What Exchange server certificates are how they’re used

Microsoft Exchange and Microsoft Communications Servers are notorious for being difficult to install SSL certificates on. Or rather, they were difficult before some more recent updates caused them to start playing nicer. Still, this initial problem led to the creation of a very specific, purpose-made kind of SSL certificate called a unified communication certificate, or what’s known as a UCC. (Some people also call them Exchange SSL certificates, though most defer to using the acronym “UCC.”)

How Exchange SSL Certificates Differ from Traditional SSL Certificates

As we mentioned, a UCC is just a variant of an SSL certificate that’s designed specifically for Exchange servers.

Because of the way Exchange servers have traditionally run, a UCC can function as a multi-domain or wildcard certificate depending on how you need it configured. While UCCs can’t secure the 250 domains a standard multi-domain offers, it can still secure dozens of websites residing on the same Exchange server.

Purchasing a UCC is just as simple as purchasing any other SSL certificate: Simply pick the one you’d like and pay for it, then generate your certificate signing request (CSR) and private key on your Exchange server and send it along to the certificate authority (CA) you’ve chosen. Validation typically takes just a day or two, at most, then you’ll be able to install it and secure your websites.

Just as with other SSL certificates, installing a UCC on an Exchange server is a very straightforward process — one that can be performed in under 10 minutes simply by following one of our installation guides.

Granted, nowadays, you can also secure Exchange server with other, non-UCC SSL certificates, too. But for the sake of purity we still recommend deploying UCCs on Exchange and Microsoft Communications servers because they’re designed for that exact purpose.

What to know about the type of SSL certificate that protects multiple domains on multiple servers

Unified communication certificates, or UCCs, are one of the most misunderstood certificate types in the SSL industry. Frankly, a standard UCC SSL certificate is a regular point of confusion. So, we’ve written this brief guide to help demystify the acronym a bit for our customers.

UCC certificates are basically multi-domain/SAN certificates that have been specifically designed for Microsoft Exchange and Office Communications servers. Nowadays, more modern versions of those servers play nicely with other SSL certificates. But, originally, they were fairly finicky and required their own iteration of an SSL certificate. Hence, the creation of UCCs. A unified communication certificate (UCC) can secure up to 250 different domains, provided they’re hosted on one of those two server types. UCC can actually be used on multiple servers at once, too. They just need to be Exchange or Office Communications servers.

How to Get a Standard UCC SSL Certificate Issued

You get a standard UCC SSL certificate issued just like you would a multi-domain certificate: You list your main domain as the fully-qualified domain name (FQDN), and each additional domain goes in the Subject Alternative Name (SAN) field. This can be done for up to 250. Most UCCs come packaged with two to four SANs, with additional for purchase as needed.

Once the certificate authority (CA) performs validation, which will include a domain control check on each listed domain, it issues the certificate. This can be installed on as many servers as you need. Keep in mind: All of these domains will be using the same standard UCC SSL certificate, which also means using the same public and private key pair. This means it would be wise to rotate keys regularly or to use multiple, concurrent private keys to limit their exposure and the risk that entails.

One of the least known aspects of the UCC is that it can also function as a multi-domain wildcard, securing additional domains and associated sub-domains at a single level of the URL. This makes them especially versatile, but also explains why you can’t get an extended validation (EV) UCC if you use wildcard SANs. Let’s just say the Certificate Authority/Browser Forum (CA/B Forum) not only frown upon but outright prohibit the issuance of EV wildcard SSL certificates.