Generate Self-Signed UCC in Exchange 2010

The self-signed certificate which is generated during Exchange 2010 setup has several major flaws:
- It uses the short NetBIOS name of the Exchange Client Access server as the Common Name (CN). (Fig. 1: Exchange 2010 default certificate uses the NetBIOS name as Common Name)
- It includes only the Exchange NetBIOS name and internal FQDN (Fully Qualified Domain Name) as Subject Alternative Names (SAN). (Fig. 2: Includes only the NetBIOS name and internal FQDN as SAN)
- It is not trusted by the clients.

This affects mainly the remote clients, as installing the certificate in their Trusted Root Certification Authorities store does not resolve the problem: the Exchange 2010 external host name is not included as a SAN. As a result:
- Remote clients get a security warning when accessing Outlook Web App (OWA).
- Outlook Anywhere does not work.

This certificate is considered a temporary solution and it is recommended to replace it as soon as possible. We have already demonstrated how to install a GoDaddy Multiple Domain/UCC SSL certificate and how to renew an expired one in Exchange 2010. Buying a commercial multiple domain certificate doesn't make a lot of sense when you are configuring a test network or if you have just a handful of remote clients.

In this Screencast, we will demonstrate how to generate and install a self-signed Multiple Domain SSL certificate in Exchange 2010. The self-signed certificate issues discussed above will be addressed by:
- Configuring the Exchange 2010 external host name as the Common Name. (Fig. 3: Uses the Exchange external host name as Common Name)
- Adding the required Subject Alternative Names (e.g. autodiscover.yourdomain.com). (Fig. 4: Includes the SANs that we need)
- Creating a Group Policy and adding the certificate as a trusted root certificate to all domain clients.
- Publishing the self-signed Multiple Domain Certificate with its public key on the web server running Exchange OWA, where remote clients are able to download it and install it in their local certificate store.
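As an added example (not the command file that accompanies the Screencast), the generate, verify, assign and export steps above in the Exchange Management Shell. The names mail.example.com, autodiscover.example.com, ex01.corp.example.com, EX01 and the export path are placeholders, not values from the Screencast:

```powershell
# Added example, not the Screencast's own commands. All host names and the
# output path below are placeholders for your own environment.
$external = "mail.example.com"
$sans     = @($external, "autodiscover.example.com", "ex01.corp.example.com", "EX01")

# 1. Generate the self-signed certificate with the external host name as CN and
#    every name clients will connect to (external, Autodiscover, internal FQDN,
#    NetBIOS) as a SAN. Exportable key so it can be moved to another CAS if needed.
$cert = New-ExchangeCertificate -FriendlyName "Exchange Self-Signed UCC" `
    -SubjectName "CN=$external" -DomainName $sans -PrivateKeyExportable $true

# 2. Verify the CN and the SAN list (OID 2.5.29.17) before assigning services.
$x509 = Get-ChildItem "Cert:\LocalMachine\My\$($cert.Thumbprint)"
$x509.Subject
$x509.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" } |
    ForEach-Object { $_.Format($true) }

# 3. Assign the certificate to IIS (OWA, Outlook Anywhere, Autodiscover) and SMTP.
#    Exchange prompts before replacing the default SMTP certificate.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# 4. Export the public certificate only (DER .cer, no private key) so it can be
#    published on the OWA web server for remote clients and imported into the
#    Group Policy setting Computer Configuration > Policies > Windows Settings >
#    Security Settings > Public Key Policies > Trusted Root Certification Authorities.
$der = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("C:\inetpub\wwwroot\owa-selfsigned.cer", $der)
```

Only the .cer file (public key) is published; the private key never leaves the Exchange server.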

Even if you have a commercial UCC which is about to expire or has expired (as it is in our demo), you can consider installing a self-signed one as a temporary (or permanent, depending on your configuration) solution.
For your convenience, we have published the text file with the commands which we are using in the Screencast here.






Copyright © 2014 NetoMeter. All rights reserved.