Switching from self-signed certificates to commerical TLS/SSL cert: will it work the way I expect?

Question

New to the world of commercial certs, thanks in advance for any advice/guidance.

Our only outbound service is email, hosted on MS Exchange 2016 (2019 in medium-term future). Internally we have several services with browser interfaces. Most of these are hosted on MS Server 2016 boxes (also 2019 in medium-term future) but one is on RHEL 7.

I am trying to solve two problems: externally, many email recipients report delivery to junk/spam mail, although we're not on any blacklists and our reputation is neutral; and internally, browsers complain about the self-signed certs and some deny access entirely.

My reading suggests that I want a wildcard TLS/SSL certificate. Looks like I can install on multiple servers, both internal and external, as long as they all know the private key that generated the original CSR.

Am I reading internet info correctly, and do you see any red flags in what I'm trying to do? Thanks very much.

Answer 1

I am trying to solve two problems: externally, many email recipients report delivery to junk/spam mail, although we're not on any blacklists and our reputation is neutral; and internally, browsers complain about the self-signed certs and some deny access entirely.

To solve the first problem, you may need to setup SPF/DKIM/DMARC records in the public DNS for your domain. It is not really a problem related to certificates.

You can find many documents on the Internet about this topic.

To solve the second problem, you can either import the self-signed certificates to the Trusted Root Certification Authorities of the client devices to have them trust these certificates, or use a commercial certificate which by default will be trusted by the clients.

Here is a Microsoft document about Exchange certificates which may be helpful for your reference: Digital certificates and encryption in Exchange Server