You have a bigger installation than us – but I guess the principle is the same. My advice would probably be to take small, reversible steps. I would start by setting up an OpenSSL certificate structure. You don’t have to do it proper CA hierarchy like I did, you could have just a root CA and use that to sign all certificates in your company. Use a global policy in your Windows domain to get the root CA certificate out to as many clients as possible. Once you have done that you can install the mail certificate on the edge Exchange servers (or perhaps the ISAs). Then try to assign the new certificate to Exchange. If it doesn’t work, just switch back.

Firstly – nice article, and glad to know that we aren’t alone on this one.

We have a similar situation with Symbian phones. However our Exchange 2007 set-up (to which we are in the process of migrating users from our 2003 set-up) consists of two ISAs, two CASs, two HUBs and three backend servers. We have a SAN certificate installed (believe it is on the ISAs and the CASs). Our users are limited to rpc/https access only and like you we have a mixture of clients, typiclaly Outlook 2003, some Outlook 2007 and a wide variety of phones. We also suport OWA as well.

My question is:

Is there any danager in installing a new certificate using OpenSSL which might make a mess of things for users that aren’t experinceing any problems at all?

BRgds
Kris