Posted on 2008-11-20
Last Modified: 2012-05-05
Finally got my Exchange 2k7 migrated from 2k3 and on a 2k8 box. IIS7 is a whole diff animal for me. I need to create a certificate for my OWA site. I have heard about self-signed SSLs but am not sure how they work. I usually just purchase one from Verisign, import it, and am done with it. Trying to do this very inexpensively. Second part is, on the last 2k7 install I did, I wasn't able to purchase a multiple-domain SSL, so it screwed up my autodiscover. I ended up creating a second website for autodiscover and creating a DNS record for it. Has anyone put a CA SSL or a self-signed SSL on OWA running on IIS7, and what is best practice? Thanks.
Question by:jasonmichel
    LVL 31

    Expert Comment

    You *can* do this with a self-signed certificate; however, if you are using OWA you probably don't want to.

    Self-signed certs would be deployed similarly to a root CA certificate - i.e. you would need to import each one into the trusted root certificate store of each box that will be connecting to your Exchange environment.  If you don't use OWA then it should be easy enough to push those through GPO to your workstations.  If you do have users that don't use company assets to connect to Exchange (e.g. you connect from your home computer to check your email) then you would need to pass out instructions and deal with all the support calls that will arise from that (there will likely be calls, even though it is a simple process... they call... they always call...).

    Using a UCC cert from a commercial CA, be it Verisign, Comodo, or whomever is probably still going to be the best bet.  GoDaddy is cheap, but sometimes there are issues as their root that they issue under is fairly new.  If you use mobile devices as a corporate resource, check out their existing root cert store and base your decision from there to reduce the headache of updating all your phones.
    LVL 1

    Author Comment

    I need a UCC SSL for Outlook Anywhere or mobile devices, don't I?
    LVL 31

    Accepted Solution

    UCC certs just make things easier and are usually the preferred solution.

    If you have your own CA, you could use that also under the same stipulations that I gave for the self-signed cert (you would have to deploy your root CA cert).  If you enabled SAN on the CA then you can add the extra names as a SAN value to your own free certs - a UCC cert is essentially a SAN cert for all practical purposes.
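
The SAN approach from the answers above, as an added example that is not part of the original thread: requesting one certificate that covers both the OWA and autodiscover names from the Exchange 2007 Management Shell, binding it to IIS, and checking that no client-facing name is missing. The hostnames and file paths are placeholders (assumptions), and the request can go to either a commercial CA or your own CA.

```powershell
# Added example. Hostnames and paths below are placeholders, not values from the thread.
$names   = 'mail.example.com', 'autodiscover.example.com'
$reqFile = 'C:\certs\owa.req'   # request to send to the CA
$cerFile = 'C:\certs\owa.cer'   # certificate the CA sends back

# Step 1: generate the key pair and a request that lists every name clients use.
# The first name becomes the subject CN; all names are placed in the SAN extension.
# Set -PrivateKeyExportable to $true only if the key must be moved to another server.
New-ExchangeCertificate -GenerateRequest `
    -SubjectName "cn=$($names[0])" `
    -DomainName $names `
    -PrivateKeyExportable $false `
    -Path $reqFile

# Submit $reqFile to the CA and save the issued certificate as $cerFile.
# Run the remaining steps on the same server once the CA has responded.

# Step 2: import the issued certificate and bind it to IIS (OWA, autodiscover,
# Outlook Anywhere and ActiveSync all go through IIS).
$cert = Import-ExchangeCertificate -Path $cerFile
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# Step 3: confirm what is installed and that every required name is covered.
$installed = Get-ExchangeCertificate -Thumbprint $cert.Thumbprint
$installed | Format-List Thumbprint, IsSelfSigned, NotAfter, Services, CertificateDomains

$have    = @($installed.CertificateDomains | ForEach-Object { $_.ToString() })
$missing = @($names | Where-Object { $have -notcontains $_ })

if ($missing.Count -gt 0) {
    # A name missing here is what produces certificate warnings in Outlook
    # and failed autodiscover lookups.
    Write-Warning ("Certificate does not cover: " + ($missing -join ', '))
} else {
    Write-Host "All required names are present in the certificate."
}
```

If the certificate comes from an internal CA, clients still need that CA's root certificate in their trusted root store, as described in the answers above.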
