What to know about the type of SSL certificate that protects multiple domains on multiple servers
Unified communication certificates, or UCCs, are one of the most misunderstood certificate types in the SSL industry. Frankly, a standard UCC SSL certificate is a regular point of confusion. So, we’ve written this brief guide to help demystify the acronym a bit for our customers.
UCC certificates are basically multi-domain/SAN certificates that have been specifically designed for Microsoft Exchange and Office Communications servers. Nowadays, more modern versions of those servers play nicely with other SSL certificates. But, originally, they were fairly finicky and required their own iteration of an SSL certificate. Hence, the creation of UCCs. A unified communication certificate (UCC) can secure up to 250 different domains, provided they’re hosted on one of those two server types. A UCC can actually be used on multiple servers at once, too. They just need to be Exchange or Office Communications servers.
How to Get a Standard UCC SSL Certificate Issued
You get a standard UCC SSL certificate issued just like you would a multi-domain certificate: You list your main domain as the fully-qualified domain name (FQDN), and each additional domain goes in the Subject Alternative Name (SAN) field. This can be done for up to 250 domains. Most UCCs come packaged with two to four SANs, with additional SANs available for purchase as needed.
Once the certificate authority (CA) performs validation, which will include a domain control check on each listed domain, it issues the certificate. This can be installed on as many servers as you need. Keep in mind: All of these domains will be using the same standard UCC SSL certificate, which also means using the same public and private key pair. This means it would be wise to rotate keys regularly or to use multiple, concurrent private keys to limit their exposure and the risk that entails.
One of the least known aspects of the UCC is that it can also function as a multi-domain wildcard, securing additional domains and associated sub-domains at a single level of the URL. This makes them especially versatile, but also explains why you can’t get an extended validation (EV) UCC if you use wildcard SANs. Let’s just say the Certificate Authority/Browser Forum (CA/B Forum) not only frowns upon but outright prohibits the issuance of EV wildcard SSL certificates.
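The sketch below is an added example, not code from this page or from any CA. It checks a planned name list before a UCC is requested: the name count against the 250 limit, whether a wildcard SAN rules out EV, and which hosts a single-level wildcard leaves uncovered. The function names and the example.com/example.net hosts are hypothetical, and counting the main FQDN toward the 250 is an assumption.

```python
MAX_NAMES = 250  # limit stated on this page; counting the main FQDN is an assumption


def is_wildcard(name):
    return name.startswith("*.")


def san_covers(san, hostname):
    """True if one certificate name covers hostname.

    A wildcard stands in for exactly one label: *.example.net covers
    owa.example.net, but not a.b.example.net and not example.net itself.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not is_wildcard(san):
        return san == hostname
    first_label, dot, rest = hostname.partition(".")
    return bool(first_label) and dot == "." and rest == san[2:]


def review_plan(names, hosts_to_serve):
    """Review a planned certificate; names = main FQDN followed by the SANs."""
    names = list(dict.fromkeys(n.lower() for n in names))  # de-duplicate, keep order
    wildcards = [n for n in names if is_wildcard(n)]
    return {
        "name_count": len(names),
        "within_limit": len(names) <= MAX_NAMES,
        "wildcards": wildcards,
        "wildcard_blocks_ev": bool(wildcards),  # EV is not issued with wildcard names
        "uncovered_hosts": [h for h in hosts_to_serve
                            if not any(san_covers(n, h) for n in names)],
    }


if __name__ == "__main__":
    # Constructed sample plan and host inventory.
    plan = ["mail.example.com", "autodiscover.example.com", "*.example.net"]
    hosts = ["mail.example.com", "owa.example.net", "a.b.example.net", "example.net"]
    for key, value in review_plan(plan, hosts).items():
        print(f"{key}: {value}")
```

Hosts reported as uncovered need their own SAN entry, since the wildcard reaches only one label deep.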