Do I really really need a new SSL certificate for Office 365 ?

When migrating to Office 365 from on premise Exchange, you may be following the hybrid route where an Exchange server is placed on site to act as a broker or intermediary between the Office 365 mail organisation and the on premise org.

For the on premise Exchange servers, you may well have a wildcard SSL certificate in place which serves you very well thank you very much. When you stand up your hybrid server, its easy to think “I know, I’ll just use my wildcard cert, that’s good enough as it will cover any names I need”.

Well, no, it doesn’t actually. Microsoft do have a list of pre-reqs for deploying the hybrid role at https://docs.microsoft.com/en-us/Exchange/hybrid-deployment-prerequisites where they make it nice and clear:

pic5

The important word there is must. It’s so important that the name used for autodiscover (usually autodiscover.yourdomain.com) is present in the SAN portion of the certificate that they even repeat the advice under the certificate requirements section at https://docs.microsoft.com/en-us/Exchange/certificate-requirements.

pic6

What happens if you are feeling brave and still want to use that wildcard certificate for your Exchange hybrid server ? All sorts of weird things. For a start, you will get certificate errors mentioning the name of the underlying host…. even though that’s not mentioned in autodiscover.

pic8

On top of that, you’re free busy information might not work instead displaying “Free / Busy information is not available”

pic7

So, do yourself a favour and buy yourself a nice shiny new cert with all of the names you need on it…. it’s far cheaper in the long run than to spend ages troubleshooting why things aren’t working… as I learned the hard way.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.