UCC Multi-Domain Certificate

One certificate for Exchange, Office 365 and multi-domains.

UCC (Unified Communications Certificate), also called SAN certificates, allow securing multiple domains and subdomains with a single certificate.

They are particularly suited for Microsoft Exchange, Lync/Skype, and multi-domain environments.

This guide covers use cases, selection and configuration of UCC certificates.

What is a UCC Certificate

UCC certificate characteristics:

  • Multi-domain: one certificate for multiple distinct domains.
  • SAN (Subject Alternative Names): list of additional covered domains.
  • UC compatible: designed for Exchange, Lync, Skype for Business.
  • Scalable: add domains without replacing the certificate.

UCC Benefits

Why choose a UCC certificate:

  • Simplicity: one certificate to manage for all your domains.
  • Savings: cheaper than individual certificates.
  • Exchange ready: covers Autodiscover, OWA, EWS, etc.
  • Flexibility: mix domains and subdomains.

Exchange Configuration

UCC deployment on Exchange:

  1. List names: identify all needed names (mail, autodiscover, etc.).
  2. Order certificate: include all SANs in the order.
  3. Install on Exchange: import the PFX and assign to services.
  4. Verify: test Outlook, OWA and Autodiscover.

Typical Exchange Names

SAN list for an Exchange deployment:

# Typical names for Exchange/O365
mail.example.com          # OWA, ActiveSync
autodiscover.example.com  # Autodiscover mandatory
outlook.example.com       # Optional but common
ews.example.com          # Exchange Web Services
mapi.example.com         # MAPI over HTTP

# For multi-tenant
mail.domain1.com
autodiscover.domain1.com
mail.domain2.com
autodiscover.domain2.com

# PowerShell - Import on Exchange
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "c:\cert.pfx" -Encoding byte -ReadCount 0)) -Password:(ConvertTo-SecureString -String "password" -AsPlainText -Force)

# Assign to services
Enable-ExchangeCertificate -Thumbprint "THUMBPRINT" -Services "IIS,SMTP,IMAP,POP"

Autodiscover is crucial for Outlook to work properly.

UCC Best Practices

Tips for UCC certificates:

  • Plan SANs: list all needed names before purchase.
  • Include variations: mail and www, with and without root domain.
  • Plan for expansion: some providers allow adding SANs later.
  • Test Autodiscover: use testconnectivity.microsoft.com.

UCC Checklist

  • All names listed
  • Autodiscover included
  • Certificate ordered with all SANs
  • Installed on server
  • Assigned to services
  • Outlook and OWA tested

Frequently Asked Questions

UCC vs Wildcard?

UCC covers specific domains, Wildcard covers all subdomains of one domain.

How many SANs can I have?

Depending on provider, from 25 to 250 SANs. Check before purchase.

Can I add a SAN after purchase?

Some providers allow it with an additional fee. Others require reissuance.

Does UCC work with O365?

For hybrid O365 yes. For pure O365, Microsoft manages certificates.

Can I mix domains and wildcards?

Yes, some providers allow including wildcards in SANs.

Is the first SAN special?

Yes, the first SAN is also the certificate's Common Name (CN).

Simplify with UCC

UCC certificates are ideal for multi-domain environments and Microsoft Exchange.

Monitor your UCC expiration with MoniTao to keep your communications secure.

Useful Links

Ready to Sleep Soundly?

Start free, no credit card required.

Create My Account See pricing