This is starting to become a huge pet peeve for me that seems to get fed on a daily basis. I have written about it several times in the Microsoft forums because there is so much confusion.
When it comes to our choices for the public interface for Edge servers, we have the following:
- A certificate that uses a single name, the subject name, for each Edge role. That ends up being one cert for the Access Edge role and one cert for the Web Conferencing Edge role. Two individual certs.
- A Unified Communications Certificate (UCC) that has our Access Edge role name as the subject name, and subject alternative names (yes, we use the Access Edge name for the first SAN entry) for the Access Edge and the Web Conferencing role names.
- Any certificate that supports server authentication and contains SAN fields, so we can do the same thing as with the UCC.
- An internal/private CA that can issue a cert like the one in option 3. The problem with an internally issued cert is that the trusted root authority list on every client computer that will connect from the Internet must have the CA’s root cert imported into the certificate store.
There is NO requirement that we have to use a UCC. Really, when you get down to it, a UCC is nothing more than a marketing name that makes us think it is worth more than any other certificate that supports server authentication and SAN entries.
In other words, don’t waste your money on a UCC from an “approved vendor” when a cert from any third-party trusted vendor will meet your needs.
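As an added example (not part of the original post), here is a quick way to confirm that whatever cert you bought has the shape described in option 3: the Access Edge name as the subject and first SAN entry, the Web Conferencing name as a second SAN entry, and the server authentication EKU. The host names sip.example.com and webconf.example.com are constructed placeholders, and the self-signed cert stands in for the one your CA would issue; the same `-addext` lines produce a CSR if you drop `-x509`.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a stand-in cert in the
# shape the post describes and checks it the way you would check a purchased one.
# Names are constructed placeholders for an Access Edge and a Web Conferencing Edge.
set -e
ACCESS_EDGE="sip.example.com"
WEBCONF_EDGE="webconf.example.com"
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed stand-in for the CA-issued cert: subject = Access Edge name,
# SAN lists the Access Edge name first, then the Web Conferencing name,
# EKU = server authentication (what "supports server authentication" means).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/edge.key" -out "$WORK/edge.crt" \
  -subj "/CN=$ACCESS_EDGE" \
  -addext "subjectAltName=DNS:$ACCESS_EDGE,DNS:$WEBCONF_EDGE" \
  -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1

# check_edge_cert CERT ACCESS_NAME WEBCONF_NAME
# Returns 0 only when the cert (a) carries the serverAuth EKU, (b) lists both
# role names in the SAN, and (c) has the Access Edge name as the first SAN entry.
check_edge_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" || return 1
  # The SAN values are printed on the line after the extension header.
  san=$(printf '%s\n' "$text" | grep -A1 "Subject Alternative Name" | tail -n 1)
  printf '%s\n' "$san" | grep -q "DNS:$2" || return 1
  printf '%s\n' "$san" | grep -q "DNS:$3" || return 1
  first=$(printf '%s\n' "$san" | sed -e 's/^ *//' -e 's/,.*//')
  [ "$first" = "DNS:$2" ]
}

if check_edge_cert "$WORK/edge.crt" "$ACCESS_EDGE" "$WEBCONF_EDGE"; then
  echo "edge cert OK: serverAuth EKU, both role names in SAN, Access Edge listed first"
else
  echo "edge cert NOT OK for the Edge public interface"
fi
```

Point `check_edge_cert` at the PEM file a third-party CA returned to see whether it will serve both Edge roles before you deploy it.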