Can someone explain to me how a SAN SSL differs from a wildcard SSL cert?

I need to set up a trusted SSL for our Exchange server (was just using a local one) but it was giving us issues with users' iDevices etc., so I suppose I need a SAN SSL. Can anyone recommend a good SSL company with good prices / ease of use? (We currently use GoDaddy for SSL.)


I use GoDaddy for them. A SAN explicitly defines the names.

mail.domain.com

autodiscover.domain.com

etc

A wildcard accepts all *.domain.com

Exchange likes the SAN, and so do the devices.

Additionally, the wildcard SSLs tend to be more expensive. Also, wildcard SSLs aren’t really considered “best practice” to use (security-wise) since they don’t explicitly and specifically present the name of the site/server. Just my two cents.

As has been mentioned, with a SAN you list specific names you want secured… So on your SAN you might specify mail.yourcompany.com and www.yourcompany.com. A wildcard cert will cover everything under a specific domain so *.yourcompany.com will cover mail.yourcompany.com, www.yourcompany.com, ftp.yourcompany.com, and so on. Hence they are more expensive.

I have used DigiCert for SAN certs specifically for Exchange and found their pricing to be competitive and their resources/guides very helpful in getting things installed.
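The coverage difference described in the replies above, as an added example that is not part of the thread: a small matcher that checks which client hostnames a SAN list or a wildcard entry covers. It assumes the RFC 6125 rule that `*` stands for exactly one left-most label; `domain.com` names are the thread's placeholders, and `owa.mail.domain.com` is constructed for illustration.

```python
# Added example: hostnames are placeholders, not real deployments.

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName entry against a hostname.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so '*.domain.com' covers neither 'domain.com'
    nor 'a.b.domain.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels after the wildcard (no '*.com').
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Partial wildcards such as 'm*.domain.com' are rejected outright.
    return "*" not in pattern and p_labels == h_labels


def coverage_report(san_entries, hostnames):
    """Return {hostname: True/False} for one certificate's name list."""
    return {
        h: any(name_matches(p, h) for p in san_entries) for h in hostnames
    }


# Constructed name lists for the two certificate styles discussed.
SAN_CERT = ["mail.domain.com", "autodiscover.domain.com"]
WILDCARD_CERT = ["*.domain.com"]

# Names a client might connect to (constructed sample input).
CLIENT_NAMES = [
    "mail.domain.com",
    "autodiscover.domain.com",
    "ftp.domain.com",
    "domain.com",
    "owa.mail.domain.com",
]

if __name__ == "__main__":
    for label, cert in (("SAN", SAN_CERT), ("wildcard", WILDCARD_CERT)):
        print(label)
        for host, ok in coverage_report(cert, CLIENT_NAMES).items():
            print(f"  {host:26} {'covered' if ok else 'NOT covered'}")
```
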

It seems like wildcard certs are cheaper than a SAN cert in some cases? Are there any disadvantages to using a wildcard cert? (We already have one.)

Dan355E wrote:

It seems like wildcard certs are cheaper than a SAN cert in some cases? Are there any disadvantages to using a wildcard cert? (We already have one.)

Oh, another thing to consider: let’s say you get a wildcard SSL and you use it on more than one server and you forget to document exactly where you applied it. You will have to re-key and re-apply that cert onto every server you deployed it on, hoping you don’t miss one. Could get tough to manage if you let it get out of control. I generally don’t recommend wildcard SSLs in production applications.

Dan355E wrote:

It seems like wildcard certs are cheaper than a SAN cert in some cases? Are there any disadvantages to using a wildcard cert? (We already have one.)

Hi Dan, yes a wildcard SSL will only do external domain names e.g. mail@domain.com

With SAN SSL you can specify NetBIOS names and FQDNs internally and externally.

If you don’t use internal FQDNs and NetBIOS names you will probably run into connection issues and have to manually make DNS changes to get everything to work correctly.
