Wildcards not supported, what about one cert with SANs for everything?

  • Question

  • It's known that wildcard certs aren't supported with OCS, but if a company wanted to save money, could they request a certificate for sip.contoso.com that included all the public names of all the edge servers and pools buried in it?  Just one giant cert for all of OCS?  Obvious security reasons aside, would this work functionally?  Has anyone set one up like this?

    For example:
    SAN: ocsstandardpool.contoso.com
    SAN: ocsedgeinternal.contoso.com
    SAN: ocsedgeexternal.contoso.com
    SAN: ocsedgeweb.contoso.com
    SAN: ocsedgeavauth.contoso.com
    SAN: ocsCWA.contoso.com

    And apply it to anything that wants a certificate?
    Wednesday, July 15, 2009 2:38 PM
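The following is an added example, not part of the original question or of any OCS documentation. It builds a throwaway self-signed certificate carrying exactly the SAN list from the question (plus sip.contoso.com itself as a SAN, since TLS clients ignore the CN once a SAN extension is present), then asks OpenSSL which hostnames a client would accept against it. It assumes OpenSSL 1.1.1 or newer (for `-addext` and `x509 -ext`); the certificate and names are purely for demonstration and the real cert would have to come from a public CA.

```shell
#!/bin/sh
# Added example (not from the thread): generate a self-signed test certificate
# whose subjectAltName lists every name from the question, then check which
# hostnames a TLS client would accept. Names are the question's sample names;
# the key and certificate are throwaway artefacts in a temporary directory.
set -e

WORKDIR="$(mktemp -d)"
CERT="$WORKDIR/ocs-san.pem"
KEY="$WORKDIR/ocs-san.key"

# The SAN list from the question plus the subject name itself. Clients that
# see a SAN extension match only against it, so the CN must be repeated here.
SAN_NAMES="sip.contoso.com ocsstandardpool.contoso.com ocsedgeinternal.contoso.com ocsedgeexternal.contoso.com ocsedgeweb.contoso.com ocsedgeavauth.contoso.com ocsCWA.contoso.com"

# Build the OpenSSL extension string "subjectAltName=DNS:a,DNS:b,..."
san_ext() {
    ext=""
    for n in $SAN_NAMES; do
        ext="${ext}${ext:+,}DNS:$n"
    done
    printf 'subjectAltName=%s' "$ext"
}

# Generate a throwaway key and self-signed certificate carrying the SAN list
# (-addext requires OpenSSL 1.1.1 or newer).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$KEY" -out "$CERT" \
        -subj "/CN=sip.contoso.com" \
        -addext "$(san_ext)" >/dev/null 2>&1
}

# Print the DNS names the certificate actually carries, one per line.
list_sans() {
    openssl x509 -in "$CERT" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Exit 0 if a TLS client would accept this certificate for hostname $1, else 1.
# The self-signed cert is used as its own trust anchor so that only the
# hostname check decides the outcome.
accepts_name() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

make_cert
echo "Names carried by the certificate:"
list_sans
for n in $SAN_NAMES unlisted.contoso.com; do
    if accepts_name "$n"; then echo "ACCEPT $n"; else echo "REJECT $n"; fi
done
```

Every listed name is accepted and `unlisted.contoso.com` is rejected, which is the functional answer to the question: a SAN certificate covers precisely the names enumerated in it, so any new pool or edge role means reissuing the cert. The operational cost the question sets aside is that one certificate on every server means one private key on every server, so a compromise of any single host exposes the identity of all of them.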

All replies

  • You can use a single cert for the 3 external Edge roles, but there are some caveats to the way that the Web Conferencing role selects and displays the name correctly in the configuration.  It's not a recommended deployment, but many people have gotten it to work.  But using the same cert on multiple servers for all the other roles probably hasn't been attempted and I would think would be a major headache.  The internal servers typically utilize free, Internal certs so there is no need to over-complicate that.  Also, UC SAN certs are typically many times the cost of a standard certificate so in the long run it might be cheaper to have 2-3 certs for the 2-3 OCS servers.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Thursday, July 16, 2009 11:42 AM