SOLVED

Certificate Requirements for a Hybrid Deployment


The article at https://technet.microsoft.com/en-us/library/hh563848(v=exchg.150).aspx states:

"When configuring a hybrid deployment, you must use and configure certificates that you have purchased from a trusted third-party CA. The certificate used for hybrid secure mail transport must be installed on all on-premises Mailbox (Exchange 2016 and newer), and Mailbox and Client Access (Exchange 2013 and older) servers"

Does this imply that in a 2007/2013 deployment the certificate must be installed on the 2013 CAS server AND all 2007 Mailbox & Client Access Servers?

Output from the EDA only documents installation on the internet facing 2013 CAS server.

5 Replies

Hi Ian,

It is always a best practice to have the same certificate across the whole Exchange environment.

You can have multiple certificates, but it is best to accomplish a homogeneous environment with the same certificates to avoid problems.


Completely agree, just re-use the same cert. That is what we do with every single one of our customers' deployments, and it works like a charm!

The question was really around the servers on which this certificate should be installed. It's clear it is generated and installed on the 2013 server, as it's the endpoint for all incoming connections, but the EDA makes no mention of installing the certificate on the 2007 servers, although it makes complete sense to do so.
Best Response confirmed by Ian Moran (Regular Contributor)
Solution
Hey Ian,

For the purpose of the wizard, only the endpoint/connection point that you are making with O365 is required/needed.

But you should have the same cert going on all your servers in an ideal world.

Adam
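A way to check the advice above across the whole organisation, as an added example that is not part of the thread: from an Exchange 2013 Management Shell, list every Exchange server and report whether the hybrid certificate (identified by its thumbprint, a placeholder here) is present and enabled for SMTP. The `-Server` parameter of `Get-ExchangeCertificate` is assumed to work against the servers queried; it was introduced in Exchange 2010, so 2007 servers may need the cmdlet run locally instead.

```powershell
# Added example (not from the thread): verify that one hybrid certificate is
# installed and SMTP-enabled on every on-premises Exchange server.
# Assumes an Exchange 2013 Management Shell; replace the placeholder with the
# thumbprint of your own third-party hybrid certificate.
$HybridThumbprint = 'REPLACE-WITH-HYBRID-CERT-THUMBPRINT'

$report = foreach ($server in Get-ExchangeServer) {
    $cert = $null
    $queryError = $null
    try {
        # -Server is an Exchange 2010+ parameter; a 2007 server may reject it.
        $cert = Get-ExchangeCertificate -Server $server.Name -ErrorAction Stop |
                Where-Object { $_.Thumbprint -eq $HybridThumbprint }
    } catch {
        $queryError = $_.Exception.Message
    }

    # Services is a flags enum (IMAP, POP, IIS, SMTP); SMTP must be enabled for
    # hybrid secure mail transport to use this certificate.
    $smtpEnabled = $false
    $expires = $null
    $detail = $queryError
    if ($cert) {
        $smtpEnabled = ($cert.Services.ToString() -match 'SMTP')
        $expires = $cert.NotAfter
        $detail = $cert.Issuer
    }

    [pscustomobject]@{
        Server      = $server.Name
        Version     = $server.AdminDisplayVersion
        CertPresent = [bool]$cert
        SmtpEnabled = $smtpEnabled
        Expires     = $expires
        Detail      = $detail      # issuer when found, otherwise the query error
    }
}

# Rows with CertPresent=False or SmtpEnabled=False are servers that cannot
# take part in hybrid secure mail transport with this certificate.
$report | Format-Table -AutoSize
```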
Thanks for clarification Adam