I have a single in-house Exchange 2013 server and, after getting tired of dealing with the constant popups regarding the self-issued certificate, to say nothing of various phones that simply will not accept it without complications, I am doing this correctly and going through the process of purchasing a Comodo SSL certificate. My question is regarding how to ensure that the various SANs are covered. I need the following:
- mail.mydomain.com This points to the public IP of my firewall/router so users can connect to https://mail.mydomain.com to get their Exchange e-mail on their phones or https://mail.mydomain.com/owa (for Outlook Web Access in a browser)
- gateway.mydomain.com This points to the same public IP above; it is just an alternate name that some users have for connecting to e-mail.
- autodiscover.mydomain.com This is required by Exchange, both internally and externally.
So my core question is this: what is the process of getting all three of those covered by one SSL cert? I want to place the order correctly so I do not have to redo it.
In addition, I think I need one for MyExchangeServer (FQDN: MyExchangeServer.mydomain.local, not .com, due to historical setup of our ActiveDirectory domain as .local instead of .com), the local name of my Exchange server so that Outlook in the office can connect to the Exchange server locally, without having to go through the WAN. I think I read somewhere that .local would no longer be supported or allowed for public SSL certificates since 2015, but I am not sure if that was from a specific SSL cert provider or is industry-wide. If it is true that this is no longer supported, then I believe I will have to switch to split DNS to ensure that internal references to mail.mydomain.com point directly to MyExchangeServer.