

Cliff,

Understood. In the upcoming case - no, there is little to zero need for a
UCC/SAN Cert. As always, thanks for steering me in the right direction.

Cary

"Cliff Galiher - MVP" <> wrote in message
news:u30PCX%...
> Let me rephrase:
>
> Is there a reason you want to use a *UCC* certificate vs a regular
> 3rd-party "standard" SSL cert?
>
> A 3rd-party cert will still prevent certificate errors in the browser,
> does NOT require manually deploying any package (self-signed cert, etc) on
> client machines, and is as secure as a UCC/SAN cert. You should only be
> considering a UCC/SAN certificate if you have a valid need for multiple
> names attached to the certificate. For most SBS deployments this is *not*
> the case.
>
> -Cliff
>
>
> "Cary Shultz" <> wrote in message
> news:OVVdwQ#...
>> Cliff,
>>
>> Much appreciated. However, they have 25 sales people throughout Virginia
>> and West Virginia and Washington DC and the Cert thing would be a *HUGE*
>> issue for them (2/3 of the sales force is rather 'computer -
>> illiterate').
>>
>> If we did decide to go with the UCC/SAN Cert what would you suggest?
>> And, I will look at the Offical SBS Blog....Thanks for that!
>>
>> Cary
>>
>>
>> "Cliff Galiher - MVP" <> wrote in message
>> news:eKTV0%...
>>> Unless you have a need for a UCC cert, I don't recommend it. It only
>>> makes things more complicated. As you mentioned, sticking to the
>>> wizards is a *good* thing, and the wizards handle non-UCC certs just
>>> fine.
>>>
>>> http://blogs.technet.com/sbs/archive...-sbs-2008.aspx
>>>
>>> Yes, this just links you over to Sean Daniel's blog, and I could've
>>> posted that directly, but I like the idea of getting people in the habit
>>> if searching the Official SBS Blog first, and this is an Official SBS
>>> Blog post.
>>>
>>> -Cliff
>>>
>>>
>>> "Cary Shultz" <> wrote in
>>> message news:uF5$...
>>>> Good evening!
>>>>
>>>> I am in the process of preparing for a SBS2003 to SBS2008 migration. I
>>>> have done several of these so that process is very familiar to me.
>>>>
>>>> My question is regarding the UCC/SAN Cert for EXCH2007. I have
>>>> prepared many UCC/SAN Certs for "normal" Exchange 2007 but have done
>>>> only one for SBS2008 (my ex-colleague did the other three).
>>>>
>>>> What names are required for this?
>>>>
>>>> Let's assume the machine is called MYCORP-DC01 and that the internal
>>>> DNS Domain Name is mymoney.local and that the external DNS Domain Name
>>>> is mymoney.com. For "normal" EXCH2007 I would do the following:
>>>>
>>>> mail.mymoney.com
>>>> autodiscover.mymoney.com
>>>> mycorp-dc01
>>>> mcorp-dc01.mymoney.local
>>>>
>>>> I might even throw in mymoney.com (not required, but I might do it).
>>>>
>>>> I know that SBS2008 is a different animal and that you need to do the
>>>> WIZARDS for everything. Well versed in that. Very much aware that
>>>> remote.mymoney.com is going to be the CN of the cert. What other names
>>>> need to be on the SSL Cert?
>>>>
>>>> Thanks,
>>>>
>>>> Cary
>>>>
>>
>>

On Tue, 4 May 2010 22:33:41 -0400, "Cary Shultz"
<> wrote:

>Cliff,
>
>Understood. In the upcoming case - no, there is little to zero need for a
>UCC/SAN Cert. As always, thanks for steering me in the right direction.
>
>Cary
>

Hi Cary,

I hope all is well!

FWIW, the only reason I can see multi names required is for remote
sales folks using Outlook ANywhere on a non-joined machine, or for
Windows Mobile handhelds. Droids and iPhones allow you to trust a
non-public CA cert, but Windows Mobile is not so forgiving as well as
Outlook.

If this is the case, you may need the additional names. If so, you can
run the wiz to add the single named cert, then use Exchange's shell to
add the other info to IIS, etc, the cert has.

Take a look at my blog on UCC/SAN certs. It was meant for non-SBS, but
you may find it helpful.

Exchange 2007 UC/SAN Certificate & Things to consider Choosing An
Internal AD DNS Domain Name If Using Exchange 2007
http://msmvps.com/blogs/acefekay/arc...rtificate.aspx

Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Just as an FYI, outlook anywhere and activesync work just fine with a
single-name certificate as long as you set up the appropriate SRV record in
DNS for autodiscovery to work. You really don't need to spend the money on
UCC unless you actually are trying to secure multiple resources, which in a
normal SBS install is not the case.

-Cliff


"Ace Fekay [MVP - Directory Services, MCT]" <>
wrote in message news:...
> On Tue, 4 May 2010 22:33:41 -0400, "Cary Shultz"
> <> wrote:
>
>>Cliff,
>>
>>Understood. In the upcoming case - no, there is little to zero need for a
>>UCC/SAN Cert. As always, thanks for steering me in the right direction.
>>
>>Cary
>>
>
> Hi Cary,
>
> I hope all is well!
>
> FWIW, the only reason I can see multi names required is for remote
> sales folks using Outlook ANywhere on a non-joined machine, or for
> Windows Mobile handhelds. Droids and iPhones allow you to trust a
> non-public CA cert, but Windows Mobile is not so forgiving as well as
> Outlook.
>
> If this is the case, you may need the additional names. If so, you can
> run the wiz to add the single named cert, then use Exchange's shell to
> add the other info to IIS, etc, the cert has.
>
> Take a look at my blog on UCC/SAN certs. It was meant for non-SBS, but
> you may find it helpful.
>
> Exchange 2007 UC/SAN Certificate & Things to consider Choosing An
> Internal AD DNS Domain Name If Using Exchange 2007
> http://msmvps.com/blogs/acefekay/arc...rtificate.aspx
>
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
> MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
>
> If you feel this is an urgent issue and require immediate assistance,
> please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.

On Wed, 5 May 2010 10:55:37 -0600, "Cliff Galiher - MVP"
<> wrote:

>Just as an FYI, outlook anywhere and activesync work just fine with a
>single-name certificate as long as you set up the appropriate SRV record in
>DNS for autodiscovery to work. You really don't need to spend the money on
>UCC unless you actually are trying to secure multiple resources, which in a
>normal SBS install is not the case.
>
>-Cliff
>

Very true, which was why I mentioned it wasn't geared for SBS. :-)


Ace