Solved

GoDaddy Certificate Use With Exchange 2007 SP1

Posted on 2008-10-06
Last Modified: 2010-04-21
Just wanting some information is all. I am looking at SSL certs for our Exchg 2K7 SP1 server and don't want to spend the $$$ that some high-profile vendors are suggesting for UCC/Wildcard certs. Our org is small (< 250 users). I currently have a single URL cert and have that set up in ISA 2K6 SP1 and it is working OK. But, I used that just to get things up and going (a few months ago); i.e. OWA & mobile access. I'm looking at GoDaddy because of their price, but want to know about compatibility and the need to have to add the cert to local/client SSL stores to prevent the cert security warning. Is the GoDaddy cert compatible right off the bat, or do clients (whether desktops/laptops from home, or mobile devices) need to add the cert to their local (personal) SSL store to prevent the cert security warning? If this is needed for GoDaddy certs, can anyone suggest a good-priced, COMPATIBLE cert?

Thanks in advance for all advice/suggestions!
Question by:coolsport00
10 Comments
 
LVL 17

Assisted Solution

by:Andres Perales
Andres Perales earned 150 total points
ID: 22650629
It is a compatible cert; you do not need to distribute the certificate chain.
0
 
LVL 4

Expert Comment

by:Interserv
ID: 22650935
If you have Treos that use mobile access, GoDaddy is not in the Treo trusted certs.  If you are not using Treos, then GoDaddy should work fine as long as the phone that is using Mobile access trusts the CA.
0
 
LVL 40

Author Comment

by:coolsport00
ID: 22650998
That is my question "Interserv"...GoDaddy is the issuing CA; thus, is the cert trusted for clients/mobile devices?
0
 
LVL 17

Expert Comment

by:Andres Perales
ID: 22651064
It should be fine, I have a GoDaddy cert installed on my Treo and I have not done anything special to it!
0
 
LVL 4

Assisted Solution

by:Interserv
Interserv earned 100 total points
ID: 22651533
We had issues getting the intermediate GoDaddy cert to work on our Verizon Treos.  With Entrust or Thawte you do not need to do anything special with the phones and the price isn't outrageous like Verisign.  I'm not sure if our issue was a Treo-specific issue when we tried to use GoDaddy or if it was because Verizon likes to lock things down on their network, but our Entrust cert works great.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 22652718
Verisign is hands down the most compatible with any given product - if they have only one it would be them.  That being said, Thawte and GlobalSign are the next up - the few products that don't have them by default I think I have seen one.  GeoTrust (aka Equifax) is nice because they resell their age-old root to other commercial CAs like RapidSSL, so even though they are a 'newer' company (RapidSSL has been around for many years themselves, but still take advantage of the even older root cert from GlobalSign).

GoDaddy was issuing under another older root, but has been moving towards using their own new root, which does not have the age ubiquity that others will have.  It comes down to the specific product as to which root they are issuing under as last I checked they were issuing different products under different roots - I'm not sure when they intend to transition or if they already are for some products - they would answer that better themselves (although they may not be able to divulge timetables, they can definitely tell you which root they issue under).

RapidSSL would be my recommendation for lower price cert and ubiquity both in the environmental and age related sense.  
0
 
LVL 40

Author Comment

by:coolsport00
ID: 22660767
Well, last 'question' (completely related to this post tho)...

So, are you guys saying that a wildcard cert from GoDaddy will work with Exchange 2K7 and my mobile devices? Do you have experience with this or just going off what you've read around in other posts/websites?

Thanks.
0
 
LVL 31

Accepted Solution

by:Paranormastic
Paranormastic earned 250 total points
ID: 22661000
There is no reason that it should not work.  Depending on which type of handheld you have, it may or may not already have the root CA cert chain installed, but if not you could just download that from GoDaddy and install it.  Their ValiCert root is installed by default in Palm 6.1+, BlackBerry 4.1+, WinMobile 2005 AKU2+, Cingular WAP (any), and some newer Nokias.  That is from their ubiquity (compatibility) article, which talks about their older root:
http://help.godaddy.com/article/1140

If you need help with installing the root chain in Exchange:
http://help.godaddy.com/article/4877

You could also have this link for your clients to push the latest root certificate chain, if needed.  Here is the general article discussing the MS root certificate program - a bit further down are links on how to update it for various OS:
http://support.microsoft.com/kb/931125
Download link:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F814EC0E-EE7E-435E-99F8-20B44D4531B0&displaylang=en
Note that Vista/2008 will attempt to update the root cert automatically for unknown roots - if they exist in the MS root cert program then they will be downloaded individually as needed.
0
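
The trust-chain cases raised in this thread (a device that trusts the root but is never sent the intermediate, and a device whose store lacks the root altogether), reproduced offline with a constructed throwaway PKI. This is an added example, not part of the original posts; it assumes the `openssl` CLI is installed, and the CA names, host name and function names are made up for the demo.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI (all names are made up for this demo):
#   "Demo Root CA" -> "Demo Intermediate CA" -> leaf for mail.example.test

make_demo_chain() {   # $1 = existing, writable working directory
  d=$1
  # Own minimal config so the result does not depend on the system openssl.cnf
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=placeholder' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/demo.cnf"
  {
    openssl req -x509 -config "$d/demo.cnf" -extensions ca -newkey rsa:2048 -nodes \
      -subj '/CN=Demo Root CA' -days 2 -keyout "$d/root.key" -out "$d/root.pem" &&
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
      -subj '/CN=Demo Intermediate CA' -keyout "$d/int.key" -out "$d/int.csr" &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -CAcreateserial -extfile "$d/demo.cnf" -extensions ca -days 2 -out "$d/int.pem" &&
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
      -subj '/CN=mail.example.test' -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
      -CAcreateserial -days 2 -out "$d/leaf.pem" &&
    cat "$d/int.pem" "$d/root.pem" > "$d/sent-chain.pem"
  } >/dev/null 2>&1
}

# Client trusts the root; the server sends only its own certificate.
leaf_only_root_trusted() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}
# Client trusts the root; the server also sends the intermediate.
with_intermediate_root_trusted() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}
# Client store lacks the root; the server sends intermediate and root.
full_chain_root_unknown() {
  openssl verify -untrusted "$1/sent-chain.pem" "$1/leaf.pem" >/dev/null 2>&1
}

report() { if "$2" "$3"; then echo "$1: trusted"; else echo "$1: NOT trusted"; fi; }

demo_dir=$(mktemp -d)
make_demo_chain "$demo_dir" || { echo "openssl missing or failed" >&2; exit 1; }
report 'root in store, leaf only sent'         leaf_only_root_trusted "$demo_dir"
report 'root in store, intermediate sent'      with_intermediate_root_trusted "$demo_dir"
report 'root NOT in store, full chain sent'    full_chain_root_unknown "$demo_dir"
rm -rf "$demo_dir"
```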
 
LVL 40

Author Comment

by:coolsport00
ID: 22668580
Well...I went ahead and got a GoDaddy cert (((nervously biting nails))) :)  And, I changed from a wildcard to a UCC cert; I don't like that I only get 5 URLs (could've added more for a bit more $$$), but it will suffice for now. I can increase the SANs next yr when I renew if need be I guess. Honestly, I didn't really get the answer I wanted, but was given GREAT info nonetheless. Thank you all for the posts/info.
0
 
LVL 40

Author Closing Comment

by:coolsport00
ID: 31623596
I split the points based on the effort given. Thanks!
0
