One of the first tasks that you need to perform on a new Exchange 2013 CAS or multirole server is to install and assign a new certificate to the available services. The out of the box self-signed certificate is provided simply as a temporary solution and has the following limitations:
- It is not trusted by domain and remote clients
- The Common Name (CN) of the certificate is the short/NetBIOS name of Exchange server
- Only Exchange internal Fully Qualified Domain name (FQDN) is included as a Subject Alternative name (SAN)
- The autodiscover and Exchange Public names are not included in the SAN field
As a result, we get the following problems:
- Internal Outlook clients and internal/remote OWA users get a security warning.
- Outlook Anywhere (OA) is not working. Even if you manually configure OA profile and add the certificate to the local Trusted Root Certificate authorities, Exchange public FQDN is not included in the certificate and Outlook Anywhere fails.
The recommended approach is to install a UCC from a trusted certificate Authority. There are cases when you might choose to use a different approach – replace the out of the box self-signed certificate with a new self-signed certificate that uses Exchange Public name as a Common Name (CN) and includes the Autodiscover FQDN. Typical examples are:
- Implementing a test environment with Exchange 2013.
- Limited number of remote users.
- You simply need more time, until you choose a suitable Certificate provider and buy a commercial UCC.
As you can see in our Screencast, generating and installing a new self-signed Multiple Domain Exchange certificate that fits your needs is extremely easy and straight forward. Moreover, creating a Group Policy to distribute the certificate to Domain Clients, and publishing the certificate, so remote clients can install and use it with OWA and Outlook Anywhere, takes literally a couple of minutes.