Certificates in Migrating from Exchange 2003 / Exchange 2007 to Exchange 2010

Having the Right Certs in the Migration to Exchange 2010

A common question about migrating from Exchange 2003 or Exchange 2007 to Exchange 2010 is which SSL certificates need to be acquired for a smooth migration.  If you follow Microsoft's guide for migrating to Exchange 2010, you would put the new Exchange 2010 name and the address of your old OWA server together in a single Subject Alternative Name (SAN) certificate.  The problem is that some CAs will not issue a new certificate that contains the fully qualified domain name of your old Exchange 2003 / 2007 OWA server while the existing certificate for that name is still valid; they ask you to revoke the old certificate first.  But if you revoke the old certificate, your users are offline for remote email for the duration of the migration.

Jeff Guillet, one of the consultants here at Convergent Computing, put together the following write-up, which hopefully clarifies the whole certificate question during the migration process...


The secret to success is that you need to order a new UCC (SAN) or wildcard cert for the old Exchange 2003 or 2007 OWA servers. 

You can order any ONE of the following certs (assuming that webmail.conteso.com is the public FQDN for the new OWA 2010 server):

  • SAN Cert #1: Subject Name: legacy.conteso.com; Subject Alternative Name (SAN): webmail.conteso.com
  • SAN Cert #2: Subject Name: webmail.conteso.com; Subject Alternative Name (SAN): legacy.conteso.com
  • Wildcard Cert #1: Subject Name: legacy.conteso.com; Subject Alternative Name (SAN): *.conteso.com
  • Wildcard Cert #2: Subject Name: webmail.conteso.com; Subject Alternative Name (SAN): *.conteso.com

Order whichever cert makes the most economic sense and your cert provider will allow you to buy.  Wildcard certs are usually more expensive than SAN certs, but are usually easier to configure and allow more flexibility.  But since this is probably going to be used for a short-term co-existence scenario, go with what's cheapest.  Some CA providers do not offer SAN or UCC certs, so that may limit your choices.  Some of the common lower-cost public CA providers like DigiCert or GoDaddy provide SAN/UCC certs, as do the mainstream providers like VeriSign and Thawte.

If your CA provider won't let you order a new cert using the same Subject Name as what you're already using, you'll probably have to go with SAN Cert #1 or Wildcard Cert #1.

You can replace the existing cert on the 2003/2007 OWA servers with the new certificate, with only a momentary outage as the certificate is replaced.  After that, the existing 2003/2007 users will still be able to access OWA because the OWA server will use the new cert for SSL as both webmail.conteso.com and legacy.conteso.com.  Test it from the private network, using both FQDNs.

Once you have the certs in place on the legacy configuration, you can proceed with Microsoft's instructions for certificates in a migration to Exchange 2010 at http://technet.microsoft.com/en-us/library/ee332348.aspx.
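The test step above ("test it from the private network, using both FQDNs") is easy to get wrong by eye, so here is a small checker. It is an added example written for this page, not code from the original post, from Jeff Guillet or from Convergent Computing. It encodes the four candidate certificates from the list above as constructed (subject, SAN) pairs, applies the hostname-matching rules a client uses (a `*` covers exactly one leftmost label, so `*.conteso.com` does not cover `conteso.com` or `owa.eu.conteso.com`), and optionally connects to the real OWA front end and asks OpenSSL to verify the served certificate against each name. `conteso.com` is the article's own placeholder domain; the function and label names are my own.

```python
"""Which public names does each candidate OWA certificate cover?

Added example for the Exchange 2003/2007 -> 2010 co-existence scenario.
Not from the original article.  CANDIDATE_CERTS is constructed data
mirroring the four options listed in the article.
"""
import socket
import ssl
import sys

# (subject CN, [SAN entries]) for the four options in the article.
CANDIDATE_CERTS = {
    "SAN Cert #1":      ("legacy.conteso.com",  ["webmail.conteso.com"]),
    "SAN Cert #2":      ("webmail.conteso.com", ["legacy.conteso.com"]),
    "Wildcard Cert #1": ("legacy.conteso.com",  ["*.conteso.com"]),
    "Wildcard Cert #2": ("webmail.conteso.com", ["*.conteso.com"]),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison.  Case-insensitive; a leading '*.' covers
    exactly one leftmost label (the only wildcard form public CAs issue),
    so *.conteso.com matches webmail.conteso.com but not conteso.com
    itself and not owa.eu.conteso.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".conteso.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_covers(subject_cn: str, sans: list, hostname: str,
                cn_fallback: bool = True) -> bool:
    """True if a client would accept this cert for hostname.

    Strict clients (RFC 6125, and every current browser) ignore the
    subject CN as soon as a SAN extension is present; CAs therefore
    normally repeat the CN inside the SAN list.  cn_fallback=True models
    a cert where that was done (or a legacy client that still reads the
    CN); pass cn_fallback=False to see what a strict client does if the
    CA did NOT repeat the CN in the SAN list."""
    names = list(sans)
    if cn_fallback or not names:
        names.append(subject_cn)
    return any(_name_matches(n, hostname) for n in names)


def uncovered_names(cert_label: str, hostnames: list,
                    cn_fallback: bool = True) -> list:
    """Names from hostnames that the given candidate cert would NOT cover."""
    subject_cn, sans = CANDIDATE_CERTS[cert_label]
    return [h for h in hostnames
            if not cert_covers(subject_cn, sans, h, cn_fallback)]


def strict_client_accepts(server_name: str, host: str = None,
                          port: int = 443, timeout: float = 5.0):
    """Live check for the post-replacement test: connect to the OWA front
    end (host defaults to the name itself; pass an IP to bypass DNS) and
    let OpenSSL verify chain and hostname exactly as a modern client does.
    Returns (accepted, detail)."""
    ctx = ssl.create_default_context()        # verify chain + hostname
    try:
        with socket.create_connection((host or server_name, port),
                                      timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message       # e.g. hostname mismatch
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Names the legacy front end must answer for during co-existence.
    wanted = ["webmail.conteso.com", "legacy.conteso.com"]
    for label in CANDIDATE_CERTS:
        missing = uncovered_names(label, wanted)
        print(f"{label:17s} -> {'OK' if not missing else 'missing ' + str(missing)}")
    # Optional live check: python owacheck.py <fqdn> [ip]
    if len(sys.argv) > 1:
        ok, detail = strict_client_accepts(sys.argv[1],
                                           sys.argv[2] if len(sys.argv) > 2 else None)
        print(sys.argv[1], "accepted" if ok else "REJECTED:", detail)
```

Two caveats a practitioner should take from this. First, after the issued certificate arrives, confirm that the CA placed the subject name in the SAN list as well as the CN: a client that follows RFC 6125 only looks at the SAN list, so "SAN Cert #1" with a bare CN of legacy.conteso.com would fail for that name on such a client (the `cn_fallback=False` case). Second, the IIS versions under Exchange 2003/2007 serve one certificate per IP:port binding, so the live check does not depend on SNI; the `server_name` argument only tells the client which name to verify against, which is why passing the server's IP as `host` lets you run the test before public DNS changes.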


Copyright © 2010 IDG Communications, Inc.