GoDaddy Certificate Use With Exchange 2007 SP1

Just wanting some information is all. I am looking at SSL certs for our Exchg 2K7 SP1 server and don't want to spend the $$$ that some high-profile vendors are suggesting for UCC/Wildcard certs. Our org is small (< 250 users). I currently have a single URL cert and have that set up in ISA 2K6 SP1 and it is working OK. But, I used that just to get things up and going (a few months ago); i.e. OWA & mobile access. I'm looking at GoDaddy because of their price, but want to know about compatibility and the need to have to add the cert to local/client SSL stores to prevent the cert security warning. Is the GoDaddy cert compatible right off the bat, or do clients (whether desktops/laptops from home, or mobile devices) need to add the cert to their local (personal) SSL store to prevent the cert security warning? If this is needed for GoDaddy certs, can anyone suggest a good-priced, COMPATIBLE cert?

Thanks in advance for all advice/suggestions!
coolsport00 Asked:
Paranormastic (Cryptographic Engineer) Commented:
There is no reason that it should not work.  Depending on which type of handheld you have, it may or may not already have the root CA cert chain installed, but if not you could just download that from GoDaddy and install it.  Their ValiCert root is installed by default in Palm 6.1+, BlackBerry 4.1+, WinMobile 2005 AKU2+, Cingular WAP (any), and some newer Nokias.  That is from their ubiquity (compatibility) article, which talks about their older root:
http://help.godaddy.com/article/1140

If you need help with installing the root chain in Exchange:
http://help.godaddy.com/article/4877

You could also have this link for your clients to push the latest root certificate chain, if needed.  Here is the general article discussing the MS root certificate program - a bit further down are links on how to update it for various OS:
http://support.microsoft.com/kb/931125
Download link:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F814EC0E-EE7E-435E-99F8-20B44D4531B0&displaylang=en
Note that Vista/2008 will attempt to update the root cert automatically for unknown roots - if they exist in the MS root cert program then they will be downloaded individually as needed.
0
 
Andres Perales Commented:
It is a compatible cert; you do not need to distribute the certificate chain.
0
 
Interserv Commented:
If you have Treos that use mobile access, GoDaddy is not in the Treo trusted certs.  If you are not using Treos, then GoDaddy should work fine as long as the phone that is using mobile access trusts the CA.
0
 
coolsport00 (Author) Commented:
That is my question "Interserv"...GoDaddy is the issuing CA; thus, is the cert trusted for clients/mobile devices?
0
 
Andres Perales Commented:
It should be fine, I have a GoDaddy cert installed on my Treo and I have not done anything special to it!
0
 
Interserv Commented:
We had issues getting the intermediate GoDaddy cert to work on our Verizon Treos.  With Entrust or Thawte you do not need to do anything special with the phones and the price isn't outrageous like Verisign.  I'm not sure if our issue was a Treo-specific issue when we tried to use GoDaddy or if it was because Verizon likes to lock things down on their network, but our Entrust cert works great.
0
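The trust question in this thread comes down to whether a client that holds only the root can build a path to the server certificate. As an added example (not from any poster; the CA names and hostnames are constructed), this script builds a throwaway root/intermediate/leaf chain with the openssl CLI, shows that verification fails until the intermediate is supplied, and checks whether a SAN (UCC) certificate covers a given hostname.

```shell
#!/bin/sh
# Added example: constructed three-tier PKI (demo root -> demo intermediate -> leaf).
# "Demo root", mail.example.test etc. are made-up names, not real CAs or hosts.
set -eu

build_demo_pki() {
  d=$1
  # Minimal request config so the script does not depend on a system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test,DNS:autodiscover.example.test\n' > "$d/leaf.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=Demo $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  # Self-signed root, then root signs the intermediate, intermediate signs the leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
    -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# chain_trusted ROOT LEAF [INTERMEDIATE]: succeeds only if LEAF chains to ROOT.
# ROOT plays the role of the client's trust store; INTERMEDIATE is what the server sends.
chain_trusted() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q ': OK'
  else
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK'
  fi
}

# san_covers LEAF HOSTNAME: succeeds if the certificate is valid for HOSTNAME.
san_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
build_demo_pki "$demo_dir"
chain_trusted "$demo_dir/root.pem" "$demo_dir/leaf.pem" \
  && echo "root only: trusted" || echo "root only: NOT trusted (intermediate missing)"
chain_trusted "$demo_dir/root.pem" "$demo_dir/leaf.pem" "$demo_dir/int.pem" \
  && echo "root + intermediate: trusted" || echo "root + intermediate: NOT trusted"
san_covers "$demo_dir/leaf.pem" owa.example.test \
  && echo "owa.example.test: covered" || echo "owa.example.test: not in SAN list"
```

Against a real deployment, the same two checks apply to the chain file the CA supplies and to the hostnames clients actually connect to.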
 
Paranormastic (Cryptographic Engineer) Commented:
Verisign is hands down the most compatible with any given product - if they have only one it would be them.  That being said, thawte and globalsign are then next up - the few products that don't have them by default I think I have seen one.  geotrust (aka equifax) is nice because they resell their age-old root to other commercial CA's like rapidssl, so even though they are a 'newer' company (rapidssl has been around for many years themselves, but still take advantage of the even older root cert from globalsign).

GoDaddy was issuing under another older root, but has been moving towards using their own new root, which does not have the age ubiquity that others will have.  It comes down to the specific product as to which root they are issuing under as last I checked they were issuing different products under different roots - I'm not sure when they intend to transition or if they already are for some products - they would answer that better themselves (although they may not be able to divulge timetables, they can definitely tell you which root they issue under).

RapidSSL would be my recommendation for lower price cert and ubiquity both in the environmental and age related sense.  
0
 
coolsport00 (Author) Commented:
Well, last 'question' (completely related to this post tho)...

So, are you guys saying that a wildcard cert from Go Daddy will work with Exchange 2K7 and my mobile devices? Do you have experience with this or just going off what you've read around in other posts/websites?

Thanks.
0
 
coolsport00 (Author) Commented:
Well...I went ahead and got a GoDaddy cert (((nervously biting nails))) :)  And, I changed from a wildcard to a UCC cert; I don't like that I only get 5 URLs (could've added more for a bit more $$$), but it will suffice for now. I can increase the SANs next yr when I renew if need be I guess. Honestly, I didn't really get the answer I wanted, but was given GREAT info nonetheless. Thank you all for the posts/info.
0
 
coolsport00 (Author) Commented:
I split the points based on the effort given. Thanks!
0
Question has a verified solution.