Now that we understand the load balancing and namespace planning principles and how clients connect in an Exchange 2013 environment that has Exchange 2007 and/or Exchange 2010 deployed, the proper certificates can be constructed and deployed as part of the upgrade process.
There are a few rules you should follow in crafting your certificates:
- Use as few certificates as possible.
- Use as few host names as possible.
- Utilize the Subject Alternative Name (SAN) attribute on the certificate.
- Use the Exchange Certificate Wizard within the Exchange Admin Center to request certificates.
- Deploy the same certificate across all CAS in the datacenter pair.
- Deploy Vista SP1 or later clients so that you do not have to worry about the certificate principal name value.
Wildcard certificates are an option as well. A wildcard certificate for *.contoso.com results in a certificate that will work for mail.contoso.com, legacy.contoso.com, and autodiscover.contoso.com namespaces.
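The following check is an added example, not code from the original blog: it compares a planned namespace list with a certificate's SAN entries, treating a wildcard as exactly one left-most label. The function names `Test-SanMatch` and `Get-NamespaceCoverage` are hypothetical, and `contoso.com` and `mail.emea.contoso.com` are constructed edge cases added to show what `*.contoso.com` does not cover.

```powershell
# Added example: pure string logic, no Exchange cmdlets required.
# Function names are hypothetical; host names are constructed sample values.

function Test-SanMatch {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$SanEntry
    )
    $h = $HostName.TrimEnd('.').ToLowerInvariant()
    $s = $SanEntry.TrimEnd('.').ToLowerInvariant()
    if ($s.StartsWith('*.')) {
        # A wildcard stands for exactly one left-most label.
        $suffix = $s.Substring(1)   # e.g. ".contoso.com"
        if (-not $h.EndsWith($suffix)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($h -eq $s)
}

function Get-NamespaceCoverage {
    param(
        [Parameter(Mandatory)][string[]]$Namespaces,
        [Parameter(Mandatory)][string[]]$SanEntries
    )
    foreach ($name in $Namespaces) {
        # First SAN entry that covers this namespace, or $null if none does.
        $hit = $SanEntries |
            Where-Object { Test-SanMatch -HostName $name -SanEntry $_ } |
            Select-Object -First 1
        [pscustomobject]@{
            Namespace = $name
            Covered   = [bool]$hit
            MatchedBy = $hit
        }
    }
}

# Namespaces from the text, plus two constructed edge cases (bare domain, two-level host).
$planned = 'mail.contoso.com', 'legacy.contoso.com', 'autodiscover.contoso.com',
           'contoso.com', 'mail.emea.contoso.com'

# Wildcard certificate versus an explicit SAN list.
Get-NamespaceCoverage -Namespaces $planned -SanEntries '*.contoso.com' | Format-Table -AutoSize
Get-NamespaceCoverage -Namespaces $planned -SanEntries 'mail.contoso.com',
    'legacy.contoso.com', 'autodiscover.contoso.com' | Format-Table -AutoSize
```

On an Exchange server, the SAN list of an installed certificate can be taken from the `CertificateDomains` property of the objects returned by `Get-ExchangeCertificate`.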
To understand what host names should be included in the certificate request, three scenarios will be considered that leverage the architecture principles discussed in the prior articles.
Read the complete blog at http://blogs.technet.com/b/exchange/archive/2014/03/19/certificate-planning-in-exchange-2013.aspx