When migrating to Office 365 from on premise Exchange, you may be following the hybrid route where an Exchange server is placed on site to act as a broker or intermediary between the Office 365 mail organisation and the on premise org.

For the on premise Exchange servers, you may well have a wildcard SSL certificate in place which serves you very well thank you very much. When you stand up your hybrid server, its easy to think “I know, I’ll just use my wildcard cert, that’s good enough as it will cover any names I need”.

Well, no, it doesn’t actually. Microsoft do have a list of pre-reqs for deploying the hybrid role at https://docs.microsoft.com/en-us/Exchange/hybrid-deployment-prerequisites where they make it nice and clear:

The important word there is must. It’s so important that the name used for autodiscover (usually autodiscover.yourdomain.com) is present in the SAN portion of the certificate that they even repeat the advice under the certificate requirements section at https://docs.microsoft.com/en-us/Exchange/certificate-requirements.

What happens if you are feeling brave and still want to use that wildcard certificate for your Exchange hybrid server ? All sorts of weird things. For a start, you will get certificate errors mentioning the name of the underlying host…. even though that’s not mentioned in autodiscover.

On top of that, you’re free busy information might not work instead displaying “Free / Busy information is not available”

So, do yourself a favour and buy yourself a nice shiny new cert with all of the names you need on it…. it’s far cheaper in the long run than to spend ages troubleshooting why things aren’t working… as I learned the hard way.