Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2013-01-25
Digital certificates are an important part of securing the communication between the on-premises Exchange organization and the Microsoft Office 365 service, other on-premises Exchange servers, and your clients. Certificates enable one entity to trust the identity of another, which helps to ensure that a client or server is communicating with the intended endpoint rather than an impostor.
In a hybrid deployment, several services make use of certificates:
- Active Directory Federation Services (AD FS): A certificate issued by a trusted third-party certificate authority (CA) is used to establish trust between web clients and federation server proxies, to sign security tokens, and to decrypt security tokens. Learn more at: Certificates
- Exchange federation: A self-signed certificate is used to create a secure connection between the on-premises Exchange Server 2010 SP3 servers configured for the hybrid deployment (that is, the "hybrid servers") and the Microsoft Federation Gateway. Learn more at: Understanding Federated Delegation
- Exchange services: Certificates issued by a trusted third-party CA are used to secure Secure Sockets Layer (SSL) communication between Exchange servers and clients. Services that use certificates include Outlook Web App, Exchange ActiveSync, Outlook Anywhere, and message transport.
- Existing Exchange servers: Your existing Exchange servers may already use certificates to help secure Outlook Web App communication, message transport, and so on. Depending on how you use certificates on those servers, they might be self-signed certificates or certificates issued by a trusted third-party CA. Learn more at: Understanding Digital Certificates and SSL
Certificate Requirements for a Hybrid Deployment
When you configure a hybrid deployment, you must configure certificates. Several services, such as AD FS, Exchange 2010 federation, Exchange 2010 services, and your existing Exchange servers, each require certificates, and most of them require certificates purchased from a trusted third-party CA (the exception is the federation trust, which uses a self-signed certificate by default). Depending on your organization, you may decide to do one of the following:
- Use a single third-party certificate that's shared by all services across multiple servers.
- Use a separate third-party certificate for each server that provides services.
Whether you choose to use the same certificate for all services, or dedicate a certificate for each service, depends on your organization and the service you're implementing. Here are some things to consider about each option:
- Third-party certificate across multiple servers: Third-party certificates that are used by services across multiple servers may be slightly cheaper to obtain, but they may complicate renewal and replacement. The complication occurs because, when a certificate needs replacement, you need to replace the certificate on every server where it's installed.
- Third-party certificate for each server: Using a dedicated certificate for each server that hosts services allows you to configure the certificate specifically for the services on that server. If you need to replace or renew the certificate, you only need to replace it on the server where those services are installed. Other servers aren't affected.
We recommend that you use a dedicated third-party certificate for the AD FS server, another certificate for the Exchange services on your hybrid servers, and, if needed, a separate certificate for your existing Exchange servers. The on-premises federated trust configured as part of federated delegation uses a self-signed certificate by default. Unless you have specific requirements, there's no need to use a third-party certificate for the federation trust configured as part of federated delegation.
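The shared-versus-dedicated decision above is easier to make with an inventory of which certificate is bound to which services on which servers. The following script is an added example, not code from the original article; it runs in the Exchange Management Shell on Exchange 2010 SP3 and uses only `Get-ExchangeServer` and `Get-ExchangeCertificate`. It groups bound certificates by thumbprint so that a certificate shared across several servers (the renewal problem described above) shows up as one row listing every server that must be touched, and it flags self-signed certificates bound to client-facing services. The 30-day expiry threshold is an arbitrary choice for this example.

```powershell
# Added example: inventory the certificates bound to Exchange services across the
# on-premises Client Access and Hub Transport servers.
# Assumes the Exchange Management Shell on Exchange 2010 SP3. The expiry warning
# window is an assumed value; adjust it to your renewal lead time.

function Get-ExchangeCertificateInventory {
    param(
        [int] $ExpiryWarningDays = 30   # assumed threshold
    )

    # Client Access and Hub Transport servers terminate the client and SMTP TLS
    # sessions the article is concerned with.
    $servers = Get-ExchangeServer | Where-Object {
        $_.IsClientAccessServer -or $_.IsHubTransportServer
    }

    # One record per (server, bound certificate). Certificates with no service
    # bound (Services = None) are ignored.
    $bindings = foreach ($server in $servers) {
        Get-ExchangeCertificate -Server $server.Name |
            Where-Object { "$($_.Services)" -ne 'None' } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Server       = $server.Name
                    Thumbprint   = $_.Thumbprint
                    Subject      = $_.Subject
                    Services     = "$($_.Services)"
                    IsSelfSigned = $_.IsSelfSigned
                    NotAfter     = $_.NotAfter
                    Domains      = @($_.CertificateDomains | ForEach-Object { "$_" })
                }
            }
    }

    # Collapse to one row per certificate, listing every server that has it bound.
    foreach ($group in ($bindings | Group-Object -Property Thumbprint)) {
        $first      = $group.Group[0]
        $serverList = @($group.Group | ForEach-Object { $_.Server } | Sort-Object -Unique)
        $services   = @($group.Group | ForEach-Object { $_.Services } | Sort-Object -Unique)
        $daysLeft   = [int] ($first.NotAfter - (Get-Date)).TotalDays

        $warnings = @()
        if ($serverList.Count -gt 1) {
            $warnings += "shared by $($serverList.Count) servers; renewal must be repeated on each"
        }
        # The federation trust's self-signed certificate is bound to Federation,
        # not IIS or SMTP, so it is deliberately not flagged here.
        if ($first.IsSelfSigned -and (($services -join ',') -match 'IIS|SMTP')) {
            $warnings += 'self-signed certificate bound to client-facing services (IIS/SMTP)'
        }
        if ($daysLeft -le $ExpiryWarningDays) {
            $warnings += "expires in $daysLeft days"
        }

        New-Object PSObject -Property @{
            Thumbprint   = $group.Name
            Subject      = $first.Subject
            Servers      = ($serverList -join ', ')
            Services     = ($services -join '; ')
            IsSelfSigned = $first.IsSelfSigned
            DaysLeft     = $daysLeft
            Domains      = ($first.Domains -join ', ')
            Warnings     = ($warnings -join '; ')
        }
    }
}

# Usage: full inventory, then only the certificates that need attention.
$inventory = Get-ExchangeCertificateInventory
$inventory | Format-Table Thumbprint, Servers, Services, DaysLeft, IsSelfSigned -AutoSize
$inventory | Where-Object { $_.Warnings } | Format-List Thumbprint, Subject, Servers, Warnings
```

A row whose Servers column lists more than one server is a certificate you would have to replace on each of them at renewal; a self-signed certificate flagged on IIS or SMTP is one the article expects to be replaced by a third-party certificate.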
The services that are installed on a single server may require that you configure multiple fully qualified domain names (FQDNs) for the server. Purchase a certificate that allows for the required number of FQDNs. Certificates consist of the subject, or principal, name and one or more subject alternative names (SANs). The subject name is the FQDN that the certificate is issued to. SANs are additional FQDNs that can be added to a certificate in addition to the subject name. If you need a certificate to support five FQDNs, purchase a certificate that allows for five names to be added to the certificate: one subject name and four SANs. The following table lists the suggested FQDNs for each service in a hybrid deployment.
Service | Server | Suggested FQDN |
---|---|---|
Active Directory Federation Services (AD FS) (if you've chosen to configure AD FS) | AD FS server | sts.contoso.com |
Autodiscover | Hybrid servers | autodiscover.contoso.com |
Transport | Hybrid servers | Label that matches the external FQDN of your Exchange 2010 SP3 hybrid servers, such as hybrid.contoso.com |
Outlook Anywhere | Hybrid servers | Label that matches the internal FQDN of your Exchange 2010 SP3 hybrid servers, such as Ex2010.corp.contoso.com, and a label that matches the internal host name of your Exchange 2010 SP3 hybrid servers, such as Ex2010 |
Outlook Web App (Exchange 2010) | Hybrid servers | owa.contoso.com |
Outlook Web App (existing Exchange server) | Existing Exchange server | Label that matches the external FQDN of your existing Exchange server, such as mail.contoso.com |
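The table above, together with the subject-name and SAN explanation, translates directly into a certificate request for the hybrid servers. The following script is an added example, not code from the original article; it runs in the Exchange Management Shell on Exchange 2010 SP3 and uses `New-ExchangeCertificate`, `Import-ExchangeCertificate`, `Get-ExchangeCertificate` and `Enable-ExchangeCertificate`. It assembles the five contoso.com names from the table (sts.contoso.com is left out because the article recommends a dedicated certificate for AD FS), generates the request with hybrid.contoso.com as the subject name and the other four as SANs, and, once the issued certificate is imported, checks that every required name is covered (including a single-label wildcard case) before binding the certificate to IIS and SMTP. The choice of subject name, the organization and country values, the friendly name and the file paths are assumptions. One practical caveat: public CAs stopped issuing certificates for non-public names such as Ex2010 or Ex2010.corp.contoso.com in 2015, so today those two labels would come from an internal CA or be replaced by a public namespace; the script keeps the article's labels as written.

```powershell
# Added example: request, verify and enable the hybrid servers' certificate
# using the FQDNs from the article's table. Assumes the Exchange Management
# Shell on Exchange 2010 SP3; subject name, O/C values, friendly name and file
# paths are assumptions for this example.

$hybridSubject = 'hybrid.contoso.com'   # assumed choice of subject name
$hybridNames   = @(
    $hybridSubject,                     # Transport: external FQDN of the hybrid servers
    'autodiscover.contoso.com',         # Autodiscover
    'Ex2010.corp.contoso.com',          # Outlook Anywhere: internal FQDN
    'Ex2010',                           # Outlook Anywhere: internal host name
    'owa.contoso.com'                   # Outlook Web App (Exchange 2010)
)

# Step 1: generate the request. The first name becomes the subject (CN); the
# whole list goes into -DomainName so the CA places all five in the SAN.
function New-HybridCertificateRequest {
    param(
        [string]   $SubjectFqdn,
        [string[]] $Names,
        [string]   $Organization = 'Contoso',            # assumed
        [string]   $Country      = 'US',                 # assumed
        [string]   $OutFile      = 'C:\certs\hybrid.req' # assumed
    )
    $subject = "CN=$SubjectFqdn, O=$Organization, C=$Country"
    $request = New-ExchangeCertificate -GenerateRequest `
        -SubjectName $subject `
        -DomainName $Names `
        -KeySize 2048 `
        -PrivateKeyExportable $true `
        -FriendlyName 'Contoso hybrid servers'           # assumed
    Set-Content -Path $OutFile -Value $request
    return $subject
}

# Step 2: name coverage check. A required name is covered by an exact match or
# by a single-label wildcard: *.contoso.com covers owa.contoso.com but not
# Ex2010.corp.contoso.com (two labels) or the bare host name Ex2010.
function Test-CertificateNames {
    param(
        [string[]] $CertificateDomains,
        [string[]] $RequiredNames
    )
    $missing = foreach ($name in $RequiredNames) {
        $covered = $false
        foreach ($domain in $CertificateDomains) {
            if ($domain -ieq $name) { $covered = $true; break }
            if ($domain.StartsWith('*.')) {
                $labels = $name.Split('.')
                if ($labels.Count -eq 1) { continue }          # bare host name
                $wildcardSuffix = $domain.Substring(1)         # ".contoso.com"
                $nameSuffix     = $name.Substring($labels[0].Length)
                if ($nameSuffix -ieq $wildcardSuffix) { $covered = $true; break }
            }
        }
        if (-not $covered) { $name }
    }
    return @($missing)
}

# Step 3: import the issued certificate, verify coverage, then enable it.
function Install-HybridCertificate {
    param(
        [string]   $CertFile,       # .cer or .p7b returned by the CA; assumed path
        [string[]] $RequiredNames
    )
    $bytes    = [byte[]] (Get-Content -Path $CertFile -Encoding Byte -ReadCount 0)
    $imported = Import-ExchangeCertificate -FileData $bytes
    $cert     = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
    $domains  = @($cert.CertificateDomains | ForEach-Object { "$_" })

    $missing = Test-CertificateNames -CertificateDomains $domains -RequiredNames $RequiredNames
    if ($missing.Count -gt 0) {
        throw "Certificate $($cert.Thumbprint) does not cover: $($missing -join ', ')"
    }

    # IIS covers Outlook Web App, Exchange ActiveSync, Outlook Anywhere and
    # Autodiscover; SMTP covers transport. Federation is not enabled here: the
    # federation trust keeps its self-signed certificate.
    Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS, SMTP'
    return $cert.Thumbprint
}

# Usage:
# New-HybridCertificateRequest -SubjectFqdn $hybridSubject -Names $hybridNames
#   (submit C:\certs\hybrid.req to the CA, save the issued certificate as C:\certs\hybrid.cer)
# Install-HybridCertificate -CertFile 'C:\certs\hybrid.cer' -RequiredNames $hybridNames
```

Running the coverage check before `Enable-ExchangeCertificate` matters because binding a certificate that lacks one of the names silently breaks only the service that uses that name (for example Autodiscover) while the others keep working, which is harder to diagnose than a refused import.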